Analysis
-
max time kernel
1193s -
max time network
1195s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system -
submitted
29-12-2023 08:53
Static task
static1
Behavioral task
behavioral1
Sample
AnyDesk.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
AnyDesk.exe
Resource
win10-20231215-en
Behavioral task
behavioral3
Sample
AnyDesk.exe
Resource
win10v2004-20231215-en
General
-
Target
AnyDesk.exe
-
Size
5.3MB
-
MD5
75eecc3a8b215c465f541643e9c4f484
-
SHA1
3ad1f800b63640128bfdcc8dbee909554465ee11
-
SHA256
ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028
-
SHA512
b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff
-
SSDEEP
98304:j5ObAu2pmits24nYhQCWQdaQQo/mJPv4KYZPKBhYI5RuN4OL2wIjcsJWNg3:IAnRu24nR5QcTvYdmPuWOL2TcQWe3
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" antivirus-platinum.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" antivirus-platinum.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" antivirus-platinum.exe -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest [email protected] -
Blocks application from running via registry modification 18 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe" [email protected] Set value (int) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" [email protected] Key created \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe" [email protected] -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" antivirus-platinum.exe -
Drops file in Drivers directory 4 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\host_new [email protected] File created C:\Windows\System32\drivers\etc\hosts [email protected] File opened for modification C:\Windows\System32\drivers\etc\hosts [email protected] File opened for modification C:\Windows\system32\drivers\etc\hosts [email protected] -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Wine [email protected] -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral4/files/0x000100000002a971-1780.dat upx -
Unexpected DNS network traffic destination 36 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.222.222 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.222.222 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.220.220 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.220.220 Destination IP 208.67.220.220 Destination IP 208.67.222.222 Destination IP 208.67.220.220 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" antivirus-platinum.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" antivirus-platinum.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" antivirus-platinum.exe -
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard = "\"C:\\ProgramData\\a476e\\IS87e.exe\" /s /d" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Run\SoftProz = "C:\\Program Files (x86)\\HjuTygFcvX\\lpsprt.exe" lpsprt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Security Central = "C:\\Program Files (x86)\\Security Central\\Security Central.exe" Security Central.exe Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\Downloads\\MalwareDatabase-master\\rogues\\Antivirus Pro 2017\\[email protected]" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto" 6AdwCleaner.exe Key deleted \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce [email protected] -
Blocklisted process makes network request 3 IoCs
flow pid Process 157 5248 msiexec.exe 158 5248 msiexec.exe 159 5248 msiexec.exe -
Checks for any installed AV software in registry 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\ [email protected] -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: Security Central.exe File opened (read-only) \??\Y: Security Central.exe File opened (read-only) \??\V: [email protected] File opened (read-only) \??\P: [email protected] File opened (read-only) \??\L: [email protected] File opened (read-only) \??\S: [email protected] File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\J: Security Central.exe File opened (read-only) \??\I: [email protected] File opened (read-only) \??\N: Security Central.exe File opened (read-only) \??\O: Security Central.exe File opened (read-only) \??\H: Security Central.exe File opened (read-only) \??\M: [email protected] File opened (read-only) \??\P: [email protected] File opened (read-only) \??\I: Security Central.exe File opened (read-only) \??\K: [email protected] File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: [email protected] File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\X: [email protected] File opened (read-only) \??\T: [email protected] File opened (read-only) \??\W: [email protected] File opened (read-only) \??\I: [email protected] File opened (read-only) \??\Q: [email protected] File opened (read-only) \??\U: [email protected] File opened (read-only) \??\G: [email protected] File opened (read-only) \??\O: [email protected] File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\G: [email protected] File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: [email protected] File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: [email protected] File opened (read-only) \??\V: [email protected] File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: Security Central.exe File opened (read-only) \??\S: [email protected] File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: [email protected] File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\U: [email protected] File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: [email protected] -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rscdwld.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsImSvc.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkpop.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supftrl.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sphinx.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\evpn.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sgssfw32.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsched32.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd.exe [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctrl.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ent.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esafe.exe [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanhnt.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsuppnt.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmsgri32.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\History.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htpatch.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\persfw.exe [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsctool.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscan.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet95.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\b.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfplogvw.exe [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdsetup.exe [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysupd.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\click.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hotactio.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\teekids.exe [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icload95.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pgmonitr.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpc.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winservn.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUNMain.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\generics.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdt.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvsvc32.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpf.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEShow.exe [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findviru.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmgt.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netspyhunter-1.2.exe\Debugger = "svchost.exe" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\popscan.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clean.exe\Debugger = "svchost.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe\Debugger = "svchost.exe" [email protected] -
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 [email protected] File opened for modification \??\PhysicalDrive0 [email protected] File opened for modification \??\PhysicalDrive0 [email protected] -
Drops file in System32 directory 29 IoCs
description ioc Process File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal OfficeClickToRun.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db AnyDesk.exe File opened for modification C:\Windows\system32\wbem\repository svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db AnyDesk.exe File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm OfficeClickToRun.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db AnyDesk.exe File opened for modification C:\Windows\system32\wbem\repository\OBJECTS.DATA svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db AnyDesk.exe File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP svchost.exe File opened for modification C:\Windows\system32\wbem\repository\INDEX.BTR svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db AnyDesk.exe File opened for modification C:\Windows\system32\wbem\repository\WRITABLE.TST svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db AnyDesk.exe -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\Antispyware.exe\"" MsiExec.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4176 set thread context of 2584 4176 [email protected] 145 PID 6028 set thread context of 6016 6028 [email protected] 245 PID 5652 set thread context of 4000 5652 Security Central.exe 247 -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 20 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\antiviruspc2009\bzip2.dll [email protected] File created C:\Program Files (x86)\antiviruspc2009\libltdl3.dll [email protected] File opened for modification C:\Program Files (x86)\antiviruspc2009\libltdl3.dll [email protected] File opened for modification C:\Program Files (x86)\HjuTygFcvX [email protected] File created C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_241721000 [email protected] File created C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe msiexec.exe File created C:\Program Files (x86)\Security Central\Security Central.exe [email protected] File created C:\Program Files (x86)\AnVi\splash.mp3 [email protected] File created C:\Program Files (x86)\AnVi\virus.mp3 [email protected] File created C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll [email protected] File opened for modification C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll [email protected] File created C:\Program Files (x86)\antiviruspc2009\bzip2.dll [email protected] File created C:\Program Files (x86)\antiviruspc2009\avpc2009.exe [email protected] File created C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe [email protected] File created C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe msiexec.exe File opened for modification C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe [email protected] File created C:\Program Files (x86)\Def Group\PC Defender\hook.dll msiexec.exe File opened for modification C:\Program Files (x86)\antiviruspc2009 [email protected] File created C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_241694375 [email protected] File opened for modification C:\Program Files (x86)\antiviruspc2009\avpc2009.exe [email protected] -
Drops file in Windows directory 26 IoCs
description ioc Process File created C:\Windows\Installer\e68d771.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe msiexec.exe File created C:\Windows\Installer\e68d775.msi msiexec.exe File created C:\Windows\__tmp_rar_sfx_access_check_241684656 [email protected] File created C:\Windows\302746537.exe [email protected] File created C:\Windows\SystemTemp\~DF67521E502EE9697F.TMP msiexec.exe File opened for modification C:\Windows\MSCOMCTL.OCX [email protected] File opened for modification C:\windows\antivirus-platinum.exe attrib.exe File opened for modification C:\Windows\Installer\MSID946.tmp msiexec.exe File created C:\Windows\antivirus-platinum.exe [email protected] File opened for modification C:\Windows\COMCTL32.OCX [email protected] File created C:\Windows\Installer\SourceHash{FC2ABC8E-3715-4A32-B8B5-559380F45282} msiexec.exe File created C:\Windows\SystemTemp\~DFD9B0B7C28D736E8F.TMP msiexec.exe File created C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe msiexec.exe File created C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe msiexec.exe File created C:\Windows\SystemTemp\~DF338EDD7B0E91EF35.TMP msiexec.exe File opened for modification C:\Windows\antivirus-platinum.exe [email protected] File created C:\Windows\COMCTL32.OCX [email protected] File created C:\Windows\MSCOMCTL.OCX [email protected] File opened for modification C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe msiexec.exe File created C:\Windows\SystemTemp\~DFA7C6F9EB028F5F86.TMP msiexec.exe File opened for modification C:\Windows\302746537.exe [email protected] File opened for modification C:\Windows\Installer\e68d771.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe -
Executes dropped EXE 26 IoCs
pid Process 2892 [email protected] 4176 [email protected] 2564 usеrinit.exe 1636 [email protected] 4148 302746537.exe 1800 antivirus-platinum.exe 588 [email protected] 3428 [email protected] 652 [email protected] 2216 avpc2009.exe 384 [email protected] 3236 6AdwCleaner.exe 2516 [email protected] 3052 [email protected] 3160 [email protected] 5512 lpsprt.exe 5692 [email protected] 6128 [email protected] 764 [email protected] 5772 [email protected] 5784 is-C29PP.tmp 1460 [email protected] 6028 [email protected] 6016 [email protected] 5652 Security Central.exe 4000 Security Central.exe -
Loads dropped DLL 6 IoCs
pid Process 1588 regsvr32.exe 4140 regsvr32.exe 1800 antivirus-platinum.exe 2216 avpc2009.exe 2216 avpc2009.exe 2216 avpc2009.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 5384 5692 WerFault.exe 211 -
Checks SCSI registry key(s) 3 TTPs 63 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d663cd00a411206d0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d663cd000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d663cd00000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd663cd00000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d663cd0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe -
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString OfficeClickToRun.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AnyDesk.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AnyDesk.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 OfficeClickToRun.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz OfficeClickToRun.exe -
Enumerates system info in registry 2 TTPs 10 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU OfficeClickToRun.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS OfficeClickToRun.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily OfficeClickToRun.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\Main [email protected] Set value (int) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0" [email protected] Key created \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\Main antivirus-platinum.exe Set value (int) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\ltTST = "33181" [email protected] Key created \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\SearchScopes [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%" [email protected] Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main antivirus-platinum.exe Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "YOUR PC MAY BE INFECTED WITH SPYWARE OR OTHER MALICIOUS ITEMS" antivirus-platinum.exe Set value (int) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\ltHI = "0" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" [email protected] Set value (int) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\IIL = "0" [email protected] Set value (int) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" [email protected] Key created \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\BrowserEmulation [email protected] -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" antivirus-platinum.exe Set value (str) \REGISTRY\USER\S-1-5-21-1725696949-2443092314-1471438111-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" antivirus-platinum.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes [email protected] Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|3" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|1" OfficeClickToRun.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.6 = 22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22436f6175746847616c6c657279557365724a756d70546f417574686f725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22436f6175746847616c6c657279557365724f70656e53696e676c65466c796f75745c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22456d61696c416374696f6e487562416374696f6e53656e64456d61696c5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224f666669636543686174436f6d6d616e6453657456616c75655c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224d736f494d5365727669636573536642506861736531496d70726f76656d656e7473456e61626c65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224368617443616c6c6f757455736572496e697455495c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d736f494d5365727669636573497357616343686174456e61626c65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d736f494d536572766963657353664257616343686174456e61626c65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d736f494d536572766963657353664357616343686174456e61626c65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617455494d6f64656c4f6e55494576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224368617443616c6c6f7574557365724f6e5061727469636970616e744c6973744368616e6765645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6175746847616c6c65727955736572437265617465416374696f6e4875624c69737446726f6d536e617073686f745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22436f6175746847616c6c65727955736572437265617465466c65784c69737446726f6d536e617073686f745c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c22436f6c6c61625c22203a207b205c225375624e616d657370616365735c22203a207b205c22436f617574686f725c22203a207b205c225375624e616d657370616365735c22203a207b205c22436f617574686f72446f63756d656e7448656c7065725c22203a207b205c224576656e74735c22203a207b205c22547269676765725265747269657665446f63756d656e74436f617574686f72735c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c225265747269657665456469746f72735461626c654d616e616765725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c225265747269657665527463557365725c22203a207b205c224576656e74466c61675c22203a20353132207d207d207d207d207d207d207d2c205c2241744d656e74696f6e5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22446f63756d656e744163746976697479496e746567726174696f6e5c22203a207b205c224576656e74735c22203a207b205c224164645265636f7665726564416374697669746965735c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2250726f6365737341744d656e74696f6e4e6f74696669636174696f6e734c6973745c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22436f6d6d656e74734e6f74696669636174696f6e436f6c6c6563746f7252656d6f766564436f6d6d656e74735c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2250726f63657373436f6d6d656e74734e6f74696669636174696f6e734c6973745c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22536176654c6f67466f725265636f766572795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22437265617465446f63756d656e7441637469766974794c6f674d616e616765725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2244656c657465436f6d6d656e7441637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22446973636172644c6f63616c416374697669746965735c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2244656c6574655265706c7941637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2243726561746541744d656e74696f6e41637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2244656c65746541744d656e74696f6e41637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2244656c6574654d6f6465726e436f6d6d656e7441637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224372656174654d6f6465726e41744d656e74696f6e41637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224f70656e4c6f6746726f6d5265636f766572795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2244656c6574654d6f6465726e5265706c7941637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c225064616c6d446f63756d656e7441637469766974794c6f674d616e616765725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22456e73757265446f63756d656e744163746976697479436170747572655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22456e737572654c6f67507265526571735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d6574726f4f70656e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243726561746555736572496e666f466f72417574686f725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22437265617465556e69717565417574686f72566563746f725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243726561746555736572496e666f46726f6d417574686f72566563746f725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224973436c6f7564446f63756d656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225365745361766564507265526571735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224372656174655265766973696f6e53657441637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574436f6d6d656e74436f6e74656e744964656e7469666965725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6f67436f6d6d656e744174747269627574696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225472794372656174654c6f675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536176654c6f675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2253657453617665645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224162616e646f6e4c6f675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224372656174655461736b41637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225461736b4372656174696f6e41637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22526561737369676e5461736b41637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2252656f70656e5461736b41637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6d706c6574655461736b41637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224465736b746f704261636b73746167655c22203a207b205c224576656e74735c22203a207b205c22536176654173526563656e74436c69636b65645c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2253617665417344656661756c745365727669636553656c656374696f6e5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224f70656e526563656e74446f63756d656e747356696577436c69636b65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f70656e526563656e74446f63756d656e7473566965775769746846656174757265456e61626c6564436c69636b65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22424743616c634d616e6167657250726f6365737353657456616c75657350726f635c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22424743616c6349646c655461736b46457865637574655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22506c6163657347726f757065724163636f756e74496e666f5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657474696e67537461727465644d5255536c61624765744d72754461746554696d6547726f7570547970655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f70656e526563656e744c6f636174696f6e7356696577436c69636b65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224e617669676174696f6e5265616453697465526f6f74427956726f6f6d5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224e617669676174696f6e52656164446f634c6962466f6c646572427956726f6f6d5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224f666669636553706163655c22203a207b205c225375624e616d657370616365735c22203a207b205c224465736b746f704261636b73746167654e617669676174696f6e5c22203a207b205c224576656e74735c22203a207b205c224c617a794c6f616446696c6543616368655c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224c6f616446726f6d46696c6543616368655c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2253617665496e746f46696c6543616368655c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2252656164546869735043526f6f745c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22526561644c6f63616c466f6c6465725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c225265616453697465526f6f74427956726f6f6d5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224765744974656d57656244617655726c5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2247657452656d6f74654974656d496e666f726d6174696f6e5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2252656164446f634c6962466f6c646572427956726f6f6d5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22526561644d696772617465644f4443466f6c646572427956726f6f6d5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d2c205c22504358506572736f6e6150686f746f5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f757453706163655c22203a207b205c224576656e74735c22203a207b205c22557064617465506c616365735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224372656174655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486964655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225365744d72754c697374466f72486f6d65506167655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436c65616e75705c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536861726564576974684d65506f70756c6174654c6973745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225570646174654d52554974656d735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f70656e4469736d6973735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224e65774469736d6973735c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c224465736b746f704261636b73746167655c22203a207b205c224576656e74735c22203a207b205c224261636b73746167654469736d69737365645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224175746f5265636f76657279436f6d7061726557697468556e736176656456657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224175746f5265636f7665727944656c657465556e736176656456657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224175746f5265636f766572794f70656e556e736176656456657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224175746f5265636f76657279506f70756c617465556e736176656456657273696f6e4c6973745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e69744e65774e6176466f6c6465725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224e6577536572766963654c6973745c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c225368617265506f696e7453697465735c22203a207b205c224576656e74735c22203a207b205c2247726f75707353697465735265717565737449636f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e745369746573496e697469616c697a655369746573436f6c6c656374696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e74536974657350726f63657373526573756c74466f724964656e746974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e7453697465734964656e74697479436163686552657175657374526573756c745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e7453697465735265717565737453697465734361636865645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e7453697465735265717565737453697465734173796e6350726f63657373526573756c745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e7453697465735265717565737453697465734173796e635c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224372656174654c6f636174696f6e735c22203a207b205c224576656e74735c22203a207b205c2244656661756c744964656e74697479456d7074795c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2253686172696e674c6567616379436c69656e745c22203a207b205c224576656e74735c22203a207b205c22476574446174615c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22486f6d65506167655c22203a207b205c224576656e74735c22203a207b205c22506c6163654368616e6765536c6162436f6e646974696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6e53686f77486f6d65506167655c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c225365617263685c22203a207b205c224576656e74735c22203a207b205c225365656e4279557365725c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c224f666669636553746172745c22203a207b205c224576656e74735c22203a207b205c22536574757054656d706c61746550726f706572746965735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243757272656e745549416374697665506c6163654368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22547269676765725468756d626e61696c416374696f6e52756e5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22446f63756d656e744e6f74696669636174696f6e735c22203a207b205c224576656e74735c22203a207b205c2252656769737465724f6e49646c65466561747572654761746544697361626c65645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d7275536572766963654170695c22203a207b205c225375624e616d657370616365735c22203a207b205c22446f63756d656e74735c22203a207b205c224576656e74735c22203a207b205c2252656164526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225772697465526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6e526571756573745375636365656465645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22506c616365735c22203a207b205c224576656e74735c22203a207b205c2252656164526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225772697465526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6e526571756573745375636365656465645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c224d736f53686172696e675c22203a207b205c224576656e74735c22203a207b205c22434d736f53686172696e675365727669636548656c706572456e64476574486f73744361706162696c69746965735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572476574486f737443617061 OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAECOO7V5B+uboa6DCP4gXnQvgABiw1gHeqtal11lv2xDJKa2smCu/gEsw87NdafsGvIZ+gTXBOfmuGLinaBPzRdTr5vQm3h+o1ninG3kKbi/fJahfCgl+6jXA4K6QHXRX3OBCT4IZTTC3n0fnOi+9uEcYB1vapm/gTwVZBCYuDk+Yk9sEB9YJ0r+iAMh26GYEdqQPpUoeBC9feNT0MW/iL8jH8stUWi1F4+QobZbCDtoeXDl/HExHfBdzivaG3sfyQP6F4fMPiv1Hs4yknaHRYFy28Da/JctqgaUoXfxasei2a5nS68if/GUl0NwA7ORf0gz7HQE=&p=" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|9" OfficeClickToRun.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000002d2f8f81e05ef84b8f9c3eb8ac799df2000000000200000000001066000000010000200000007033843ce619d1134b4755f7b0c519b0bf27076525f989aecd1c2b4de5389122000000000e8000000002000020000000197e234bbf0ab6da311bf3e7d1da35f464f0c530a9f791adfc1abfa54e357737f00300001dfb7a35133c97183f85dab0d294b7141e9873a2299df3ad2d22c78fe4c897600dd179690ee331b87575769f18a28fbf5feb2666e288dbb16dacf38c645ce6b90048c752c953ffd5453b7d8f0ccf445e986ebadf707de6dad32fcbd5ea08e808f6d082495dab1e1939c9d0a6882f29857554f0cd09f02b241402e153f9d2bcf374e102f8eb1ec47441a49d4a1ffc747a91ff7fe13219ded8717d66ffb26336018122f0e6bbd9952f63e67614088847206fb2d8234fb3e5d31df9bbf658c448038056a11dde32915b3d724a249c622aca4faaa871c97c6da754a0f56fd539c2cc4fc6b227a45e70fa57628924cad463272a8e31113481ebdcb4e8368c6f3e972406b2e1bd1f6d5532afdc7cf3eaca481c170b85d17040962a4489feb17d769d352fb64edf0e6012328e95176370579c11a81b2680e2cd7e0c8057623497db7efa881cb3008b7ea6cd1453c3ae579a3a3c911f88e3072b86246b7e5cd57eacca3f8503c4c903c1ae064076df3a826240a5c29363cd17065b2e362fa176a0c108c7cba137904ee1b5dd5850640738af1ac8e612d1d7ae741e31b4d238859e2bc33f391dd5aa0c3c37d4ce63093331ed9fb3ee7e0022544a50fb73537ed0c2b7fad0bfc08916101475cdef4f6d39e9b0a4e77455316d9b205e458bcb551cf49207ead939caada20fe723f27d128c1867c9fe3e6516420c7b20d193f728621b00aee31e960826422e62a66c258924b9f1763dad78ed7b2b9d74074919ae63dc8bd9a436869f5bb5cef4c313ec3c0a1f659bc22d521ef3b289929d168ad35d27608cea550bb5a500e2bd099b99570b8831c9b2854174ed21a42efba29d459f2c6206f453fd9611f515a682f338cc3f0671fb0918acd21a7c11cdfc61941eb19dce5c619c276e01dd74a6a274ef1a5ce21c978cf9fa73f02e617ca8d02576ede320462dc74e2cff6614e9e9b0d4546eb28d2efe3da2d75f8e45e8d0166c2391deac000c1b440cc37878452f7390d78bcbba4d9d234b37e9c92c7df78dad2c18240653b3cdae8b5c2a0e83f61652b848bc27addd083bf5746cbae6e89e5ef7db8f23ceaee3df57febcc56b919f1a774063498ae0d5b32f4a35e6a12cb8104e9723e68b6f1fd6e7848fdab5625473677efae821deaf8ae5bd9840585f9a68bf180da7b8d98deca434f9299e134b1b565a0242f6c37bd356eb14e75660b98c371afc27382c5e7d1cf74f4bd0c25fea3116282e5dcf2bb00f3548695b50e03ac984d9ebec6360365e0207516b7603bc21bfa865a407e3c104c0bb6e4d3fa9059da9a6bd19f5a9d2f360bc8d978c9d7c5c1f441ed923895a55abf04e4d6290201043fbf4161216a323ef76463a09a79c3413405c2b3db151c73ee340e0e9fa7489d39f2f1a82b735e51ef5d706bb23b405ff2a5fea0a4000000053b83b8161d8248e1c316086c53d3140be16a8c56b62b976fe864347341e16a9c20c8207bc849604c21833144719952e56fb91b5efc57527bc2db42df727659b OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes [email protected] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|5" OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\VersionId = "uint16_t|0" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "0018400DB5D347E1" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|0" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" [email protected] Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.11 = 74696f6e5c22203a207b205c224576656e74735c22203a207b205c224c6f61644c6963656e73655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2250726f706572746965735c22203a207b205c224576656e74735c22203a207b205c224765744c6963656e736543617465676f72795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22546f6b656e697a654c6963656e736543617465676f726965735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225570646174654c6963656e736543617465676f726965735c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224272616e64696e675c22203a207b205c224576656e74735c22203a207b205c2247657441707056616c75655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657450726f6475637456616c75655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2253686f756c645573654d6963726f736f66743336354272616e64696e675c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2254656e616e745c22203a207b205c224576656e74735c22203a207b205c22496e697454656e616e7449645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224e756c5c22203a207b205c225375624e616d657370616365735c22203a207b205c22466574636865725c22203a207b205c224576656e74735c22203a207b205c224765744e756c4f626a656374466f724964656e746974795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2246657463684d6f64656c46726f6d4f6c735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224765744c6963656e73654665617475726573466f724964656e746974795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2243726561746552657175657374426f64795c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d6f64656c5c22203a207b205c224576656e74735c22203a207b205c224765744c6963656e736543617465676f72795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22476574416c6c4c6963656e736543617465676f726965735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446573657269616c697a655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c225061727365526177526573706f6e73655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2243616e52756e46656174757265526573756c74735c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224d6f64655c22203a207b205c224576656e74735c22203a207b205c224765744d6f64655c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224170695c22203a207b205c224576656e74735c22203a207b205c22437265617465526571756573745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253656e64526571756573745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2252656365697665526573706f6e73655c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2253746f726167655c22203a207b205c224576656e74735c22203a207b205c2247657453746f72616765506174685c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224c6f61644d6f64656c735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22476574556e766572696669656453746f72616765506174685c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224c6f61644d6f64656c5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2252656e616d6546696c65546f55736555706461746564486173685c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2256616c69646174696f6e5c22203a207b205c224576656e74735c22203a207b205c22517569636b56616c69646174696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2256616c696461746f725c22203a207b205c224576656e74735c22203a207b205c224d61746368696e67486172776172656449645c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d2c205c22466c6f77735c22203a207b205c224576656e74735c22203a207b205c22536561726368466f72534341546f6b656e5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4d6f786965222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74466c61675c22203a203438383936207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4f6666696365222c20225622203a20227374643a3a77737472696e677c7b205c224c6f636b65645c22203a2066616c73652c205c225375624e616d657370616365735c22203a207b205c224e61747572616c4c616e67756167655c22203a207b205c224c6f636b65645c22203a2066616c73652c205c225375624e616d657370616365735c22203a207b205c224372697469717565735c22203a207b205c224c6f636b65645c22203a2066616c73652c205c224576656e74735c22203a207b205c2250726f636573734175676c6f6f704372697469717565735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f636573734175676c6f6f7041646443726974697175655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4f75746c6f6f6b222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c224465736b746f705c22203a207b205c225375624e616d657370616365735c22203a207b205c2253796e635c22203a207b205c224576656e74735c22203a207b205c2253796e6350757267654f66666c696e654974656d735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2256696577735c22203a207b205c224576656e74735c22203a207b205c224872566965774c6f6164436f6d706c657465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22566965774d6f64655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e506572736f6e616c697a6174696f6e222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c2246696c65496e736967687443616368654d616e616765725c22203a207b205c224576656e74735c22203a207b205c2250757267654578706972656443616368655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c225369676e616c50726f636573736f725c22203a207b205c224576656e74735c22203a207b205c2253656e645369676e616c5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e50726f6772616d6d6162696c697479222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c2254656c656d657472795c22203a207b205c224576656e74735c22203a207b205c22446e61416464496e4c6f6164586c6c46696c655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446e61416464496e4c6f616445787465726e616c446c6c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446e61416464496e4c6f6164446e6146696c655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464696e43726173685c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22416464696e735c22203a207b205c224576656e74735c22203a207b205c22417070416464496e4c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22417070416464496e55736167655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464696e446f634c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e7465726e616c536574436f6e6e6563745c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e5365637572697479222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c22436c705c22203a207b205c224576656e74735c22203a207b205c2246657463684c6162656c7346726f6d5365727665725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657444656661756c744c6162656c49445c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744c6162656c735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744f7574636f6d6573466f724c6162656c4368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6162656c696e67457870657269656e63655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224164644c6162656c4f627365727665725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2252656d6f76654c6162656c4f627365727665725c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d6163726f5c22203a207b205c224576656e74735c22203a207b205c22426c6f636b4d6163726f46726f6d496e7465726e6574506f6c69637953657474696e675c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22456e636f756e74657265645c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22456e61626c65645c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2246696c65426c6f636b5c22203a207b205c224576656e74735c22203a207b205c2246696c65426c6f636b496e666f726d6174696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224f43585c22203a207b205c224576656e74735c22203a207b205c2254727573746564456e636f756e7465725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224e6f6e54727573746564456e636f756e7465725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22416363657373456e636f756e7465725c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c22426c6f636b6564657874656e73696f6e735c22203a207b205c224576656e74735c22203a207b205c2246696c65457874656e73696f6e4c69737446726f6d536572766963655c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c22536563757265526561646572486f73745c22203a207b205c224576656e74735c22203a207b205c224f70656e496e4f53525c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e54617267657465644d6573736167696e67222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c224275736261725468656d6553656c656374696f6e5374617475735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e54656c656d65747279222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c22436c69656e7453616d706c696e674f76657272696464656e5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2253797374656d4865616c74684d657461646174614e6574776f726b436f73745c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224576656e7451756172616e74696e65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6f6164586d6c52756c65735c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2250726f6365737349646c6551756575654a6f625c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22466c7573684576656e744275666665725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2254656c656d6574727953656e74696e656c56616c75655c22203a207b205c224576656e74466c61675c22203a2030207d207d2c205c224c6f636b65645c22203a2066616c7365207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e54656c6c4d65222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c2254656c6c4d655741435c22203a207b205c224576656e74735c22203a207b205c225175657279526573706f6e73655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e54657874222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c225265736f75726365436c69656e745c22203a207b205c224576656e74735c22203a207b205c22446573657269616c697a655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2252656164466f6e74456c656d656e74735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2250757267654d756c7469706c655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22526561645265736f757263654d657461446174615c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2257726974655265736f757263654d657461446174615c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22474449417373697374616e745c22203a207b205c224576656e74735c22203a207b205c225265676973746572436c6f7564466f6e7443616c6c6261636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2248616e646c6543616c6c6261636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22466f6e744d616e6167657244657374727563746f725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464436c6f7564466f6e745265736f757263655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22466f6e74537562737469747574696f6e5c22203a207b205c224576656e74735c22203a207b205c22436f6c6c656374466f6e74537562737469747574696f6e55736167655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e5472616e736c61746f72222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c22416c7465726e6174655472616e736c6174696f6e735265747269657665645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6e7465787475616c53756767657374696f6e734c6f616465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745465787453656c65637465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745472616e736c617465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745472616e736c61746564466565646261636b547269676765725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745472616e736c6174696f6e43616e63656c6c65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745472616e736c6174696f6e53756767657374696f6e436c69636b65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224578636c756465644c616e677561676541646465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224578636c756465644c616e677561676552656d6f7665645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d6963726f666565646261636b566f746553656c65637465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6f786d6c5472616e736c617465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2253657474696e6773436c6f7365645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2253657474696e67734f70656e65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536f75726365446f63756d656e744c616e674368616e6765645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536f75726365546172676574537761707065645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536f75726365546578744c616e674368616e6765645c22203a207b205c2245 OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|12" OfficeClickToRun.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.4 = 7472696e677c6a612c7a6822207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e43726974697175652e4c6f67496e7465726e616c4e616d65416e645072696f72697479222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e456469746f72536572766963652e557365496e737472756d656e746174696f6e417069222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e4772616d6d6172436865636b696e672e4765726d616e456e744469736162696c69747942696173222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e4772616d6d6172436865636b696e672e4e6f7277656769616e426f6b6d61616c456e746572707269736547726f757031222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e4772617068496d706f72744865647769675558222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e4772617068496d706f7274496e73657274416c6c4f626a6563747356696577222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e47726170686963732e4368616e6765476174652e5570646174655461626c65426f756e6473466f72547970696e67222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e4967782e456e7375726545326f4d6f6e696b65724166746572456e7375726545326f222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e4e6577456e737572655549444c6f676963222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e4f6666696365496e7369646572526567697374726174696f6e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5043582e416c6c6f7746696e6450656f706c655573616765496e41744d656e74696f6e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5043582e4175746f436f6d706c6574652e46696e6450656f706c65537570706f7274222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5043582e4669784e6f6e526566436f756e7465644d736f506572736f6e6173222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063782e4261636b67726f756e64576f726b436f6e74726f6c6c6572427567466978222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063782e427567466978466f7241744d656e74696f6e734d6f6e69746f72696e67222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063782e427567466978466f7250686f746f41637469766974794c6f6767696e6752656d6f76616c222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063782e436f6e746163744361726456324f766572666c6f774d656e7573506861736532222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063782e46696e6450656f706c655573616765456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063782e497350656f706c655365617263684578656375746f72456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063782e506378417072696c323031384275674669786573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063782e5063784665627275617279323031384275674669786573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063782e5063784a616e75617279323031384275674669786573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063782e5063784a756e65323031384275674669786573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063782e5063784d61726368323031384275674669786573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063782e557365506378436f6e74616374496e666f4c697374222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e506378417072696c323031374275676669786573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e506378436f6d6d6f6e436f6d70617265427567466978222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e506378436f6e746163744361726444706941776172656e6573734275674669786573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e506378436f6e7461637443617264466f6e74486569676874444450494275674669786573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063784a756e65323031374275676669786573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063784d61726368323031384275674669786573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5063784f63746f626572323031364275676669786573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e50656f706c655365617263682e436f6e7461637453656172636849676e6f72657353796d626f6c73222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e50656f706c655365617263682e50637848616e646c65734175746f446973636f766572222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e50656f706c655365617263682e526563697069656e744175746f436f6d706c657465537570706f7274222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e50726f6f66696e672e4175746f4d616e616765722e41637469766974696573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e536d6172744c696e6b732e416c6c6f775265636f676e697a65536d6172744c696e6b73496e7369646550617261677261706873222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e54686573617572757350616e652e41637469766974696573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5472616e736c61746f722e456e61626c65466c6f6f6467617465537572766579222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e5472616e736c61746f722e466c6f6f646761746553757276657944656c6179222c20225622203a2022696e7433325f747c3530303022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e576f72642e46574153686f756c64426c6f636b53656c4368616e67656446616c73654576656e7473222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e576f72642e53656e6445646974466c6167546f4e6f4572726f724576656e7473222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e576f72642e57726974696e67417373697374616e63654372697469717565466f724347415049222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e57726974696e67417373697374616e636555492e50616e652e46697857726f6e67436c6f73654c6f676963222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e536861726564546578742e436f6c6f72466f6e74537570706f7274456e61626c6564222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e536861726564546578742e46696c6556657273696f6e696e67222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e536861726564546578742e48696464656e466f6e7473222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e536861726564546578742e4f4172745465787456616c696461746552616e6765564544222c20225622203a2022696e7433325f747c3322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e536861726564546578742e52696368456469742e416c6c6f774475706c696361746555696d557064617465222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e536861726564546578742e52696368456469742e436f7079506173746548544d4c222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e536861726564546578742e5472616e7363726962652e436f6e666967436865636b44697361626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d657472792e417269614d617854656172646f776e55706c6f616454696d65496e536563222c20225622203a2022696e7433325f747c3222207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d657472792e566f6c756d65547261636b696e674d61784576656e7473222c20225622203a2022696e7433325f747c3530303022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4169725370616365222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c224261636b656e645c22203a207b205c224576656e74735c22203a207b205c224c61796572486f7374496e697469616c697a6174696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6d706f7369746f7253657373696f6e547970655c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c2257696e33325c22203a207b205c225375624e616d657370616365735c22203a207b205c224c65676163795c22203a207b205c224576656e74735c22203a207b205c22416e696d6174696f6e50657263656e74556e64657233304650535c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416e696d6174696f6e4176674650535c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243726f737357696e54496d654f6646697273744672616d655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224176657261676550726573656e74735065725365636f6e645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4368617274696e67222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c22436861727445326f4c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436861727445326f536176655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224368617274696e67456e644c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e436c69636b546f52756e222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c225363656e6172696f5c22203a207b205c224576656e74735c22203a207b205c22446f72695461736b5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c225570646174655461736b557064617465646574656374696f6e325c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225570646174655461736b557064617465646f776e6c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225570646174655461736b557064617465636c69656e74646f776e6c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225265706169725461736b46756c6c7265706169725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225265706169725461736b52656d6f7665696e7374616c6c6174696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e7374616c6c5461736b436f6e6669677572656c696768745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436c69656e747570646174655461736b436c69656e74646f776e6c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e7374616c6c5461736b53747265616d5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e7374616c6c5461736b437265617465776f726b696e67636f6e66696775726174696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225570646174655461736b55706461746566696e616c697a655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c225461736b4c61737452756e4865617274626561745c22203a207b205c224576656e74735c22203a207b205c225461736b4c61737452756e4865617274626561745c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22556e6976657273616c426f6f7473747261707065725c22203a207b205c224576656e74735c22203a207b205c224170706c69636174696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22457865637574655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6c6c656374506172616d65746572735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6c6c656374456d6265646465645369676e61747572655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616c63756c617465506172616d65746572735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22436c69656e744361624d616e616765725c22203a207b205c224576656e74735c22203a207b205c225461736b557064617465436c69656e74446f776e6c6f6164446f457865637574655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225461736b436c69656e74446f776e6c6f6164446f457865637574655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2253747265616d4361625c22203a207b205c224576656e74735c22203a207b205c22446f776e6c6f616453747265616d4361625c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c225472616e73706f72745c22203a207b205c225375624e616d657370616365735c22203a207b205c224578706572696d656e74616c5472616e73706f72745c22203a207b205c224576656e74735c22203a207b205c22436162735c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c224576656e74466c61675c22203a20323536207d207d207d2c205c225472616e73616374696f6e616c46696c654f7065726174696f6e735c22203a207b205c224576656e74735c22203a207b205c224170706c794368616e6765735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22457865637574655472616e73616374696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d2c205c224576656e74735c22203a207b205c2250726f636573734b696c6c657253687574646f776e5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c225472616e73706f72745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f776e6c6f61644361625c22203a207b205c224576656e74466c61675c22203a2032207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5465 OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" OfficeClickToRun.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.13 = 4d6963726f736f66742e4f66666963652e576f72642e456e61626c655061747465726e73496e41746e74786e64222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e52616973655569614175746f436f72726563744576656e7457697468456e74697265576f7264222c20225622203a2022626f6f6c7c3122207d205d2c2022464347726f75704d617022203a207b2022464347726f75704d61705f3122203a205b207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e426c6f636b656447726170686963734164617074657231222c20225622203a20227374643a3a77737472696e677c33323930323b303b303b303b383434343234393330373838333230323b323b303b303b303b303b3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e426c6f636b656447726170686963734164617074657232222c20225622203a20227374643a3a77737472696e677c33323930323b303b303b303b383434343234393330373838323936373b323b303b303b303b303b3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e426c6f636b656447726170686963734164617074657233222c20225622203a20227374643a3a77737472696e677c33323930323b303b303b303b383434343234393330373838333231313b323b303b303b303b303b3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e426c6f636b656447726170686963734164617074657234222c20225622203a20227374643a3a77737472696e677c33323930323b303b303b303b383434343234393330373934313932373b323b303b303b303b303b3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e426c6f636b656447726170686963734164617074657235222c20225622203a20227374643a3a77737472696e677c33323930323b303b303b303b383732353732343238343635343239363b323b303b303b303b303b3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e426c6f636b6564477261706869637341646170746572436f756e74222c20225622203a2022696e7433325f747c3522207d205d2c2022464347726f75704d61705f3222203a205b207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e476c6f62616c5265736f75726365496e666f4361636865456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e53686f756c644d69677261746546726f6d4f72617069222c20225622203a2022626f6f6c7c3122207d205d2c2022464347726f75704d61705f3322203a205b207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e4772616d6d6172436865636b696e672e437a656368456e746572707269736547726f757032222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e4772616d6d6172436865636b696e672e4f7074696f6e4f766572726964652e6373222c20225622203a20227374643a3a77737472696e677c4772616d6d617220616e6420726566696e656d656e74733a3a53657875616c206f7269656e746174696f6e20626961733d3022207d205d2c2022464347726f75704d61705f3422203a205b207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e42697a426172222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e766173426f6f742d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e766173446f63756d656e7452656164792d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e766173466c6f6f64676174652d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734c6963656e73696e674469616c6f6752656e65772d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734c6f63616c4f70656e446f63756d656e742d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734c6f63616c53617665446f63756d656e742d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734f444253617665446f63756d656e742d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734f6e6544726976654f70656e446f63756d656e742d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734f6e65447269766553617665446f63756d656e742d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734f757453706163654f70656e2d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734f757453706163655361766541732d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d466c6f6f6447617465222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d496e41707050757263686173652d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f75745370616365222c20225622203a2022626f6f6c7c3022207d205d207d207d OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|6" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|8" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|13" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun OfficeClickToRun.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.9 = 61675c22203a20323536207d2c205c2241707044656c6574656446726f6d446f63756d656e745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224469616c6f67436c6f7365645c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224469616c6f674f70656e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253686f77496e666f626172436f6e73656e74566965775c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253686f774c6f6164696e6753746174655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253686f775265616374566965775c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c22416464696e50726566657463685c22203a207b205c224576656e74735c22203a207b205c22507265666574636849636f6e735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22507265666574636855726c5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c225072656c6f61644d616e69666573745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253616e64626f78507265666574636855726c5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2241637469766174696f6e5c22203a207b205c224576656e74735c22203a207b205c224352656d6f74657250726f78795c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2253696e676c655369676e4f6e5c22203a207b205c224576656e74735c22203a207b205c22446973706c617953534f436f6e73656e7450616765466f7241706943616c6c5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224578656375746547657453534f546f6b656e496e7465726e616c5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2247657441757468546f6b656e5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d2c205c224576656e74735c22203a207b205c224f445041637469766174696f6e466f7254616761353572735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f4450417070436f6d6d616e64735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434f4d416464696e4f7065726174696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f4450417070436f6d6d616e647343616368655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f4450417070436f6d6d616e6473496e7374616c6c54696d655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f4450417070436f6d6d616e6473526962626f6e436c69636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224557534c69626c657443616c6c735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446565704c696e6b696e67436865636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446565704c696e6b696e67446f63756d656e744f70656e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446565704c696e6b696e67446f63756d656e7453686f77547275737455495c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446565704c696e6b696e675472757374526573756c745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224577734c6173745570646174655374617475734974656d436c69636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224577734c6173745570646174655374617475734974656d53686f776e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2247656e314163746976697479416767726567617465644261736553756272756c655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2247656e314163746976697479416767726567617465644661696c757265436f756e745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2247656e3141637469766974794167677265676174656453756363657373436f756e74576974685461675c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f44504170704d616e6167656d656e744d656e755c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f4450496e73657274696f6e4469616c6f675c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f445050617273654e65774d616e69666573744572726f725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f44505265636f6d6d656e64656447616c6c657279436c69636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f4450526962626f6e427269646765526962626f6e436c69636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f445053616e64626f7841637469766174696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f45504d616e696665737450617273696e675c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22526962626f6e427574746f6e436c69636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253746f7265557365725374617475735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253746f7265557365725374617475734572726f725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f445041637469766174696f6e466f7254616761353572715c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224f44504c6174656e63795c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e466565646261636b222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c2253617665526573706f6e73655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e46696c65494f222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c224353495c22203a207b205c224576656e74735c22203a207b205c225265717565737441646170746572556e657870656374656443616c6c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416d49416c6f6e6550726f63657373526573706f6e73655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225472616e73616374656453747265616d446174615570646174655472616e73616374696f6e436f6d6d69745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225472616e73616374656453747265616d446174614d657267655472616e73616374696f6e436f6d6d69745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224343616368656446696c655363686564756c6546696c6555706c6f6164526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243656c6c53746f726167654f6e426c6f624865617052657175657374526573756c745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243656c6c53746f726167654f6e426c6f624865617052657175657374526573756c74434d555c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6e49734f6e6c79436c69656e7452657175657374436f6d706c6574655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22437369446176436c69656e7453656e64526571756573745374617475735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574446f63756d656e7446726f6d55726c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224343616368656446696c654373694c6f616446696c655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224343616368656446696c654373695361766546696c655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22446f63756d656e74466163746f72794372656174654e6577446f63756d656e745c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22446f63756d656e7452656e616d655375626d6974576f726b4974656d5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22464d617050617468735c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22476574536861726555726c466f72436f6e7461696e65724173796e635c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22476574536861726555726c466f7246696c654173796e635c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22476574576f706955726c46726f6d46696c654964656e7469666965724173796e635c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2249446f63756d656e7447657456657273696f6e4c6973745c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2249446f63756d656e74526573746f72654173796e635c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224973446f776e6c6f616465644261736556616c69644e6f48617368436865636b5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2253796e634261636b65645265636f6e63696c65725472795265636f6e63696c65546f4c6174657374416674657256657273696f6e4e6f74466f756e645c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2253796e634261636b65645265636f6e63696c65725472616e736974696f6e4f6e6c696e655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2254727944657374726f794f666669636546696c6543616368655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22576f706942726f77736542726f777365546f436f6e7461696e65724173796e635c22203a207b205c224576656e74466c61675c22203a203438383936207d207d2c205c225375624e616d657370616365735c22203a207b205c2253746f726167655c22203a207b205c224576656e74735c22203a207b205c2243616368654f70746963735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f7074696373446f776e6c6f61644572726f72446973747269627574696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f7074696373446f776e6c6f61644572726f72446973747269627574696f6e7337446179735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f70746963734572726f72735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f707469637346696c6553746f726546696c6553697a65446973747269627574696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f707469637355706c6f61644572726f72446973747269627574696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f707469637355706c6f61644572726f72446973747269627574696f6e7337446179735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f7074696373576f726b696e67436f707946696c6553697a65446973747269627574696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2252656d6f766546696c65456e7472795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f707469637350657246696c655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2253746172744f666669636546696c6543616368655c22203a207b205c224576656e74466c61675c22203a203438383936207d207d2c205c225375624e616d657370616365735c22203a207b205c2243656e7472616c5461626c655c22203a207b205c224576656e74735c22203a207b205c22436865636b536368656d6156657273696f6e5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22436c65617243616368655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22437265617465446174616261736546696c655573696e6754656d706c6174655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2243726561746544617461536f757263654661696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2244617461736f757263654f70656e4661696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2246696c65436163686550726f70657274696573526f774e6f74466f756e645c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224d69677261746546696c654e616d6546726f6d496e695c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22526f77736574556e6b6e6f776e4661696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22536368656d61557067726164655c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d2c205c224661756c744d616e6167656d656e745c22203a207b205c224576656e74735c22203a207b205c224661756c745265636f766572795c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224661756c745265706f72745c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d207d207d207d207d2c205c2250726f746f636f6c5061727365725c22203a207b205c224576656e74735c22203a207b205c2250617273655572695c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7061636b55726c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496672496e697441726773576f72645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2248724c61756e636855726c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22464c6f6164436d644c696e65436f72655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2250726f746f636f6c48616e646c65725c22203a207b205c224576656e74735c22203a207b205c225472794f70656e696e674c6f7248797065724c696e6b496e4e6174697665436c69656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f746f636f6c48616e646c65724d61696e5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22556e7061636b4c696e6b5c22203a207b205c224576656e74735c22203a207b205c22556e7061636b4c696e6b5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7061636b4c696e6b4173796e635c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7061636b4c696e6b5769746848696e745c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c225254435c22203a207b205c224576656e74735c22203a207b205c2246696e6453657373696f6e456e64706f696e7452756e5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22446f63756d656e74536861726555726c5c22203a207b205c224576656e74735c22203a207b205c22556e7061636b536861726555726c416e6448616e646c65526573756c745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6e556e7061636b55726c436f6d706c657465645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22486c696e6b5c22203a207b205c224576656e74735c22203a207b205c224d736f4872486c696e6b43726561746546726f6d537472696e675c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d534f5c22203a207b205c224576656e74735c22203a207b205c22434d736f4f4c446f634e657744657374727563746f725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6f63616c446f63756d656e74496e666f557073656c6c4576656e745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224c6f63616c446f63756d656e74496e666f466c796f757444726f707065645c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2248616e646c65417574684661696c7572655f5573654578697374696e6743726564735f47656e657269634661696c7572655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f4f4c446f6342617365476574504b4d436c69656e7445785c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f536572766572496e666f476574536572766572496e666f5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745265636f766572794872476574447270436f72655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745265636f766572794d736f4872426567696e4d6f646966794472705c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225469746c654261725361766555694d616e616765725772697465537461747573546f5469746c654261725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6f6164437369446c6c466f72436c69636b3252756e456e7669726f6e6d656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes [email protected] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun OfficeClickToRun.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.2 = 4f66666963652e46696c65494f2e4872446f776e6c6f616454656d704173796e634c4d54222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e496e637265617365644279746573427566666572657257696e646f7753697a65222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e496e6372656d656e74616c4f70656e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4973496e74656c6c6967656e745361766550726f6d7074537572766579456e61626c6564222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e49734f70656e4572726f724469616c6f6741626c65546f42654f76657272696464656e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4c6f636174696f6e5069636b65725468726565446f74222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4e65766572466f726365486f73744d6f6465496e436f6c6c61625265636f6e63696c6174696f6e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4f63735072656665746368496e7465726e616c436f6f7264696e6174696f6e456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4f637369576f726b696e67436f7079577269746546696c654d61785265747279436f756e74222c20225622203a2022696e7433325f747c3522207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4f637369576f726b696e67436f7079577269746546696c655265747279496e74657276616c496e4d696c6c697365636f6e6473222c20225622203a2022696e7433325f747c31303022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e5265667265736855706f6e526573746f726174696f6e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e536572766572496e666f4d736f446176436865636b456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e53686f756c645265717565737451756572794578706563746564416363657373222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e536b6970556e636f6d70617261626c65446f776e6c6f61645265766973696f6e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e536b6970576563496e6974447572696e674f70656e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e53747269637453746f726167654c6966656379636c65222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e537472697056657273696f6e494446726f6d55726c4265666f726553656e64696e67546f437369222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e5472696767657253796e63496e7369646548616e646c6542617365446f776e6c6f61644572726f72222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e556e7365745265736f757263654964496646696c655761734e6f745361766564546f536572766572222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e5573654361636865644e6574776f726b436f6e6e656374696f6e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e5573655265666163746f72656453796e634368616e6e656c496e486f73745265766973696f6e7355706461746572222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e557365586d6c48747470436f6d706f6e656e74222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e56616c69646174654d617050617468734c697465222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e44656661756c744368616e6e656c436f6f6c646f776e2e42616e6e6572222c20225622203a2022696e7433325f747c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e456e61626c6543616d706169676e436c69656e74222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e456e61626c654d6f6465726e466c6f7757697468546965726564476f7665726e616e6365222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e456e61626c654d756c74694c61756e636853757276657943616d706169676e73222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e456e61626c6554656c656d657472794576656e745472616e736475636572222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e496e7369646572546f6173744c61756e63686572456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e4d617843616d706169676e73506572417070222c20225622203a2022696e7433325f747c323522207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e4d6178446961676e6f73746963436f6c6c656374696f6e73506572417070222c20225622203a2022696e7433325f747c323022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e4e6f746669636174696f6e4c61756e63686572456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e50726976616379436865636b466f724e6f6e436f6e74726f6c6c657253657276696365466f72537572766579222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e526f616d696e67426173656443616d706169676e537461746573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e526f616d696e674261736564476f7665726e65644368616e6e656c537461746573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e526f616d696e67426173656453757276657941637469766174696f6e5374617473222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e53757276657973456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e41766f6964556e6e656365737361727944657669636552656372656174654f6e446973706c61794368616e6765222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e436865636b507265666572436d644c697374466f7243616c6c436d64546f7373556e646f222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e456e73757265496e6b5374796c65496e69745769746853757266616365222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e4669784465766963655265456e756d65726174696f6e222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e52756e4d6f646966794465736372697074696f6e436f6d6d616e6441734d6f6465726e496e457863656c222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e5365745465787446696c6c546f426c61636b466f7253656c6563746564486967686c69676874222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e5365745465787446696c6c546f426c61636b466f7253656c6563746564486967686c6967687432222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e5573655368617265644458474941646170746572456e756d65726174696f6e4c6f676963466f7253746172747570222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e436f6d6d616e64732e456e61626c6553657450696374757265417370656374526174696f436d64222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e436f6d6d616e64732e456e61626c655365745461626c655374796c65436d64222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e456e61626c654368616e676550696374757265436f6d6d616e64466f72426c697046696c6c73222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e456e61626c655356474c696e65416e6446696c6c436f6d6d616e6473466f72536861706573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e47657443616c6c537461636b466f7246576964656e222c20225622203a2022696e7433325f747c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e49636f46696c746572456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e496e6b2e44656c657465416c6c496e6b222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4d617833444d6174657269616c5465787475726553697a65222c20225622203a2022696e7433325f747c3430393622207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4d6f64656c33444f6e6c696e652e426c6f636b6564436f756e7472696573222c20225622203a20227374643a3a77737472696e677c61663b647a3b62683b636e3b63753b65673b69643b69723b69713b6a6f3b6b773b6c623b6c793b6d723b6d613b6b703b6f6d3b71613b73613b73643b73793b746e3b74723b61653b796522207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4d6f64656c33444f6e6c696e652e426c6f636b65644c616e677561676573222c20225622203a20227374643a3a77737472696e677c74722d74723b7a682d636e3b61722d73613b69642d696422207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4d756c74695363656e654465707265636174696f6e732e476574554957696e646f7746726f6d55736572496e74657266616365222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e526574727943726561746544324431466163746f72794f6e44656c61794c6f61644661696c7572654d617852657472696573222c20225622203a2022696e7433325f747c323022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e536b69704661696c656446436f70794f50544573496e46436f7079222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e536e61704c696e655769647468496e50656e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e53746172744174506172656e7454696d65222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e537570706f727454657874496e535647546f5368617065436f6e76657273696f6e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e557365417263546578747572654265666f7265443244222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e5573654c6973744e6f6465222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e5573654c6f676963616c445049466f72566563746f72496d6167655265736f75726365222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e557365536d617274496e6b416e616c797a6572466f72496e6b456469746f72222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726f7774682e41697254726166666963436f6e74726f6c2e466f726365456e67696e6553657475704f6e4247546872656164222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726f7774682e41697254726166666963436f6e74726f6c2e4f7074696d697a65526f616d696e6753657474696e67222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726f7774682e41697254726166666963436f6e74726f6c2e547275737442617244656c6179466f726d6174222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726f7774682e41697254726166666963436f6e74726f6c2e556e666f726d6174746564427573426172222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e48656c702e496e636c756465436f6d6d616e6454797065222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e4144414c5468726f74746c696e67456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e41766f696453656e64696e675368617265506f696e7448656164657273546f5075626c6963456e64706f696e7473222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e4368616e6765476174652e4f6e6c7950657273697374536368656d65466f7253657276657255726c73222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e456e61626c6557616d54656c656d65747279426c6f62222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e456e7375726550726f66696c65466f725072696d6172794964656e746974696573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e49676e6f726544697361626c654144414c61746f7057414d4f76657272696465466f725075726557414d222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e53706f41757468436f6e74657874456e61626c6564222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e5573654964656e7469747943726564656e7469616c734661696c757265496e666f222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e55736553706f436f6f6b696546726f6d53616d6554656e616e74222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4c6963656e73696e672e44617465546f5573654d6963726f736f6674333635466f72436f6e73756d65 OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|2" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs OfficeClickToRun.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" [email protected] Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t|0" OfficeClickToRun.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628} regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACBB956-5C57-11CF-8993-00AA00688B10} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877890-E026-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6E17E82-DF38-11CF-8E74-00A0C90F26F8}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D83600-895E-11D0-B0A6-000000000000}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D95-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\Version = "1.3" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\ToolboxBitmap32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6599-857C-11D1-B16A-00C0F0283628}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\Version\ = "1.3" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA52-E020-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{612A8626-0FB3-11CE-8747-524153480004}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\TypeLib\Version = "1.3" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Version\ = "1.3" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E944-850A-101B-AFC0-4210102A8DA7}\TypeLib\Version = "1.3" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E82-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Version = "16777216" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" regsvr32.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7791BA52-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Version\ = "2.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A2-8586-11D1-B16A-00C0F0283628}\ = "IStatusBarEvents" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8556BCD0-E01E-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl.2 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.TabStrip\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9ED94441-E5E8-101B-B9B5-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7791BA42-E020-11CF-8E74-00A0C90F26F8} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6E17E8E-DF38-11CF-8E74-00A0C90F26F8}\ = "ITreeView" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}\ = "ImageList General Property Page Object" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612A8628-0FB3-11CE-8747-524153480004}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6027C2D4-FB28-11CD-8820-08002B2F4F5A} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877896-E026-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D95-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE33-8596-11D1-B16A-00C0F0283628}\ = "TabStrip General Property Page Object" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3B-8596-11D1-B16A-00C0F0283628}\ = "Progress Bar General Property Page Object" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94444-E5E8-101B-B9B5-444553540000} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7791BA50-E020-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C787A50-E01C-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D8B-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ListViewCtrl.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7791BA50-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C787A52-E01C-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl.2 regsvr32.exe -
Runs net.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 101 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 100 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid Process 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1376 AnyDesk.exe 1376 AnyDesk.exe 1376 AnyDesk.exe 1376 AnyDesk.exe 1376 AnyDesk.exe 1376 AnyDesk.exe 1376 AnyDesk.exe 1376 AnyDesk.exe 1376 AnyDesk.exe 1376 AnyDesk.exe 1376 AnyDesk.exe 1376 AnyDesk.exe 1376 AnyDesk.exe 1376 AnyDesk.exe 3212 msedge.exe 3212 msedge.exe 2252 msedge.exe 2252 msedge.exe 1176 identity_helper.exe 1176 identity_helper.exe 5108 msedge.exe 5108 msedge.exe 456 msedge.exe 456 msedge.exe 3456 msedge.exe 3456 msedge.exe 3456 msedge.exe 3456 msedge.exe 4360 msedge.exe 4360 msedge.exe 2564 usеrinit.exe 2564 usеrinit.exe 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
pid Process 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1376 AnyDesk.exe Token: 33 1696 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1696 AUDIODG.EXE Token: SeDebugPrivilege 1376 AnyDesk.exe Token: SeDebugPrivilege 1376 AnyDesk.exe Token: SeRestorePrivilege 1184 7zG.exe Token: 35 1184 7zG.exe Token: SeSecurityPrivilege 1184 7zG.exe Token: SeSecurityPrivilege 1184 7zG.exe Token: SeRestorePrivilege 1832 7zG.exe Token: 35 1832 7zG.exe Token: SeSecurityPrivilege 1832 7zG.exe Token: SeSecurityPrivilege 1832 7zG.exe Token: SeRestorePrivilege 2752 7zG.exe Token: 35 2752 7zG.exe Token: SeSecurityPrivilege 2752 7zG.exe Token: SeSecurityPrivilege 2752 7zG.exe Token: SeRestorePrivilege 3804 7zG.exe Token: 35 3804 7zG.exe Token: SeSecurityPrivilege 3804 7zG.exe Token: SeSecurityPrivilege 3804 7zG.exe Token: SeSecurityPrivilege 1312 mofcomp.exe Token: SeAssignPrimaryTokenPrivilege 4732 svchost.exe Token: SeIncreaseQuotaPrivilege 4732 svchost.exe Token: SeSecurityPrivilege 4732 svchost.exe Token: SeTakeOwnershipPrivilege 4732 svchost.exe Token: SeLoadDriverPrivilege 4732 svchost.exe Token: SeSystemtimePrivilege 4732 svchost.exe Token: SeBackupPrivilege 4732 svchost.exe Token: SeRestorePrivilege 4732 svchost.exe Token: SeShutdownPrivilege 4732 svchost.exe Token: SeSystemEnvironmentPrivilege 4732 svchost.exe Token: SeUndockPrivilege 4732 svchost.exe Token: SeManageVolumePrivilege 4732 svchost.exe Token: SeAssignPrimaryTokenPrivilege 4732 svchost.exe Token: SeIncreaseQuotaPrivilege 4732 svchost.exe Token: SeSecurityPrivilege 4732 svchost.exe Token: SeTakeOwnershipPrivilege 4732 svchost.exe Token: SeLoadDriverPrivilege 4732 svchost.exe Token: SeSystemtimePrivilege 4732 svchost.exe Token: SeBackupPrivilege 4732 svchost.exe Token: SeRestorePrivilege 4732 svchost.exe Token: SeShutdownPrivilege 4732 svchost.exe Token: SeSystemEnvironmentPrivilege 4732 svchost.exe Token: SeUndockPrivilege 4732 svchost.exe Token: SeManageVolumePrivilege 4732 svchost.exe Token: SeAssignPrimaryTokenPrivilege 4732 svchost.exe Token: SeIncreaseQuotaPrivilege 4732 svchost.exe Token: SeSecurityPrivilege 4732 svchost.exe Token: SeTakeOwnershipPrivilege 4732 svchost.exe Token: SeLoadDriverPrivilege 4732 svchost.exe Token: SeSystemtimePrivilege 4732 svchost.exe Token: SeBackupPrivilege 4732 svchost.exe Token: SeRestorePrivilege 4732 svchost.exe Token: SeShutdownPrivilege 4732 svchost.exe Token: SeSystemEnvironmentPrivilege 4732 svchost.exe Token: SeUndockPrivilege 4732 svchost.exe Token: SeManageVolumePrivilege 4732 svchost.exe Token: SeAssignPrimaryTokenPrivilege 4732 svchost.exe Token: SeIncreaseQuotaPrivilege 4732 svchost.exe Token: SeSecurityPrivilege 4732 svchost.exe Token: SeTakeOwnershipPrivilege 4732 svchost.exe Token: SeLoadDriverPrivilege 4732 svchost.exe Token: SeSystemtimePrivilege 4732 svchost.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 3808 AnyDesk.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2252 msedge.exe 2892 [email protected] 2892 [email protected] 2892 [email protected] 588 [email protected] 588 [email protected] 588 [email protected] 2216 avpc2009.exe 2516 [email protected] 3052 [email protected] 3052 [email protected] 5512 lpsprt.exe 5512 lpsprt.exe 5512 lpsprt.exe 588 [email protected] 588 [email protected] 588 [email protected] 5512 lpsprt.exe 5512 lpsprt.exe 5512 lpsprt.exe 588 [email protected] 5512 lpsprt.exe 5512 lpsprt.exe 5512 lpsprt.exe 5512 lpsprt.exe 4000 Security Central.exe 4000 Security Central.exe 4000 Security Central.exe 2760 explorer.exe 2760 explorer.exe 2760 explorer.exe 2760 explorer.exe 2760 explorer.exe 2760 explorer.exe 2760 explorer.exe 2760 explorer.exe 2760 explorer.exe -
Suspicious use of SetWindowsHookEx 39 IoCs
pid Process 1380 AnyDesk.exe 1380 AnyDesk.exe 5020 AnyDesk.exe 5020 AnyDesk.exe 3648 AnyDesk.exe 3648 AnyDesk.exe 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 2892 [email protected] 1800 antivirus-platinum.exe 588 [email protected] 588 [email protected] 2216 avpc2009.exe 2216 avpc2009.exe 2892 [email protected] 2892 [email protected] 3236 6AdwCleaner.exe 3236 6AdwCleaner.exe 3052 [email protected] 3052 [email protected] 3160 [email protected] 6128 [email protected] 764 [email protected] 6028 [email protected] 5652 Security Central.exe 5288 dw20.exe 4000 Security Central.exe 4000 Security Central.exe 5364 OfficeClickToRun.exe 4336 OfficeClickToRun.exe 2760 explorer.exe 5316 SearchHost.exe 6000 StartMenuExperienceHost.exe 2760 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1500 wrote to memory of 1376 1500 AnyDesk.exe 31 PID 1500 wrote to memory of 1376 1500 AnyDesk.exe 31 PID 1500 wrote to memory of 1376 1500 AnyDesk.exe 31 PID 1500 wrote to memory of 3808 1500 AnyDesk.exe 30 PID 1500 wrote to memory of 3808 1500 AnyDesk.exe 30 PID 1500 wrote to memory of 3808 1500 AnyDesk.exe 30 PID 2252 wrote to memory of 1968 2252 msedge.exe 89 PID 2252 wrote to memory of 1968 2252 msedge.exe 89 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 4744 2252 msedge.exe 90 PID 2252 wrote to memory of 3212 2252 msedge.exe 91 PID 2252 wrote to memory of 3212 2252 msedge.exe 91 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 PID 2252 wrote to memory of 2248 2252 msedge.exe 92 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer antivirus-platinum.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" antivirus-platinum.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System antivirus-platinum.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" antivirus-platinum.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2800 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3808
-
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend3⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1380
-
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend3⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5020
-
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend3⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3648
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004EC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1ab23cb8,0x7fff1ab23cc8,0x7fff1ab23cd82⤵PID:1968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:22⤵PID:4744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:82⤵PID:2248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵PID:4756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵PID:1972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:12⤵PID:3768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:12⤵PID:236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:12⤵PID:800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵PID:3156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5356 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5272 /prefetch:82⤵PID:1804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:12⤵PID:3836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:12⤵PID:3048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵PID:4156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:12⤵PID:428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵PID:4160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:12⤵PID:4764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:12⤵PID:3928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:12⤵PID:484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:12⤵PID:3904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6492 /prefetch:82⤵PID:4148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:12⤵PID:3112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:12⤵PID:3156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,18104125406994074979,3714981607261342939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4360
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4308
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3048
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4316
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1264
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\" -spe -an -ai#7zMap10067:106:7zEvent120141⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\*\" -spe -an -ai#7zMap4424:1392:7zEvent262691⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\*\" -spe -an -ai#7zMap31253:3994:7zEvent26701⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\ransomwares\*\" -spe -an -ai#7zMap10873:2380:7zEvent287531⤵
- Suspicious use of AdjustPrivilegeToken
PID:3804
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus\[email protected]"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2892 -
C:\Windows\SysWOW64\net.exenet stop wscsvc2⤵PID:3452
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc3⤵PID:2216
-
-
-
C:\Windows\SysWOW64\net.exenet stop winmgmt /y2⤵PID:2868
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop winmgmt /y3⤵PID:2920
-
-
-
C:\Windows\SysWOW64\Wbem\mofcomp.exemofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
C:\Windows\SysWOW64\net.exenet start wscsvc2⤵PID:4120
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start wscsvc3⤵PID:4692
-
-
-
C:\Windows\SysWOW64\net.exenet start winmgmt2⤵PID:3052
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start winmgmt3⤵PID:4644
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus 2010\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus 2010\[email protected]"1⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"2⤵PID:2584
-
-
\??\globalroot\systemroot\system32\usеrinit.exe/install2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2564
-
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus Platinum\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus Platinum\[email protected]"1⤵
- Drops file in Windows directory
- Executes dropped EXE
PID:1636 -
C:\WINDOWS\302746537.exe"C:\WINDOWS\302746537.exe"2⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D1B9.tmp\302746537.bat" "3⤵PID:3464
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s c:\windows\comctl32.ocx4⤵
- Loads dropped DLL
- Modifies registry class
PID:1588
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s c:\windows\mscomctl.ocx4⤵
- Loads dropped DLL
- Modifies registry class
PID:4140
-
-
\??\c:\windows\antivirus-platinum.exec:\windows\antivirus-platinum.exe4⤵
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1800
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h c:\windows\antivirus-platinum.exe4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2800
-
-
-
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus Pro 2017\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus Pro 2017\[email protected]"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:588
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus Pro 2017\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Antivirus Pro 2017\[email protected]"1⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
PID:3428
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\AnViPC2009\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\AnViPC2009\[email protected]"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:652 -
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2216
-
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\FakeAdwCleaner\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\FakeAdwCleaner\[email protected]"1⤵
- Executes dropped EXE
PID:384 -
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"2⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3236
-
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Happy Antivirus\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Happy Antivirus\[email protected]"1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:2516
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\InternetSecurityGuard\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\InternetSecurityGuard\[email protected]"1⤵
- Enumerates VirtualBox registry keys
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Adds Run key to start application
- Checks for any installed AV software in registry
- Enumerates connected drives
- Sets file execution options in registry
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3052 -
C:\Windows\SysWOW64\netsh.exenetsh "firewall" add allowedprogram "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\InternetSecurityGuard\[email protected]" "Internet Security Guard" ENABLE2⤵PID:3108
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt djmuz612iirstah.com 8.8.8.82⤵PID:5160
-
-
C:\Windows\SysWOW64\Wbem\mofcomp.exemofcomp "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\InternetSecurityGuard\6137.mof"2⤵PID:3208
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt djmuz612iirstah.net 8.8.8.82⤵PID:5528
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt djmuz612iirstah.com 208.67.222.2222⤵PID:5640
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt djmuz612iirstah.net 208.67.222.2222⤵PID:5776
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt djmuz612iirstah.com 8.8.4.42⤵PID:5848
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt djmuz612iirstah.net 8.8.4.42⤵PID:5916
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt djmuz612iirstah.com 208.67.220.2202⤵PID:6076
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt djmuz612iirstah.net 208.67.220.2202⤵PID:1632
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt ddlua510gpucdip.com 8.8.8.82⤵PID:4336
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt ddlua510gpucdip.net 8.8.8.82⤵PID:1300
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt ddlua510gpucdip.com 208.67.222.2222⤵PID:1312
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt ddlua510gpucdip.net 208.67.222.2222⤵PID:5192
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt ddlua510gpucdip.com 8.8.4.42⤵PID:5412
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt ddlua510gpucdip.net 8.8.4.42⤵PID:5164
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt ddlua510gpucdip.com 208.67.220.2202⤵PID:5248
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt ddlua510gpucdip.net 208.67.220.2202⤵PID:5332
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt clls406szhipps.com 8.8.8.82⤵PID:5544
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt clls406szhipps.net 8.8.8.82⤵PID:5580
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt clls406szhipps.com 208.67.222.2222⤵PID:5564
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt clls406szhipps.net 208.67.222.2222⤵PID:5700
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt clls406szhipps.com 8.8.4.42⤵PID:5776
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt clls406szhipps.net 8.8.4.42⤵PID:5888
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt clls406szhipps.com 208.67.220.2202⤵PID:6024
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt clls406szhipps.net 208.67.220.2202⤵PID:5940
-
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Live Protection Suite 2019\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Live Protection Suite 2019\[email protected]"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3160 -
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"2⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:5512 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 15763⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5288
-
-
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Movie.mpeg\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Movie.mpeg\[email protected]"1⤵
- Executes dropped EXE
PID:5692 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 6082⤵
- Program crash
PID:5384
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5692 -ip 56921⤵PID:5224
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\NavaShield\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\NavaShield\[email protected]"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6128
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\PC Defender\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\PC Defender\[email protected]"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:764 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"2⤵
- Enumerates connected drives
PID:4420
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2492 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:2976
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 559009B7B22822FEF8025D169E60A852 E Global\MSI00002⤵
- Modifies WinLogon for persistence
- Modifies data under HKEY_USERS
PID:5292
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:4868
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\PC Defender v2\[email protected]"1⤵
- Blocklisted process makes network request
- Enumerates connected drives
PID:5248
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\RegistrySmart\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\RegistrySmart\[email protected]"1⤵
- Executes dropped EXE
PID:5772 -
C:\Users\Admin\AppData\Local\Temp\is-IIG2L.tmp\is-C29PP.tmp"C:\Users\Admin\AppData\Local\Temp\is-IIG2L.tmp\is-C29PP.tmp" /SL4 $4088E "C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\RegistrySmart\[email protected]" 779923 558082⤵
- Executes dropped EXE
PID:5784
-
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\SE2011\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\SE2011\[email protected]"1⤵
- Identifies Wine through registry keys
- Executes dropped EXE
PID:1460
-
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Security Central\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Security Central\[email protected]"1⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6028 -
C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Security Central\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\rogues\Security Central\[email protected]"2⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:6016 -
C:\Program Files (x86)\Security Central\Security Central.exe"C:\Program Files (x86)\Security Central\Security Central.exe"3⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5652 -
C:\Program Files (x86)\Security Central\Security Central.exe"C:\Program Files (x86)\Security Central\Security Central.exe"4⤵
- Adds Run key to start application
- Enumerates connected drives
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4000
-
-
-
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:5616
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5364
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:5468
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2760
-
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4336
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:6000
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5316
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:692
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵PID:2604
-
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:3120
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵PID:696
-
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:2204
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding1⤵PID:4648
-
C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\MEMZ\[email protected]PID:3424
-
-
C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\FakeActivation\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\FakeActivation\[email protected]"2⤵PID:1516
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"3⤵PID:3280
-
-
-
C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\HMBlocker\[email protected]PID:3784
-
C:\Windows\SysWOW64\shutdown.exe"C:\Windows\System32\shutdown.exe" /r /t 6 /f3⤵PID:5524
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f3⤵PID:1480
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f4⤵PID:5044
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\HMBlocker\[email protected]\"" /f3⤵PID:3224
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\MalwareDatabase-master\trojans\HMBlocker\[email protected]\"" /f4⤵PID:4668
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵PID:4588
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:3024
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:3680
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵PID:5252
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵PID:5680
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3084
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:892
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵PID:5940
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵PID:4180
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding1⤵PID:4896
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4884
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2292
-
C:\Windows\System32\PickerHost.exeC:\Windows\System32\PickerHost.exe -Embedding1⤵PID:3088
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3956855 /state1:0x41c64e6d1⤵PID:4300
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
9Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5e196335c19eafde72885e87e0fbfee06
SHA1918d2d2af7ecc4fa91c6e25f50fd7fd331b86aca
SHA2565a93e720527c4e5c14ec16848095ef1bc9d557c49435d2958ee3a4a684c463a9
SHA512641f464180872aeb9d5a35623ed3523ec40ecbfb60990f72d1e11f99d295504d3042f1a1f70678fb9700ad395ef20e8dd1e1e590d62538bb63d33fdf720354a7
-
Filesize
704KB
MD5c65e69e26f1929679c931592ba22d8c2
SHA1c401c093236140570b4c17746c79cd4d48d158c1
SHA2567b10b187dab0c40a5b1fd8345a5639e855975bf0405cf9f2153e58f89eced67a
SHA512f96d725787b8d364b7f2fc06c180fe27761853dac80237d7f07602123833699ca9dac9aa600a7947e9b824a8bf8b03a7409b4527d0d0bf6e21de81b758c3ac66
-
Filesize
7.2MB
MD59ce316ee1388536bb6e016563bd3c723
SHA19669568be937c7f7d7f347ce3eddf158db042212
SHA256d9c68b713e4cde4ded31ac686b728e61c69ac77e21251b98fcbd787316cd879b
SHA512de98e251e866ab02cb952048b145760fd71c49deafbe31b5d761f4e1562c6edc7ff7191b8589663667a32a50e784b0d24b74b2c819ae0620ed0199796d71c6f4
-
Filesize
185B
MD5b8224e5293d4fad1927c751cc00c80e7
SHA1270b8c752c7e93ec5485361fe6ef7b37f0b4513b
SHA256c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61
SHA5128fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2
-
Filesize
381B
MD5578de375e22e22b459d0a4de2142aaaa
SHA1146546a060488be2cf7dd40779a246851bf6fbcf
SHA2564dbdbf366cdd4c56ad37adfef83e3868f0b767712838af2f63ba3d3e9bc4d8e7
SHA512fb62238bd745c9cfc7a0c07f28b9f6ca21cc9107e7056a6c73e915edf0358b4025148d86c5f66d88f002a868fba0617f0f166df45ff088b3f33507d1e5c38cf4
-
Filesize
1KB
MD56ba8a1c28b59d7d8617a64ad7ac5d4de
SHA1eb6c08aadf71be6e306a65a1082d8ea1d1ae23cb
SHA2567d092ea75fa1f85ae0a025f08d0c3228c0f715e7a91f82d234926e81c9f1acc6
SHA5125fa84004de7392c589953e651e70b64bdc8d33ae8b84d17514fa1dd13d997687655925ed13c23505ac67c9ec9d438c4c501db99379080a9018b8f6688b366709
-
Filesize
3KB
MD597c65eb77f49d307298c8deb0d8843c3
SHA14e8e7b8d3d706b09a6d8ee5f9cd094ae7620d45a
SHA256074a726d0284888dc87f05cac743cd839b15fe9aaca6d86026c6c7a86541021c
SHA512a0ce72da32ca0b2c78efc11ef7445a76202c67953d03bd8b6c8cb286e342586f913589870505ae9cbefc0108376882b7afee7a79aee5ade70705cdae85294637
-
Filesize
3KB
MD523e3a51882a52171a3823d807a995f9f
SHA1bb175a314703fd222040a872d6513fb3257b1fc0
SHA256e73e3aeb4a8fb11b09637875a2e43cd1111fb3840b123193b53fb1f4b26f275f
SHA512506d2e1091c93887442248fac00e12dd2a38679ea3714464e282e86a241cea4275b46b2244169f33092085a9579c09dfcd37515611cec95c29c49a831b39c943
-
Filesize
3KB
MD5f973258ff74ea8df56f9f8c2c38a5440
SHA14ae3fd0b40371f8e0062eabdcac7f45803dd9986
SHA256ff93afaa7b68bc28188516857db81ff92962730cbe26f4a28a55fcb312edfd1a
SHA512e3474b1c8e9464a62eab8d4d2b44dcb39e7ec05f30410b39be7ed3e7cb9da4e1fd5d037272f74019ee9b3354e8c7ce3f594c2628d9cc0046b08d91bd77050caa
-
Filesize
4KB
MD58688e9af0926fc927c2e1b9bf22c3051
SHA15e9608e7c7c7048daaa95d6595bd238e8228aa8f
SHA256499232f560411134354d4e4dcba3f0a518916319ad7352c8366124e64fe178cc
SHA5121c8cd5142bfbd37c4b5e4c3ef5c3c5ea865de6249509fd23f266b2229ab91b52ba7ef5d3f12fa0e91e521359a81705ec367ff3b05d4707f3259e828bc72dc596
-
Filesize
5KB
MD5fec5bc83e72df8ffda9c0c69592c80a1
SHA1639a9b4e115d849fce10176112aa69c84817fd68
SHA256710c8b73f7d6019e388f651ce2a9a91ba5907381525c76e4b75b6f0d663038a7
SHA5123d1b6036a1d8fbeb2afe2f932f488728b931b21cf78586865caa1c8b7913310d018a5358b57025a17db77b02ef8e743981425af302886ed78570203a7bb2f208
-
Filesize
17KB
MD5bec0628b3090e92c62623efed105eb0c
SHA1864e0bf2bfb51e74c0dcdba62f85f0d179a0fbd5
SHA2569959454667e208511ff2befc2794c89c9eca2f7117431d417e9d0f5851673dfa
SHA51266758e57aced44789bcfa0e045527477ef348a40aefba7c6748b2cc52d69443728cffa3b82451036cc50d3757ae788d3f3d82f8b0780f28286fdc96e07581f97
-
Filesize
2.3MB
MD527cb6c9a157efad84bf4a34d92b752a1
SHA1e57928b64b354b8405766c0e58178ea4198f2003
SHA256a6ffd07a4fefd2427bd69178944fe8fca862fcf4f74aad6df6de4774c724d2f7
SHA512cdf660cd629479d8c935e249acefea756c59e9b8aa8da05f11ecae068e0ff50d25174d8dde6412f437cf35e2d99a227be13d741c1306e8c9ba3c0ee4f479f71f
-
Filesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
Filesize
152B
MD5d943a8cf4efd126466512b0952309e2a
SHA16a2398d0f51bd03726846cf3e63cf057c9089fb4
SHA256193acec13684c624ad94981200e722c9acaeb9e7b9df41fcd20de8a3169c2302
SHA512604e55c870302f893ba79432a41da9ba923001ecc7ce764d8372207cc6bcc7a5f7f44f61c14e21415f292d6746a1abe678df3f496b7231b52e571221b8fd1322
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD540f9a99367dde2afef4dc632717b03de
SHA11609981bebafb48c7edd693875d4efc477ae7b17
SHA2568935dee8b09f2fedbcf5e3c9b86057d0b4a7b214cab3ce4be84eb736b569761e
SHA512906a3a6a115f53ab7576b02569b7dbbbacdd9b92b3e4c0dc169e55574c8a17eae98d11c7be333eb9ee37698b82c2e254fc364fc3dec1da9bd3d5965a1f640411
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
3KB
MD5fe7bf6a97c5240c3afb6d88d6dded959
SHA1329ff24e498de3c4416f654f0db007bc4bfd55e3
SHA256c54a0a56933759739783807f1abaa8b8225ceb96e9e7b3b619a3c20c7747b7fe
SHA512bc66e151442baa47effbd43d7de9416c6ddeda4da99850d91489ebc3afcd5f9abd7f46c09497d5f4afb4c9ff939cdc4fda07df7351650599347e7b7c38671582
-
Filesize
4KB
MD5d5b1df43ef395d1601130d972183381a
SHA1a564dd252c40746d4e39a0b09ac8893838191724
SHA25614f6830f79326d46e731dd4ef09f82854841df5c14b63e20f9dba1e4bb8f052d
SHA5129f48f7673c45bf44b894a042c2ec7f140c46f258712aa6ed8ff9d43c10c80d05b114344d27f7e4d517ecd5b8656edfab0dae757e410acbb5b630ed72dd64d80b
-
Filesize
5KB
MD56821bfef6e4b11ebc8509d97430c0b5c
SHA1a40e3952c94692dc7a30680ad0ab18a574bc0010
SHA256fe37a59b6b85de8dd6c953b6550dd9e533eb01c098730e0ddbc6c48393c81e0a
SHA51234228def9079221dad64e36cafc1a894539ef5ad8e8b8bc58b4305c8b4606d5bfd0df30e6149797c740a9ad38ac568622c4b96b8a33c80d27e4457e3bb11d73e
-
Filesize
6KB
MD5b11fb15515a5c4b86d8e368837390243
SHA18f633f5d403d2366e034c8b07082967be2028ad8
SHA256d18916569a8c435294d8596d9b2c65d50fdb4a8f82e929921b659d8c8e5ae95f
SHA512777e64c0619e07e5fdfa21958572902fd9be1ca3b4ce640b454469150163fb87f49df9ea89158a84174822fbdba7580a9e4287cf0a509ba155c69844082307a7
-
Filesize
5KB
MD5c84c84fcd6c04bf93350e5ea84a773b8
SHA13c4a275d5e0fa66092cb78ad912fc3b26975721f
SHA256b56e6b1d610af959e3deebeae05da829a4a578cd29f0400ff972b0ad21fd9823
SHA512faac3389d70853c26cd7662c3966b889e242485ec385f43eb4b82463d296f38d8899547c3170d36f0d75b5a9e35710017384dd879a4acc9fa5a7c327a6e454c4
-
Filesize
6KB
MD525ae2bef0fbb0f4987c9463038711cd4
SHA145bae683baeb142fd2466e5d518e9af3a9ed4741
SHA256036580b6e4eb9f43f686ad56a233be1d443a7f8f83b3dff8c53f05b7720924e9
SHA5127a3c1a050a88f9f61572714af3000814896105a0e93a7a3af48c3605d3829def0bd6902e9282693bfb2c0a9268a7dbe15d032c08af7b8b9c0c520852a20a58ef
-
Filesize
25KB
MD596ef0380c97220c7a8bd1e84aa6a93a5
SHA14c568f3cecb9e5eb89538dd1fe6a5be7a6e4c97c
SHA256653afbc13bfdf41960d635f702c4006da53e2379b3b05e5897543e2706400827
SHA5128177f441bb32d965773f0448bf8b463783c66e18b6482187d656f959ff83f53cda4deaca768f0900221654f4211f6f26be7f652567b0b7b3b720dcd365bbac21
-
Filesize
2KB
MD5a1aeb7824f7841ca0b0803646a85a3c7
SHA14965c0211a51eea6980e06ef2e1c6e549959b5b2
SHA25627d414823e818304e85603dd71bef96c072548da8242be70caf49b694cfb2436
SHA512271f94805b8888230e574b7271847b5b9b77feaf5d3e4d57dbc434a9ef41cb286d095bbfa75e9a571907dfaedf7a25ff6bd3cb7a142220909250e45915a50d02
-
Filesize
1KB
MD5a420cdaebd1a9594ec9162db780a366c
SHA17fbbc27931408aaca1435be0e22be118b1b3bcf5
SHA2560627ef0ac76ef6cad04ede1bbf6203ea122d4318ef09e8116c11e95b957a7fb5
SHA512d0f05c11a0e0e841a71c62282e5cc20a9a6909302a6a1829431bf33f17c2140de160d4e73a99f5b58e01cd2dd5f136f01a884b84b58b6d4fa0c9fff30c8a2a2e
-
Filesize
1KB
MD5a353ecbfc4916316d72ba6fb69a53462
SHA1b37aa96915ca0980ee2f295d2db458660f50e00f
SHA2569c733c839132e752853c26f18ca8221864fd441d1a7055be8f14f417f50d16f4
SHA5121eda1fcb6d6aa1e36f7166207681a3fff46d4e314574353679818f46aeb71fec16e9cdbf8fe79c5534754e9a62dbbf8ac7c54751ac59a58c62b2dbeb5790e2f6
-
Filesize
538B
MD5e05e8a88ac6ebab93ddfe6750eab0119
SHA1315982d61fb3c0e59fa70d2ec0aeae956a736d50
SHA256072eecffb3174b239bf5d7541e60558093bffaaac07b25e069506ef6d6fda1b8
SHA51238b50eebc6c65ffdcd43c24a59aaefe290c9f5e1348ab063e26778647a6d929689fac4141a6349819d99639c07a2ab3b4965a73f74a4175a2468463e97bb614e
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD55a9a75eb784c9d29a18cf0f144fbcc68
SHA14b10b4689bd0c12eb562a2ae66a75c4c3163ac3d
SHA25652edaccf128fca18f11a61e6a3ff0d7133b2e4b1dce6762977ffaeb44367e682
SHA5121492ff8caf703ef3efee5c7bf845e2b4ec0b070239c70978b943955c0058b62a988f8676e8b35f99186b11bd77e121488b77316184ef64187e20ef1e29e8fa4a
-
Filesize
11KB
MD54a56e60b62805a9f9df02d7b28e3fd0c
SHA13209fd4b198f0a851a311288e68eece90d9c34f1
SHA2564fdfa2465aeae99760a94ddad9c2616c44310f65b3173f6f04ee05429889e619
SHA512fdc69579d511e1ef866cccf7dde64c069492684265dc58208c75ae391e3cbba33acb01bd843a4fc0591260a5be18aefa9f1ed3273f2285d5fd73e1abdeebcc19
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133483148670665359.txt
Filesize67KB
MD5ac547d3bd306d682db8325c1ef7c4024
SHA109bb4c6486f3645a39ab468295857bca47b34594
SHA256b0e2ecda3d61b2847d7cbdb0971f2f28bdf9bb1769ba638ee5b3ec76e3e6bb5b
SHA5121cec560a922bf3f05336c2cfe3873a9ab951ebe973c1ec901dde90535bbb18d070be36cd8c9534ee785357c5cb4b28f2ca5800c36b4d250e1b9529ba5106d5e5
-
Filesize
870KB
MD57f728acab22868ca02cc1ba0a14f5d64
SHA19e3e82b152447b8bcd27583fbdab7aa91ca4739d
SHA256586f9a9af50b2a3321e77d2b4583741cc4842967af9429cc371534f7179caec4
SHA5129bc8bb97e6d4f18ec484fcd792466cb5df0bf0447cbaa19a41258ef80e599e8a2b2c83c700f32f30bef578b03614af1b554844d051435dc9f510ccbd56686800
-
Filesize
57KB
MD5589d77eadb85bdf4c192665d565882a9
SHA14805582329ac6b80a045b82c04e1c9328565a13a
SHA2564aadc5a6fa4dfbaf3b4c635760fd55476de39ef37d27eacf5c8c6daf99230273
SHA51265d881ad2561acde5de4ceea1b1b634ddc44735b3139ab006c957f2543d33c59df6b371e1b5234f504f435595b7ac48330d9afe1fbc85fbed4acb485d1a61bb8
-
Filesize
38KB
MD58224bcd1e3c752b4b200360b016ac17f
SHA15ddd5ccdb68ad750eb0c2c0d10f91d60e1da05d0
SHA2563d3a6dc6a1879b2e7f0315f8a3eca4afbde6487188c73db34b1e1527aeaad444
SHA512246da9f9b7f92527ea25b1463dc7f6732c2c920ed1b632be9c8a216584b68e7810035866bcb643a17670de3f6ccd2dc5ec86533f39c5a86910efd6531ec03342
-
Filesize
70KB
MD58fbc2185824c53a8f1aae146deb5dd85
SHA15c65703b3a0e29ec3c9081a82864fd5fa91d29ce
SHA256cad5c5b5fab6d95a76a4b68b253827cd5d11ac9be8366339ba58bcf65423f36c
SHA512280b1bb5b87ebf44a8aed93aacbc38f084bb51ad8062b3f71fcbffb82ca6ce8469f7f88da87f1d7d931ade50d53f254ded3953db02866311af8667c09898f163
-
Filesize
102KB
MD5248ac01a5b5ef13b1f13c479bfeddba6
SHA10f8fe85f716a234ade49c393f3c78c582b2ff745
SHA256b7807d4967be8c2c7bc55b50d173b243dcc975e6d34771717aa361d6937808cf
SHA512abf9e33f8108e724701fed2c87bbdbbe1f5fdca43c7124e9ead25ac5416040190399816034ad87cd067763fd71406f7f5805e8a1a9f62ead13b887829be948e0
-
Filesize
2KB
MD55ea4bfc19f3a776db0ae7ecdb95672f2
SHA12bc74578704bd96d5c1b83334ec0f2a6d00253a8
SHA2560563f7d2fa40b3c06e5897003f0f96ac8a2247941faf496b7ab3501a77866e46
SHA5121a66df5b8363a98786a87e6f26f037c649e86a1d480e0ad4850e82e1b1e4fba24e4341b3181fec85d1dc1e20f26945633c9a1c514eb452cfeed47d8afedd13f1
-
Filesize
6KB
MD5afff3c3926b123120a7d206771ddfe6c
SHA1299bf3ca0fb073514a4aedc9b751a5e37d91a0a0
SHA2565b71e05929b63e7aa58f87697f1ebc41f03af6bf1faa0c61739358ed22071615
SHA5124ec9b4baf1414a509c5d66e575d67e0fb20442a90435b24e8ecc1532ce1ad85e40c69a04ff72c2dc47358e7338b833095b68784bcac40d637415ce11d8f3a458
-
Filesize
7KB
MD5d534162f9767b24e809124039c834c1a
SHA11220cfc30658bf8fa38865162ea25950a8838693
SHA25682af6001ab68bdca045a3f037315dc429ef0d304213b0d1ab0aa4b06d73c416c
SHA512fe7b7dc5e52ad2cf466859d33f8387bf8c7bdf0e3bd062affaecf0fcaeef79fc31ebba930cd1baf890c135ab57ffae474c0be13f2e7567213068d874ced16879
-
Filesize
7KB
MD53877babed315548f03255004153eb0da
SHA11083b35e6e3f98856a08f7ef95b0bf959b4edb19
SHA256c6feb944adbff58a377f870e767a55b2f1c85dfe92426f254a817fcb5c176257
SHA5127dbf3d3131b319d677762805981ae995edcde2f96541756d0e4769ad3166cb885f00d0a8133ae80b3f341f99d1b96ab201304cb5633313b141f79b8d12d00b7b
-
Filesize
7KB
MD56175b2b6d780bcc8965880ad6b03508a
SHA109f57f9d30b233d173517cd02eaf713ad856c202
SHA25606ac5da13dcd5a5955669ae46c839f5c698988b374268d7dc8384fc75945e766
SHA512a8ef29d2c92536a9b2ad6c32b356ad5bd6f4e5a8a27e1435dde5f28b0d87119cec55016631c46e96c9000ca7ac71ad5a587166f21ff56e38eec549bcd574ca79
-
Filesize
7KB
MD50d7995fbe15618365de645c785f6eb36
SHA1ac55517a6e29f999d27ceb7d89754e9cf1876bcf
SHA25654fa65cbcf70cc74d789921425daff1fa9cebd9c45b1115189af29734872a161
SHA512e5f75c39cd003d31780b3a8ac198d8917768a8ebf0467491f186e8af08628f8d624520c41015a8c2b46df49c261559e9041f800e99215d50dbc579ae15fe7bce
-
Filesize
7KB
MD5dfa55cdc16d76b06dc5bea338f79e694
SHA180b2b47fd7500f49078bdeef7e9ebd66a21c1053
SHA2561febd3b7763b246b12a420ba977810613f0850d37af1f738e74ddc3397e67e04
SHA512faa9c0cef9cd2ddd3c0ba05016881da90c9119dd451c4fd0c672279fb699bbba2e3c27d034d1eb8eeeba5a55259a7787b642486242ce846e3b9e68f76b314979
-
Filesize
7KB
MD51f9d4d7b4559595f41c37b590b900c40
SHA1b5611f24f1296df40f1ea51ef815babd81e4c9f5
SHA256d16493a1090bda3f3e6ba806600854941f000a9f1e98ed287262e2a9f05dc6a9
SHA51218a0c0e2b16b0c99b4b9c6ca720bc522519953bd83d54f692cca875cd413cbdb44d7f4905b8a9da12736d4c53f9b93b3a685ae941e6eb0257b9f0bb0bcb6f463
-
Filesize
6KB
MD5e46e639a725f1ce40c7abc98af50c4ef
SHA1fbbd0147755c134d5dfb63ec790ea787d41eba7a
SHA256b1506e7203952e09e5231f0777ca50a7301e9ad65fd6fc00d97732fc23c14e68
SHA512500d016b2e584d622a4fcba41078ec922d3a9d2900ac36f8c72aab60dbb090b584d2337e2886c644174034a2dc54b169b2c1044e41c33d575d2e531ce62f663d
-
Filesize
22KB
MD58703ff2e53c6fd3bc91294ef9204baca
SHA13dbb8f7f5dfe6b235486ab867a2844b1c2143733
SHA2563028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035
SHA512d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204
-
Filesize
153KB
MD5f33a4e991a11baf336a2324f700d874d
SHA19da1891a164f2fc0a88d0de1ba397585b455b0f4
SHA256a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7
SHA512edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20
-
Filesize
21KB
MD5b84df77564555c63c899fce0fcec7edb
SHA1e63e7560b3c583616102cad58b06433b1a9903b0
SHA256912ebab4ab2ea830b961df778dd854e555c89e05e25b7c02b3737429115405f9
SHA512857717981c44a6a5fbb1bd34308e981c448746e0ea2d5bea94516fea20d0186e00a3547ad0b948c10fd9493e3ca00c0899927b0fa51c240697faacbbecca033a
-
Filesize
1024KB
MD5c0a8d8fb18ba3599470ac07e9d4c21da
SHA12f2224b6cc6a91d2fa459341bcc56939d9aaa964
SHA2569c779ba622e829246d42aad03d6d5eeb4763d87669009d4910b2a0bb75f1abe4
SHA51281d1d7b3d1b8faa18d1e735c2ddce71141bab23862bef1649dda90b6d67afc705306a13b352b578f1a30b22522a60524c3382b9a86503c981b6f58c88050388b
-
Filesize
7KB
MD514bda2f1ac3ff6639c3c240fbfca881a
SHA15850f40a49e51fccfd4c45fc251b6e76d1d91d44
SHA25613530fe3ccbf7c3e7e3f57932e2d86174041250362f350f87f9ebcc1a8a16eeb
SHA512f2ccbb9706ae08e591c2dbd21c5c5bd289ca3772be1dc7bf970bac6fc31dd5aa283d66425cd1ce04d01a80ac9f50e1315f0700878fd35387bc97dd791c9b7993
-
Filesize
1KB
MD5008fba141529811128b8cd5f52300f6e
SHA11a350b35d82cb4bd7a924b6840c36a678105f793
SHA256ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84
SHA51280189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc