Analysis
max time kernel: 1800s
max time network: 1804s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-02-2024 03:23
Static task static1
Behavioral task behavioral1: sample New Client.exe, resource win7-20240221-en
Behavioral task behavioral2: sample New Client.exe, resource win10-20240221-en
Behavioral task behavioral3: sample New Client.exe, resource win10v2004-20240221-en
Behavioral task behavioral4: sample New Client.exe, resource win11-20240221-en
General
Target: New Client.exe
Size: 188KB
MD5: b848808a7c3f542eaf9718c0c8e0159f
SHA1: c8fc1af2a0e6df1be9426b5f2e636b7f2b1aa302
SHA256: 13fde5c8aeb2fe2335dcb803a1a31a404e2f65e990d2a728a0df681ef832b616
SHA512: 0eb66a47448b588cdbd4b1b1d426c70b10fd073f2612a1f45e3abbec7b61f35735ff2a8cfeb1eb3f5390f89cc3abd88522a1c7ff20ddc8857242e8ce7335ac2d
SSDEEP: 3072:p2B+64kQ2EJam2dNREz9Vnc4OZMJwGu3U4QyZom8exsrPR5TE7D0XuDTTo6M//lz:p2B+64kQ2EJam2dNREz9FdOZMJwGuE42
Malware Config (extracted)
Family: njrat
Version: Platinum
Botnet: AntiVirus
C2: 127.0.0.1:38277
Mutex: Client.exe
reg_key: Client.exe
splitter: |Ghost|
The configured C2 is the loopback address, so this build produces no outbound command-and-control traffic; the host artifacts in the Signatures section (the Run value, the Startup-folder files and the System32 drop, all named from reg_key Client.exe) are the usable indicators for this sample.
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Key created  \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Active Setup\Installed Components  (explorer.exe)
Drops startup file (3 IoCs)
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe  (New Client.exe)
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe  (New Client.exe)
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url  (New Client.exe)
The sample copies itself into the user's Startup folder as Client.exe (the reg_key name from the extracted config) and also drops a Client.url shortcut alongside it, so either file on its own will relaunch the client at logon.
Executes dropped EXE (10 IoCs)
pid 4436  68e808a32a7445e081481e1a576a6eea.exe
pid 1856  Ention.exe
pid 4124  Locker.exe
pid 4972  fe70bfde50bf46b298d0a63350d2cf4f.exe
pid 1536  Ention.exe
pid 4696  1c174b145c8e4091a5774f9441cbf620.exe
pid 4872  e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe
pid 760   7ae6b7a89ffa41948a832202917a02fd.exe
pid 3656  5d71b00b8a674bc4bb44882ec07efcce.exe
pid 3664  aa99e63a512a4219a7e849a1b04a46b1.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str)  \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."  (New Client.exe)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."  (New Client.exe)
Both hives receive the same value: the value name Client.exe matches the reg_key in the extracted config, the image path points at the sample in the user's Temp directory, and the command line carries a trailing ".." argument. The HKLM write only succeeds because the sample ran with administrative rights in this task.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Each entry is a read-only open of a drive root (\??\<letter>:), grouped here by process:
e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe (14): b, e, k, l, m, n, o, q, r, s, t, w, y, z
Locker.exe (15): e, g, h, j, k, l, m, n, o, p, q, v, w, y, z
1c174b145c8e4091a5774f9441cbf620.exe (16): g, i, j, k, m, n, o, p, q, r, s, u, v, w, y, z
WScript.exe (17): A, B, E, G, H, J, K, N, O, P, Q, S, T, U, V, Y, Z
explorer.exe (2): D, F
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
yara rule autoit_exe matched:
  behavioral4/memory/4436-123-0x0000000000400000-0x0000000000A31000-memory.dmp
  behavioral4/files/0x000200000002a83b-141.dat
  behavioral4/files/0x000200000002a83c-458.dat
The memory match is in pid 4436, which the Executes dropped EXE list identifies as 68e808a32a7445e081481e1a576a6eea.exe; the two .dat files are the dropped payloads the sandbox captured on disk.
Drops file in System32 directory (1 IoC)
File created  C:\windows\system32\zm0u1_.exe  (New Client.exe)
Creating a file under C:\windows\system32 requires administrative rights (as does the HKLM Run value above), so this task ran the sample elevated; on a non-admin host this drop would fail while the HKCU Run value and Startup-folder copies would still be written.
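The three persistence signatures above (Startup-folder files, Run values in both hives, the System32 drop) and the reg_key from the extracted config are the indicators worth turning into a hunt. The script below is an added example, not part of the sandbox report: it takes the IoC rows transcribed from this page (plus one constructed wallpaper row as a benign control), applies three persistence rules, and cross-checks each Run value against the extracted config. The rule names, the IocRow shape and the ".." argument check are this example's own; the paths and values are the ones printed above.

```python
"""Hunt persistence artifacts from a sandbox report and cross-check them
against the extracted njRAT configuration (added example)."""
import re
from typing import NamedTuple


class IocRow(NamedTuple):
    action: str   # "Set value (str)", "File created", "File opened for modification"
    target: str   # registry value path or file path
    data: str     # registry data as written, "" for file events
    process: str  # process the sandbox attributed the event to


# Fields from the report's Malware Config section that matter for persistence.
NJRAT_CONFIG = {"reg_key": "Client.exe", "c2": "127.0.0.1:38277"}

USER_HIVE = r"\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000"
# The report prints the Run data with the same escaping a Python literal uses,
# so this evaluates to: "C:\Users\Admin\AppData\Local\Temp\New Client.exe" ..
RUN_VALUE_DATA = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."

IOC_ROWS = [  # transcribed from the Signatures section of this report
    IocRow("Set value (str)", USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe", RUN_VALUE_DATA, "New Client.exe"),
    IocRow("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe", RUN_VALUE_DATA, "New Client.exe"),
    IocRow("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe", "", "New Client.exe"),
    IocRow("File opened for modification", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe", "", "New Client.exe"),
    IocRow("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url", "", "New Client.exe"),
    IocRow("File created", r"C:\windows\system32\zm0u1_.exe", "", "New Client.exe"),
    # constructed control row: a wallpaper change is not persistence and must not match
    IocRow("Set value (str)", USER_HIVE + r"\Control Panel\Desktop\Wallpaper", "C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg", "1c174b145c8e4091a5774f9441cbf620.exe"),
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
CMDLINE_RE = re.compile(r'^"([^"]+)"\s*(.*)$')  # "<image>" <args>
FILE_ACTIONS = {"File created", "File opened for modification"}


def hunt_persistence(rows, config):
    """Return one finding dict per row that matches a persistence rule."""
    findings = []
    for row in rows:
        run = RUN_KEY_RE.search(row.target)
        if run and row.action.startswith("Set value"):
            value_name = run.group(1)
            m = CMDLINE_RE.match(row.data)
            image, args = (m.group(1), m.group(2).strip()) if m else (row.data, "")
            findings.append({
                "rule": "run_key",
                "hive": "HKLM" if row.target.upper().startswith(r"\REGISTRY\MACHINE") else "HKCU",
                "value_name": value_name,
                "image": image,
                # the extracted reg_key should equal the Run value name the sample wrote
                "matches_config_reg_key": value_name.lower() == config["reg_key"].lower(),
                # the report shows the command line ending in a bare ".." argument
                "dotdot_argument": args == "..",
                "image_in_temp": "\\appdata\\local\\temp\\" in image.lower(),
                "process": row.process,
            })
        elif row.action in FILE_ACTIONS and STARTUP_DIR_RE.search(row.target):
            findings.append({"rule": "startup_folder", "path": row.target, "process": row.process})
        elif row.action in FILE_ACTIONS and SYSTEM32_RE.match(row.target):
            findings.append({"rule": "system32_drop", "path": row.target, "process": row.process})
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    results = hunt_persistence(IOC_ROWS, NJRAT_CONFIG)
    for finding in results:
        print(finding)
    print(summarize(results))
```

On this report the two Run findings both carry matches_config_reg_key, dotdot_argument and image_in_temp set to True, which is the confirmation that the statically extracted reg_key agrees with the runtime behaviour; on a live host the same rules apply to the output of a registry/file-event export, with the hive prefix telling you whether the infection ran elevated.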
Sets desktop wallpaper using registry (2 TTPs, 3 IoCs)
Set value (str)  \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"  (Locker.exe)
Set value (str)  \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"  (e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe)
Set value (str)  \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg"  (1c174b145c8e4091a5774f9441cbf620.exe)
Two of the dropped executables point the wallpaper at a wl.jpg written to the user's Temp directory; the third sets it back to the stock Windows image img0.jpg.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 58 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All 58 entries are attributed to explorer.exe, not to the sample or any of its dropped executables, so on this page they read as shell activity rather than evidence of an anti-sandbox check by the malware. Every key below sits under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\.

Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  (explorer.exe, 14 entries)
  Key opened: the device key itself; Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C; Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064; Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A; Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009; Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A; Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004; Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003; Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A; Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  Key value queried: Capabilities; ConfigFlags; FriendlyName; HardwareID

CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001  (explorer.exe, 15 entries)
  Key opened: the device key itself; Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C; Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064; Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A; Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009; Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A; Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002; Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004; Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011; Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002; Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A; Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  Key value queried: Capabilities; FriendlyName; HardwareID

CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002  (explorer.exe, 15 entries)
  Key opened: the device key itself; Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C; Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064; Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A; Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009; Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A; Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002; Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004; Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011; Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002; Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A; Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  Key value queried: Capabilities; FriendlyName; HardwareID

CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000  (explorer.exe, 14 entries)
  Key opened: the device key itself; Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C; Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064; Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A; Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009; Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A; Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004; Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003; Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A; Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  Key value queried: Capabilities; ConfigFlags; FriendlyName; HardwareID
Enumerates system info in registry (2 TTPs, 15 IoCs)
All 15 rows are attributed to Windows components (SearchHost.exe and msedge.exe), not to the sample or its dropped executables.
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (SearchHost.exe, 6 times)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (SearchHost.exe, 6 times)
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (msedge.exe)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (msedge.exe)
Kills process with taskkill (3 IoCs)
pid 3724  TASKKILL.exe
pid 4460  TASKKILL.exe
pid 3376  taskkill.exe
Modifies Control Panel (3 IoCs)
Key created  \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop  (Locker.exe)
Key created  \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop  (e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe)
Key created  \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop  (1c174b145c8e4091a5774f9441cbf620.exe)
(signature heading missing from the page; 6 IoCs)
Key created  \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU  (SearchHost.exe, 6 times)
Modifies registry class (64 IoCs)
In the rows below, <UserClasses> stands for \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings, and <CBS> for <UserClasses>\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy. Apart from WScript.exe and the dropped 5d71b00b8a674bc4bb44882ec07efcce.exe, every row shown is attributed to a Windows shell process (SearchHost.exe, explorer.exe, StartMenuExperienceHost.exe).
Set value (str)  <CBS>\Internet Settings\Cache\Content\CachePrefix  (SearchHost.exe)
Key created  <CBS>\Internet Explorer\DOMStorage\www.bing.com  (SearchHost.exe)
Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4280069375-290121026-380765049-1000\{B1635794-0AC2-46FA-B5C6-72018B3A1A29}  (WScript.exe)
Key created  <CBS>\Internet Explorer\EdpDomStorage  (SearchHost.exe)
Set value (str)  <CBS>\Internet Settings\Cache\History\CachePrefix = "Visited:"  (SearchHost.exe)
Key created  <CBS>\Internet Explorer\EdpDomStorage\Total  (SearchHost.exe)
Key created  <UserClasses>  (5d71b00b8a674bc4bb44882ec07efcce.exe)
Key created  <CBS>\Internet Explorer\EdpDomStorage  (SearchHost.exe)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\  (explorer.exe)
Key created  <UserClasses>\Software\Microsoft\Windows\CurrentVersion\TrayNotify  (explorer.exe)
Set value (str)  <CBS>\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"  (SearchHost.exe)
Key created  <CBS>\Internet Explorer\DomStorageState  (SearchHost.exe)
Key created  <UserClasses>\MuiCache  (StartMenuExperienceHost.exe)
Key created  <CBS>\Internet Explorer\EdpDomStorage\www.bing.com  (SearchHost.exe)
Set value (str)  <CBS>\Internet Settings\Cache\Content\CachePrefix  (SearchHost.exe)
Set value (data)  <UserClasses>\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 1400000007000000010001000500000014000000 50003a005c0048006600720065006600... (binary value several KB long, cut off in the page before the process column; this is Explorer's notification-area icon cache, whose UTF-16 strings are stored ROT13-encoded: the first path decodes to C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe and a later one to {F38BF404-1D43-42F2-9305-67DE0B28FC23}\explorer.exe)
00000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[binary value omitted] explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1042" SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings Ention.exe
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4280069375-290121026-380765049-1000\{C29CF54E-15CF-43F0-8C4F-6A342F44E7F2} explorer.exe
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache SearchHost.exe
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = [binary value omitted] explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings Ention.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com SearchHost.exe
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com SearchHost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1042" SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000 explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1042" SearchHost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid Process 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 1412 New Client.exe 244 explorer.exe 244 explorer.exe 1756 msedge.exe 1756 msedge.exe 1444 msedge.exe 1444 msedge.exe 1892 msedge.exe 1892 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1412 New Client.exe 244 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1412 New Client.exe Token: SeDebugPrivilege 4460 TASKKILL.exe Token: SeDebugPrivilege 3724 TASKKILL.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe 
Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe Token: SeIncBasePriorityPrivilege 1412 New Client.exe Token: 33 1412 New Client.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1384 sihost.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe 244 explorer.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 244 explorer.exe 3876 SearchHost.exe 3372 StartMenuExperienceHost.exe 244 explorer.exe 4992 SearchHost.exe 2724 SearchHost.exe 1932 SearchHost.exe 1148 SearchHost.exe 1096 SearchHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1412 wrote to memory of 3724 | 1412 | New Client.exe | 76
PID 1412 wrote to memory of 3724 | 1412 | New Client.exe | 76
PID 1412 wrote to memory of 4460 | 1412 | New Client.exe | 79
PID 1412 wrote to memory of 4460 | 1412 | New Client.exe | 79
PID 1412 wrote to memory of 3376 | 1412 | New Client.exe | 81
PID 1412 wrote to memory of 3376 | 1412 | New Client.exe | 81
PID 1384 wrote to memory of 244 | 1384 | sihost.exe | 88
PID 1384 wrote to memory of 244 | 1384 | sihost.exe | 88
PID 1412 wrote to memory of 4436 | 1412 | New Client.exe | 135
PID 1412 wrote to memory of 4436 | 1412 | New Client.exe | 135
PID 1412 wrote to memory of 4436 | 1412 | New Client.exe | 135
PID 4436 wrote to memory of 1856 | 4436 | 68e808a32a7445e081481e1a576a6eea.exe | 136
PID 4436 wrote to memory of 1856 | 4436 | 68e808a32a7445e081481e1a576a6eea.exe | 136
PID 4436 wrote to memory of 1856 | 4436 | 68e808a32a7445e081481e1a576a6eea.exe | 136
PID 4436 wrote to memory of 4124 | 4436 | 68e808a32a7445e081481e1a576a6eea.exe | 137
PID 4436 wrote to memory of 4124 | 4436 | 68e808a32a7445e081481e1a576a6eea.exe | 137
PID 4436 wrote to memory of 4124 | 4436 | 68e808a32a7445e081481e1a576a6eea.exe | 137
PID 1856 wrote to memory of 876 | 1856 | Ention.exe | 138
PID 1856 wrote to memory of 876 | 1856 | Ention.exe | 138
PID 1856 wrote to memory of 876 | 1856 | Ention.exe | 138
PID 1412 wrote to memory of 4972 | 1412 | New Client.exe | 140
PID 1412 wrote to memory of 4972 | 1412 | New Client.exe | 140
PID 1412 wrote to memory of 4972 | 1412 | New Client.exe | 140
PID 4972 wrote to memory of 1536 | 4972 | fe70bfde50bf46b298d0a63350d2cf4f.exe | 141
PID 4972 wrote to memory of 1536 | 4972 | fe70bfde50bf46b298d0a63350d2cf4f.exe | 141
PID 4972 wrote to memory of 1536 | 4972 | fe70bfde50bf46b298d0a63350d2cf4f.exe | 141
PID 1536 wrote to memory of 4492 | 1536 | Ention.exe | 142
PID 1536 wrote to memory of 4492 | 1536 | Ention.exe | 142
PID 1536 wrote to memory of 4492 | 1536 | Ention.exe | 142
PID 1412 wrote to memory of 4696 | 1412 | New Client.exe | 143
PID 1412 wrote to memory of 4696 | 1412 | New Client.exe | 143
PID 1412 wrote to memory of 4696 | 1412 | New Client.exe | 143
PID 1412 wrote to memory of 4872 | 1412 | New Client.exe | 144
PID 1412 wrote to memory of 4872 | 1412 | New Client.exe | 144
PID 1412 wrote to memory of 4872 | 1412 | New Client.exe | 144
PID 1412 wrote to memory of 760 | 1412 | New Client.exe | 146
PID 1412 wrote to memory of 760 | 1412 | New Client.exe | 146
PID 1412 wrote to memory of 3656 | 1412 | New Client.exe | 147
PID 1412 wrote to memory of 3656 | 1412 | New Client.exe | 147
PID 1412 wrote to memory of 3656 | 1412 | New Client.exe | 147
PID 3656 wrote to memory of 2712 | 3656 | 5d71b00b8a674bc4bb44882ec07efcce.exe | 148
PID 3656 wrote to memory of 2712 | 3656 | 5d71b00b8a674bc4bb44882ec07efcce.exe | 148
PID 3656 wrote to memory of 2712 | 3656 | 5d71b00b8a674bc4bb44882ec07efcce.exe | 148
PID 1412 wrote to memory of 3664 | 1412 | New Client.exe | 151
PID 1412 wrote to memory of 3664 | 1412 | New Client.exe | 151
PID 1412 wrote to memory of 3664 | 1412 | New Client.exe | 151
PID 3664 wrote to memory of 3104 | 3664 | aa99e63a512a4219a7e849a1b04a46b1.exe | 152
PID 3664 wrote to memory of 3104 | 3664 | aa99e63a512a4219a7e849a1b04a46b1.exe | 152
PID 3104 wrote to memory of 1444 | 3104 | cmd.exe | 156
PID 3104 wrote to memory of 1444 | 3104 | cmd.exe | 156
PID 1444 wrote to memory of 4452 | 1444 | msedge.exe | 157
PID 1444 wrote to memory of 4452 | 1444 | msedge.exe | 157
PID 1444 wrote to memory of 4856 | 1444 | msedge.exe | 160
PID 1444 wrote to memory of 4856 | 1444 | msedge.exe | 160
PID 1444 wrote to memory of 4856 | 1444 | msedge.exe | 160
PID 1444 wrote to memory of 4856 | 1444 | msedge.exe | 160
PID 1444 wrote to memory of 4856 | 1444 | msedge.exe | 160
PID 1444 wrote to memory of 4856 | 1444 | msedge.exe | 160
PID 1444 wrote to memory of 4856 | 1444 | msedge.exe | 160
PID 1444 wrote to memory of 4856 | 1444 | msedge.exe | 160
PID 1444 wrote to memory of 4856 | 1444 | msedge.exe | 160
PID 1444 wrote to memory of 4856 | 1444 | msedge.exe | 160
PID 1444 wrote to memory of 4856 | 1444 | msedge.exe | 160
PID 1444 wrote to memory of 4856 | 1444 | msedge.exe | 160
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\New Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  PID: 1412
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\TASKKILL.exe
      Command line: TASKKILL /F /IM wscript.exe
      PID: 3724
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\TASKKILL.exe
      Command line: TASKKILL /F /IM cmd.exe
      PID: 4460
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\taskkill.exe
      Command line: taskkill /f im explorer.exe
      PID: 3376
      - Kills process with taskkill

    C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe"
      PID: 4436
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Ention.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Ention.exe"
          PID: 1856
          - Executes dropped EXE
          - Modifies registry class
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\NOTEPAD.EXE
              Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt
              PID: 876

        C:\Users\Admin\AppData\Local\Temp\Locker.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Locker.exe"
          PID: 4124
          - Executes dropped EXE
          - Enumerates connected drives
          - Sets desktop wallpaper using registry
          - Modifies Control Panel

    C:\Users\Admin\AppData\Local\Temp\fe70bfde50bf46b298d0a63350d2cf4f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fe70bfde50bf46b298d0a63350d2cf4f.exe"
      PID: 4972
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Ention.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Ention.exe"
          PID: 1536
          - Executes dropped EXE
          - Modifies registry class
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\NOTEPAD.EXE
              Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt
              PID: 4492

    C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe"
      PID: 4696
      - Executes dropped EXE
      - Enumerates connected drives
      - Sets desktop wallpaper using registry
      - Modifies Control Panel

    C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe"
      PID: 4872
      - Executes dropped EXE
      - Enumerates connected drives
      - Sets desktop wallpaper using registry
      - Modifies Control Panel

    C:\Users\Admin\AppData\Local\Temp\7ae6b7a89ffa41948a832202917a02fd.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7ae6b7a89ffa41948a832202917a02fd.exe"
      PID: 760
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe"
      PID: 3656
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"
          PID: 2712
          - Enumerates connected drives
          - Modifies registry class

    C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe"
      PID: 3664
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A2F3.tmp\A2F4.tmp\A2F5.bat C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe"
          PID: 3104
          - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/lFwy2c-5Rwg
              PID: 1444
              - Enumerates system info in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffff6c23cb8,0x7ffff6c23cc8,0x7ffff6c23cd8
                  PID: 4452

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
                  PID: 680

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
                  PID: 1756
                  - Suspicious behavior: EnumeratesProcesses

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
                  PID: 4856

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
                  PID: 4756

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
                  PID: 996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:15⤵PID:4680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:15⤵PID:1472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4036 /prefetch:85⤵PID:4500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:15⤵PID:1360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:15⤵PID:2680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892
-
-
-
-
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:244
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3876
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3372
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4992
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2724
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1932
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1148
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1096
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004D01⤵PID:124
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4468
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:560
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:224
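Two chains in the tree above are the ones worth pulling out automatically: a Temp-resident executable (PID 3656) running loll.VBS out of a RarSFX0 directory through WScript.exe, and a second Temp executable (PID 3664) running a batch file staged under nested .tmp directories via cmd.exe, which then opens Edge on a YouTube URL. Two details of those lines say more than the signature bullets do: WScript's command line names System32 but the binary that ran sits in SysWOW64, which is WoW64 file-system redirection acting on a 32-bit parent, and cmd.exe was reached through the \sysnative\ alias, which only exists for 32-bit processes. The Python below is an added example, not code from the sandbox or this report. It rebuilds the parent/child links from the level digit, then applies four rules. The records are transcribed from the tree (the level-1 root that launched the two Temp executables lies outside this excerpt, so they have no parent here); the rule names, and the reading of the nested .tmp batch layout as a batch-to-exe wrapper, are the editor's own.

```python
"""Rebuild parent/child links from the flattened process list above and flag
the chains that matter. Added example; not sandbox or report code."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    depth: int          # the level digit shown before the arrow in the raw tree
    image: str          # executable that actually ran
    cmdline: str        # command line as passed by the parent
    pid: int
    parent: "Proc | None" = None


@dataclass
class Finding:
    rule: str
    pid: int
    chain: str          # child <- parent <- grandparent ...
    detail: str


# (depth, image, command line, PID) transcribed from the tree above. The level-1
# root that launched the two Temp executables lies outside this excerpt.
RECORDS = [
    (2, r"C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe"', 3656),
    (3, r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"', 2712),
    (2, r"C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe"', 3664),
    (3, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A2F3.tmp\A2F4.tmp\A2F5.bat '
     r'C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe"', 3104),
    (4, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/lFwy2c-5Rwg',
     1444),
    (1, r"C:\Windows\system32\sihost.exe", "sihost.exe", 1384),
    (2, r"C:\Windows\explorer.exe", "explorer.exe /LOADSAVEDWINDOWS", 244),
]

TEMP = "\\appdata\\local\\temp\\"


def build_tree(records):
    procs, stack = [], []          # stack[i] = latest process seen at depth i+1
    for depth, image, cmdline, pid in records:
        p = Proc(depth, image, cmdline, pid)
        del stack[depth - 1:]      # we have left the previous subtree
        while len(stack) < depth - 1:
            stack.append(None)     # ancestor not present in the excerpt
        p.parent = stack[depth - 2] if depth > 1 else None
        stack.append(p)
        procs.append(p)
    return procs


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_temp(path):
    return TEMP in path.lower()


def ancestors(p):
    while p.parent is not None:
        p = p.parent
        yield p


def chain(p):
    return " <- ".join(f"{basename(q.image)}({q.pid})" for q in [p, *ancestors(p)])


def analyze(records=RECORDS):
    findings = []
    for p in build_tree(records):
        img, cmd = basename(p.image), p.cmdline.lower()
        # 1. script host started by an executable running out of %TEMP%
        if (img in ("wscript.exe", "cscript.exe") and p.parent is not None
                and in_temp(p.parent.image) and re.search(r"\.(vbs|vbe|js|jse|wsf)\b", cmd)):
            findings.append(Finding("script_host_from_temp", p.pid, chain(p), p.cmdline))
        # 2. 32-bit parent: it asked for System32 but WoW64 redirection ran the SysWOW64
        #    copy, or it used the \sysnative\ alias (only visible to 32-bit code) to avoid that
        if ("\\syswow64\\" in p.image.lower() and "\\system32\\" in cmd) or "\\sysnative\\" in cmd:
            findings.append(Finding("32bit_parent", p.pid, chain(p), p.image))
        # 3. cmd.exe /c on a .bat staged under nested *.tmp directories in %TEMP%
        if img == "cmd.exe" and "/c" in cmd and re.search(r"\\temp\\\S*\.tmp\\\S*\.bat\b", cmd):
            findings.append(Finding("bat_from_nested_tmp", p.pid, chain(p), p.cmdline))
        # 4. browser opened on a URL by a chain that starts in %TEMP% (decoy / lure)
        m = re.search(r"--single-argument\s+(https?://\S+)", p.cmdline, re.I)
        if img == "msedge.exe" and m and any(in_temp(a.image) for a in ancestors(p)):
            findings.append(Finding("browser_lure", p.pid, chain(p), m.group(1)))
    return findings


if __name__ == "__main__":
    for f in analyze():
        print(f"{f.rule:22} pid={f.pid:<5} {f.chain}\n{'':28}{f.detail}")
```

The depth-stack reconstruction is the part that carries over to other flattened exports: any list that records nesting as a number can be turned back into a tree the same way, and padding missing ancestors with None keeps the rules working on an excerpt like this one.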
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
152B
MD5ded21ddc295846e2b00e1fd766c807db
SHA1497eb7c9c09cb2a247b4a3663ce808869872b410
SHA25626025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305
SHA512ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db
-
Filesize
152B
MD5a0407c5de270b9ae0ceee6cb9b61bbf1
SHA1fb2bb8184c1b8e680bf873e5537e1260f057751e
SHA256a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd
SHA51265162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136
-
Filesize
6KB
MD58ee442ad0a89e71ba1b03dfc9770420d
SHA173622156b12f67e42b38b08d5af1419e4c5076c0
SHA256d1d3c32546a06ef36a4317a11a8b5b8a1034063bf1d9ea4735abfb9702740b14
SHA5125745a6d5cd88a2b3a28567fa82312918690b2c96a64f2c91e2bff6100509508762722858633c31c232c4432aa28c0bf70d09ac5917ad12f49c6ed05313fb1f24
-
Filesize
6KB
MD5cd79a83128ab5b0c9dee0754423457d3
SHA1352845a4f929788d9b045cfd8ef03fe93595c4a0
SHA25619494da60cdd103a2e4c05d105825f6212b6245471d23e9b12ee5382b52f687a
SHA5121cecae15a3b2c3873169501fdee924c0689f15e2c99626f6fbd026af82e25a5c5155599543536a33a0f032ffe210ff0d1a581e5e62de59244e6e2989763fc71d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize146B
MD57907f093288ffc648b36ec2ca2243c50
SHA1d55929ed899e90c710bd395bfcb5cf2679275dfa
SHA25693a80995599d5798cc8959005531e2fe945d1f7ab8068d85b34c32087c3fb2dc
SHA51270eb903ba7d0f02d55da67207d02c23cb204ed4c87dbd2d202546c38f572793874b5e782fce6770c5e03cd5f016d09ef1df32da3c4ff05f2adf72c9db5b789b3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize82B
MD52140e6f8b3fdd96e7dd0335e245b3be1
SHA19e60c19d3bb2291ab66da03144ad6eb9c2349509
SHA256583a8a51cf921a87d398d58663a9a7cdb45951b38afd1f89a2640940b21a1440
SHA5125b2cb9dd7e4b90fb2576f42a8c1b03e43f94c8fc8cb0820d0161ea407ae9db0e76351f4fd73630cb6a38a604dfe7a8871245b509932aa2e0dffaa86ba2c0ff7b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe72adc1.TMP
Filesize89B
MD5c8a53e178fd411858b7eb6c4d978e0ef
SHA1f2fd90744d49f68d11219bdce3546095f02e7138
SHA256872de3ade2da941fa404f099421202dfa7bdc55df94d514ce70b55079c84c4b5
SHA5122b7d1187129c4e013e428bb26bbab2dbc76d99fcdc6f24cb746c1bb5a013c6d42ff67d5c4ba6ed9923a1b1ea4465734ea58ecacaad848751dc464b539885aea1
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD5482ea82ba186de352788bb92a5a2b8d1
SHA148d4d3097f0cfc401bf6fbc312032c5919f21027
SHA256c8cfc19e73653b63d2998ff132e0811502f7b5b700a75453a0327db36c8034e1
SHA5126e591f0fe7e4d59e77f64a5ad9cdff150aacc4dea1ff94cd027e0f4f8482316336713c7c3adadb7eba74e98f5c2f1a1f0a91cd380f99955112fc91ef10f738c5
-
Filesize
896KB
MD50989cb3ecc0b3d1d6a5f57270ddf6d91
SHA1f451e756c6b6b6e8e82d2439450c5c6de50f4046
SHA256d8974f13e71a5cf5b893e271b1b2e23b75e0a7da7fc050439790231b303aa80e
SHA5129abbc34b5384c494c3367bb5942d590acb594c7bbd45c623bf17594a0121e0c35b5800aef5fe7eaaf7c1765e9fa97effe6f402bffeea8c152b66369f3a7e95a4
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
653KB
MD5c29e84272de123ac2cae92bf8210d95b
SHA11b60b8f5430707ca08d806e5739553cd6cfccf89
SHA25642c145d05f5a3d20a4df748d488e32f986ef0bbd370dd086b6f431e00a5efb14
SHA512055aebf709f23647783f034913fd61721649ceddcc1357b4bd34ecd446b059f27c57a16392943000d7f2152cdec51043d11910fae1dd002f043f300d9724ee6e
-
Filesize
417KB
MD5ce016dac7becf882e7f17190457ee568
SHA1f2b1262fa3f78de8cc88062a36e98ce4e50e8967
SHA256c0a140b3a484617da0127159e7cce955d6749019dffaae2e1c3b0ed65ad8b9b4
SHA512007775b3a61cee71c30f40f274714b7fc86704904ea0b587649e19638718a9f13fd9e1491dd6eb0688c00d9cc03806c60594adcf52687e681918fb4cd14a7a8c
-
Filesize
6.2MB
MD53afdd7b7018fff0ff6c7d378ddc641d6
SHA12915697b0e41ec983e489166152cdddf8a13a5f7
SHA2569755b75a23a85e19954802f757b2f86e5dde5bd661e7dbed2141d89090da924e
SHA51204435208aa767888c296d007ba25711f5d21d2edc38a6c3271ad8b10d33516f67b04c60f579a5ad48ef34fa09e380b7cd2b0d9959591875b1aae14efb118fed4
-
Filesize
6.3MB
MD5828a19452ab8427212994c558b37b93c
SHA15847b4491f6ef4bbcf1a49b305a7403ce27cb4ba
SHA256259addf9bc00c8ba891377c977a764b9a57422b8d803b41be0d431013fc46ce0
SHA512194e48403a1898656916ccb87cb71c9201d212ef6adc49f255f73982e69d9c4f47fbce5ed67484589e58bfb7f5256c55271fb65d9ebc257bc733c10424883147
-
Filesize
3.0MB
MD5f5b8df2da0ed3f5a9b1ab5be3e101c1b
SHA1d5c5b56640f184c632182113f4131986964ff298
SHA2561dc93a7e26d97c3ab84b04b4523aafcc7128808d2317899b7042df9121a175d7
SHA5123133246462d2b766ffa3430f14e4b83399cfdc681caa4d8813aebcbff59633ea201cbb584d38156d40d6c837dce85e98f046c13327f8141ae3141c2a3380759e
-
Filesize
1.8MB
MD5cd28d0784df50ad12f23fb01318b919c
SHA1656410308828cbc9b166c83202b4e0694f4d0afb
SHA256de6565f29a91aa40f8c6b52f8a3310299a9156691333297170f4c54dbecaa6ca
SHA512ef525394228ca56e10140317808ffe8245ab8c8552b84f8b7af2728202765900e6948ea4a7e006e9aacae2e1d4ff175af03c4e02a1a4dfe26d6947a462d62290
-
Filesize
1.6MB
MD50c76b107535a2013e87dc31afad8d6d0
SHA1e07360cba00b326173c0eff2f3fbb8504b34aabf
SHA256e11a7fa7fd54c5a494066c77ac66dd85937fd8bad4e8ed5722cb04a05d5e84e6
SHA512f93a13eac5d287a16bc9867a541441f742436f317b800d4ded9ba725f6c08f8e015e65127f0e3ec02a329c15df2f5a24aee313c049a203ed2ea011b0bc301c6d
-
Filesize
3.2MB
MD57268bf6d84c3154d1b413cb72acbefed
SHA118556d0b812bcacb65c710a519f480539bba9bf1
SHA256c7d66a8f9672bafaefd09e92e3167d7caac525634e08b0cb63a861417cad5e45
SHA5126b624d834f54ef888e309de86caad418516f01e143de626e4bf825eecfb863addf4d697afc8020517785d47e915fea81a94b2fe0551c6ad37131b2d0e150d169
-
Filesize
1.3MB
MD5646d281a28b314a9f5a4e76fe3330941
SHA1e2c8506fef6c3455ae2228955ba8d19ce0f8f018
SHA256eecb93b566d7d66fa01085b9c5b5c67ccd2417274a77b912268f4cd958fcb27f
SHA512e831e8f1cae81e21a1640db03f02ecca0b22dd4173b2084fbd6aff3dc967a9029e6504a80e19e6365b489726cda68766c67f9484a70bd8fb85078ff0140547e8
-
Filesize
793KB
MD5a83185ef7c03bfe0e0fbe10098876a34
SHA1b166fed95e9bcc9f8b0ac4deafa9c45c21e91d0d
SHA2567a923db27ae488a02e77242b1bbceb9a64898b9c2d085372a5ef5fca06b2a4be
SHA512283e698b326d044480c49351531249ab9ed3a851c1d2c4a36c87fc5ecbaf2771af58f39cc0fc1551d08a4674ad766a3d4b96b6ee6ca1e6e967727f320f599f4c
-
Filesize
86KB
MD5dd15af9b32ea193e0c82887e4601f2a7
SHA1bab37b838bc1d858906f1ddc66c5d1168320d192
SHA2567189f55b3d5153bd190991dc5e3349755e300fd20b0e52a34e57579e20308888
SHA512f51542a4f6ae0d92cfe18afe4ff64c4961e04e24f2fa88da1adcaeebae28928c63e3d33e975fd413608fd3d03c5111340dbd8c4ff6a721e72154f5b7c5a54688
-
Filesize
138KB
MD57c30424c525cb64760083e066ca1f77d
SHA169c369028e3db4fe5c2fbc69cbd837d66496c480
SHA256b75685e5fe51601632066ae2cb162738b340c9873f3b30cd4eb0b6f80cc27643
SHA51259d726222ffc846ada2e7c6d040e0f0114e2cb92e72f81f23489aa6681b07a1c8cfceb7e81f9b7d7678d33b313302d9cf39c345d862e43f2768e145df14ef8df
-
Filesize
331B
MD5e7cf6700045181cb6889772d0d915586
SHA1ec2478210baee9d7e7ac72d43b66ce642ffc4147
SHA2563f93a8b1cdb1a748236e3d4230bd856abefa8d3660b691de89c5fc4e249a0fed
SHA51279f764665cabbba8cf707b6af065c92c3a91ee8f393c6bfe121db64e8fc446aef39bbd8d47efea20c948d907454bde6b1deefba3ef3fb847ec3452bf136a3352
-
Filesize
150KB
MD5d67497594cb09cedab2d8c6e48c1373e
SHA1cc75282c4d85bba3e6b350b27b71cdbfbf8d027d
SHA256b31d23ec950a037f524b951726cf597b1f41a40ea9063bf63c41e3161367ec00
SHA5123b6eb0ecda5ea35dfed5d60f4f39314c749034e2288910867071b07a0a48a8e21aeedd6c0dec815f68b7b098fdff947a0f8e9618bbca4ed91e47ce2630dd62a8
-
Filesize
675KB
MD577bd9d03bff5e45b63b0fe8d428115e6
SHA1a4ed79561583bd39535e80ea9ef4a3843f411f61
SHA25654ca08a589509219e065d2d6dfff9436f84595a914d7e8aa9c803def6eb2f248
SHA512ad35f3f2f352843af48778b443b0cdf175b19bdf645349439be00764cab62b291ff6a2373e4c6dd96ec1026cb9c842c0de922a53bc0a022532ed0fa3812ee4be
-
Filesize
602KB
MD50fd455907a9c76cc4fe4e791efe0a6b6
SHA138dbc79321049455a46185229e0e2b9ec14c1d10
SHA2568d6027903c2fba80bd65c5424f462dd7ecee45ebbcfe538c926d55fb8a716ec5
SHA512cfa2c5a921c4638fde0ae2a7ffe9ac6ba81d2c1f8f555f8308b15b3289f53bb419a8a4561024b04b426139d168214ceb57e2eb98377a814d7e083fcf277c2a9b
-
Filesize
307KB
MD5f701760ec90edfe061bec6b7f6b194d1
SHA14740a4d2da2edce55d058488168bf38266b844ed
SHA256de7c9385ff241607e006020ef9c63239bc026fd2851f77e420495a9201dceda4
SHA5125902a82e9368bbd942bb1e31ef3962373a3f165159db05d952eb8786e201258738d0f27395f78d8bed7e2c2084be57c84762ca7b8113630ff52e784ff0c94de8
-
Filesize
872KB
MD5a31f9dff496dd23d7d695ada11399afe
SHA1f0a201fe30d8eb782d5204dae49cc8ca71dc25e6
SHA2563e3a499a9f801736f7ecae871e8113f17a92d5252c13b983fceefa9d1ffc9139
SHA5124fb554bf2a5b05b52d4cc7a1e2e501cde00baf74e23fabbbb0bd4b7de025d04a521431904b80081e46d475cb6ee11de1d2232f447e8ac473bdc6e800ae639f2c
-
Filesize
380KB
MD5baaf851fc4b466499287fd1b20ef7b89
SHA18e5c64ac548d1f356b76bd5fe331dc1f835f5b53
SHA256b5a3f916172b0d3a20a9abd7be7fd78a6bf11891f2d31a5897f58b9b343b3f58
SHA5121af3fb9955cd57bf0bf91d85d4c33f5c66a1822e696384e44c65d02fbb289328b3202ec39551749b4db06bbb229431c44a1424d57f7d291cb917c660ecd31a25
-
Filesize
724KB
MD5accb062917e69c7a2cc608e3361ae0a2
SHA16dffdc9a99179b9e95ba3bbb22fabd299001aa4f
SHA256b344780854ba6907a5bb21b3117c441e9258b9a7c5a3f79b540a03617c34c308
SHA51203dda1b4361467d149c053072372ee10f2e3ef1fdb109094fbc84421a5b6367f3f4bde64b41e330f9332d37f2801a236652300860750d227891b87b6e4bc1caa
-
Filesize
577KB
MD59d509fe6f9954feb73d27d7bff056c5f
SHA1ac7e7a1308719a7a09a1e7897c269c66e3a1d502
SHA2568ac7978338eb3109a6cd63a687dbab295972f1a6a122f1dc6a4c31e89effc158
SHA512f666e5038049746158e0237c83121e465212db5cdaf4abe89149aaf5f770eccb4463fdafba8ae5cc92499a28a682c160a6c76b0e3c6f2270aada54c9be67208c
-
Filesize
454KB
MD541c5b5ec41003bb5a8224b8ccf36fe3d
SHA1056af3f2ffdead5da637e296c7b0c61f898e80b4
SHA25659044e1113d952903407a90bbf92e9ad14533d34b56dfc249169896e0e7e1ca6
SHA51238fd879050f40531f55acebf91ea85b869fca29a5810725190e764bc0efdb5760628b7b417210c0658d9e9adf89ee9ce864b49c27dc8e2ff5d4488d353811f0a
-
Filesize
1.2MB
MD5b9216c57402f56deb49291e0c2725d03
SHA1c83c0d347da6b3b23174b1566b9b7a00a2279b36
SHA2561a5fc83842ceee219e4b0f1dbf497d29728547beb370525cbf144bedbf8f2e80
SHA512851bdfade2b9d1f507babe5a13f39ef851a66d0ac9fed9b14abd97b5a7c7a6085a301d9e194c6ec9fe8ca0f37e7f61174034e62222421b6a7dff5d671c7cdaf6
-
Filesize
749KB
MD57f6bc4ff4ee8f7faf06e6ec44d7e860e
SHA1b27eb7698f3c126315f3a168e49e8774da0e4ee5
SHA256aa6166002474c85f55070d2a97c05b547993596c280be2cc4dc3f609ccbc8da9
SHA5129c68e3ce240e74405544b1b555e36e1e52ef2171aa8f9eccd7fdd7d5f2914ccb24209baf90939214849fb53904bc7d75562fc7fc4fad91176816bd3b1d86e411
-
Filesize
798KB
MD50913b73cf9d1d07b1e11877fc38691df
SHA17ff7beb4724bbe00f2de76388bf982c30e9439e4
SHA2564acea9c97fdcae845180b769896f25a154cebcfbe69cce227f91295a864a8db3
SHA5122b58a7152d7409d852b61bce7ac2b49d624a25bf205389391b629ed1c13e6c95029971b8adcc44c75cd4e20a867d30d1ce62fb1bab7b959c6ead695bb6268424
-
Filesize
700KB
MD5fd598d26ca39aba43877852f80bec7e5
SHA182e34f4440a449f9779abbc28b126999d874faac
SHA256c7adb6d33fc5d38c5085b843e86e43d5b6469714f313814ed555e604c58477cf
SHA512e0349952342b9ea6676dcc347969c80d6c1e612d01956945a35d127f73524961c6ab9f29e9f6a4e37af63498ecea606c22259a2a5f0fa3cfe20b6fda47439be9
-
Filesize
282B
MD59e36cc3537ee9ee1e3b10fa4e761045b
SHA17726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA2564b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA5125f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790
-
Filesize
675KB
MD5304ce3f2572f45a0e434df1e30629390
SHA17b904711783d8dc55aa127782cb7b03a342ad448
SHA2565658b447b7fa34b0c213d58dccda230df309102e247ecbd144a25fc3d0e0543f
SHA512d67d8d58e04ab7f18c200f4160866c0f7caad972a4befcb5ef6d1b2a26c3aa7f57febd74570eba3919d9533f70a739c9f9a50a0a8b9d4c257ef11ffc06d43435
-
Filesize
602KB
MD53ea2833286efbd369f1e33005ed55b08
SHA1cd4f1492934ca93e0a796f76cda9d208c6383ac6
SHA256ed145c8fcf9a84047f5505bf0e756b934637a3d3b7c4bab8eaa3de0f82c13386
SHA512a020583ba1851d7ec88354954a98a2d8511bab7af7b6e96a15a3b00e4a6bf25f6849bc2cda2758befa6fe1cb60db0ec0f6c00b4af3baf1c298930edc25de4f64
-
Filesize
307KB
MD59b05f7a2280aec5fb91076875e9b7992
SHA148d04a66082525594734f583f41b060647f29099
SHA256b3f887ceda81b77717fbef9359ae7f35c748d2f73622bfd6957fc9352a5d6fcb
SHA5120728f62fc837dd2bc0c2adb172c442cd42da9c17d5c20eafbe134f2693f0ad3d6d9a8ffbf2b08afd8b519136baa80e40897d16c8118e214393e3f08bbacd0c16
-
Filesize
872KB
MD580c63d020adfb1be6420e7253b8a362b
SHA101fad96ca235f37e3f5f66f7f542843c3fa90d09
SHA256e9130a83b3c94a0db9341c6cb8a90a8fb960f0a07ead3f9f73f27e5dbffb0378
SHA512de48bf960bcd2b47c59d7a5eb22b99e09dd0101d0014fb74a831ff4fc9d6718565f041bbeb55ddce78fd23ec499e2eb87f84aee0edea662f16e016343796a192
-
Filesize
380KB
MD5b48d718275a9b456113a71b841fc7b87
SHA15cb114f5ebb9f4474c145593fde2f05b47568c9a
SHA2566721a1cc23ccc6e24e5e2a94da4482ae3151550fe3ea880554e24733bf1e5694
SHA5129a22f9106b43549ef9e34acf9fa599e0e9d3156e47f8b14da419d57241ea80aedd4698ad6b9ae9b85f6bf90f0f016873efd223fd73b2edb834403866b0a5870f
-
Filesize
725KB
MD557aaa626ec1d2e97e8bd14b43da54e0e
SHA1c328bf23a7f06459daa6a155355a0024d9bb70f6
SHA256cc691c4ddb7ced95dc882e46f0a53568a6c1e0e24745ec4f20353ac498eafcaa
SHA512e3cabd5baacb9caa394af0a78c7a129d4882a5d0b4435568c1798738949cb8789186f6700eb35ebcde3995048333c5fda21b052515826b70e22598b467bc0fb7
-
Filesize
577KB
MD5d3748509ce2abd49890a306f8b31216a
SHA13e5a1821fa97e2fa8c1eea75625885117f58efb9
SHA256a96d8bb33a69db65ec91f962aa1278585d7cd39b87fa09acce639bbddee8a498
SHA5122bd9987b02324aa764fda74c8d813fe9662b235b0f8fb7cbf0f64d4739303d790e4097dfaeaf0a8c0d355d58a15a58acd7255e8c91f4e3d6bd9bf3330ae95570
-
Filesize
454KB
MD57a9a2e2d76281d41d895cf9baa65cc7a
SHA10716d2d15b7650724eaacfcfce1691d45629639e
SHA25607ab68dc73d0b771cf9fbcb05daaf3bde35baf3498cd18e5fe2fc0b3316f90c7
SHA512a153c5d3f19ea3ded89dc1e6c2b89470d806ac62d36154cedb5fb2fe827a292aa9f61a28fc860602a9907a3a3b472b2fc75047cdfaad21334c24c2aef6a40be8
-
Filesize
1.2MB
MD5f2332b52537cb769bc41902453cabfa0
SHA11a2754ad7212affc541b0c90794bf0fb58b4a51d
SHA2565863f4971ba107664a084ab965803c46a5bee9882d32f796e2d6e13a0e885f07
SHA512dd262c2f3c086150f7c0fc6c677662639b4d8726abc480948efed24e954ed39b6980ec721512048357b8c6882144917bef66a00a955e32d1076248037ff3dd97
-
Filesize
749KB
MD5625949adb77b0d04efb98473a8c78b2c
SHA1764c299e669360c548911b25eb3c928f71cb861f
SHA2563a604315a21d966703a749513cbfe94660f9a9ff7e809d37550462ff0af986ce
SHA5123cbdc32edc0a93b878e37b040d6d00418066620b50cb446afb7014e5bbd981386be344417615e1f1ee17e68544b8545ed4314df520c62aa90bd7b93e986d88f0
-
Filesize
798KB
MD556d58f024e1da31635efe75d51b48cbf
SHA1bdc549457c99b244135e6eb7ddf9ce0ba13f0035
SHA2567334effd9f09615a5a9bf7b563bddfa40223cc8092f974ac897ef6a580960844
SHA512c5fead71f0755e6c63464f34b6b1a86d0886a27d8814b81b35ff0f3180b06b6bb3c6c8023aa1ae121ec21aaad554602c50c0e2ffeb40fac768ff76179435c7d0
-
Filesize
700KB
MD5bc079715dac6dbf5150d48b2d68f685a
SHA13652bce306ae15ae8cb109f028f7188935417413
SHA256892bd0e53ad84bf4d8eb30183674d91098527eafd2b06b90d31d4f6a07fcd5c4
SHA512a42b98a186273fc3e35b9e17ba3da7bbda265fa33c081972b708e7938ede1eee27dcfc3dc6a1f51926249d22f6f132c3f61b59b79d45a79b88779bb40f742316
-
Filesize
2KB
MD579c872ac551ad173413b0cb6439a0a42
SHA16eda7d14aba6a97ae22514036feaf32726561dde
SHA2564cdea9096a8c487843ba92e63b483e18e0897b563b2a2f550de039a8e99e8217
SHA512368b4a093253cfe825f8ae9b54825ab7fdb24f904c543170a3b866795df5fd3257efa729477ee12f58c7e875e6ecf9d67a9540abfe87dd60528149ed489df815
-
Filesize
405KB
MD579f743e0f5b7b782ea5221055348ceaa
SHA190c54cc149628ad9d8cb527497d1a5384ec2075c
SHA256f89e28a9a60f6b80d321ccc5ab837a54e8bfea2f969b1e3b60086592d386fc97
SHA512aff4397a414f9376acc6f2764d65695f5fe48f4168739e255da78d1c3e2e0f45c2f1f4336989d92ab8d192cd7678236b9ef01f5d463a5654a352e60f1ae8ce7d
-
Filesize
331KB
MD5f804235f3e88a80c3a2bd8571f0d1cdf
SHA1fa251919147a6671e571ec985e144e6f0f910f79
SHA256cf7c44e0a92464613e07810cb9e82ac50a887f155e8e5b4abf8118e4067d47f9
SHA512f4c634fc07baf5bac0c647881f4fbf7fceee573819f2c7db736abf14eaa5d0ac5463b685fe12952f861dc66879f1686469d1924a9339c5393f66644e2be6cba9
-
Filesize
823KB
MD53f93ac6e5ef3a323452294a9a84973cb
SHA1bd0b52a42e1526f5595a6234cd1a567ba81cc903
SHA2569c8c6af1bd50dd746062d739455708f243952c076d7e22a4832ac5a95bef0091
SHA512f04d8c3a1a1736d45fafdef3f09ddb1d4ce4974eb7d33ba8b53d60f7bdb99892f55836a2fc0609df2ae6f77b28d4933939cb5cd498310a28175d451c3e950eb8
-
Filesize
503KB
MD52cf7ed17a2beb158ea709d49eaa91815
SHA1a35c4592bdc905138632c72638d5631ff54520b0
SHA256d6e186cab8d3b695257de965ae4417cd4deb702652d135e52389034cef40c4db
SHA512b3aad62c8780be405b24f12b17e9df8cb7cd97aad88c8aea5f0652572644b6cfe600f94b7649a353e9190a6975b7b48c66ed93837a0be4cc7343a54fa0d81835
-
Filesize
847KB
MD5d7a60497cba076b075e4f2320df253e6
SHA19e75acdbc727ddf1ed7af3aa8575f72ec08b05b1
SHA256d34550c237d1f0a2023b8ddc178969340c926fba5812afd8e31d25c1d3ec7065
SHA5121cb9cae51abb2d6a711fca6433c7d5446d038cc9f52653c2ede79790569e107c767c89170a3294d5bf3429a3dceeaa1e780f74240875f4c205c2115c784a01fb
-
Filesize
651KB
MD55ecd4362187ad24deaad95da477fa258
SHA19bc0c2f2f19715b38aa2ef7a8f02b646e07bc7d5
SHA25620b4607003e285765b5b3fd525daa2818c56fe30acdd9bd1559a1a63ae085570
SHA51208b5a3e5e3425a62c084ecefe2c5f07e75c13b8de0304791bd87969b3c513b073174f9b5ce35320859d322ba72dc692bf06171cfcb8a318d215e6393555f8858
-
Filesize
479KB
MD5407391c7b5144a071e21e4fd963f9e7a
SHA132e21bdf88e74ceca7a1d031153c10c45d703338
SHA25634e6aadca1b24b3c7ac418eb451aa9677452ed8fed80df2bacc6ef8c28f135f5
SHA512bd3e6819818d9056bcc0fcd611a5f0d7a3e6eb2f83e1701dd24f69c7bd8c8d3d98136b729f168c68e719d6355b682e3711a01000f48840ba536b21f641c31274
-
Filesize
528KB
MD58c97d6b303023c293ea00ebf45e9e66c
SHA13613657ab2dabcd6e9e17f7ed37854cf5db5ab12
SHA256cbd90ab2d92acf4dcab7d69ef729a109ecad0e259cbb30879077f49ec0c661c5
SHA512fdfd6a4dc14d7779aaae0899965159aeedccfb7f7f67df004316e193c442ce10c33def770e9f15679487d4edb967921fcc5e601c607ecb4b9ff0b96d198a3dfc
-
Filesize
430KB
MD54f89ebe74fdd2887bc3f6307553e0c81
SHA1148da7427d142abe8b5543415d44aab5e84cb684
SHA256e4132ca0d28e2e055de9bb0810643656e4dd00e95c3e954c59352dc079823496
SHA5120f5fe44592e0263316b66fc54c537950687acff7b27c2f290c3d585b7a69557091b2b7a4d2fae305faee7d08c33a60ac41b625b574d02f7dc41c2cb5316ae5af
-
Filesize
626KB
MD5db137818214813a7dad7681905091d84
SHA1fb31ade085115e511b4e88f58905cf3db7771037
SHA25697320187d059e4ba4ed3571c7ae60ee109783a536e545841cc645880fcdf4dde
SHA51295e9b110a487f3557ba49301a001395c02f9a9236c72b1247e47ad55f9592b9659536521494f937d580d53d9e9fb6cbe3973f195147462e9a76440d74e8d8332
-
Filesize
774KB
MD558a7b5b3b7f8cc9fc5ac72409575d12f
SHA1912e62e9cbd6d7e90e2fb0f81345750eed685062
SHA2560eaf429c03dfa8e3a07be6a4bbb7731a15d6820107a66dfda53e7e3654152672
SHA512e31ebdac263e505746a8b0e62a350c0305db6e104caeb9c3708961b61a110fef36bef85cb5a53249717be1ed61f21bae77c956ca6c9234fa45f9abcdc1d4ae65
-
Filesize
356KB
MD50867861d94e1664930da8996149bfe1c
SHA10d628b49d976d68133ded1304eccefd1dcc3d58d
SHA256c37a0542c8caeac909716bc8ffabda41f0d512de7b0b052858f6a382a74d26b7
SHA512e8d8ad9f054f4a3925542edf4f2499ee89752cdb41fbad562be92fb56f7ec2328ba3f71103bce7fe33d4fc2e2a2112af1fae698d837e3903bb5baad71f8dc726
-
Filesize
552KB
MD568217d5c4299cbc786d82f31f1b4d153
SHA15087f185d2decf39a5e9524eae303c96563f2c86
SHA2569151958697f9d6de813064d2179ca39da7d8e2d8943b15c5c3a65dfd6a3221af
SHA5129f86ca37f0c52e44a59f6fd464951a53850d039d2a83d653a596025d3a562d0377f7efd66722079fe2866efbfa32ca8f1818e2c69e5d25a06a9fe778ff26f280
-
Filesize
288B
MD5ba41cfaa9aff58c3b40c7ac73b4d1cd4
SHA1691f19d9330522a47b16c832c6d6b51a3a2efc72
SHA25630fb6cb48d4689a02731dedf82483a58738ba4131e4be90b2a44bd1ab9fd6a0a
SHA512708ebe3314fd85d51ab0e73d83a7e61cb00d6c0ce5e78530f7ed6c9e6bcd827ca5b3ca4cd34842bc2d7337fdd73c4c1f39407f5e8c94ba6a5fa8e9130533350e
-
Filesize
461KB
MD51c2b2322fd086f699f4edf127917ede7
SHA1b300f2ccd30c641ad7c2da8b0327a6bce037ccc6
SHA256af9c893b6a899ec70c9357ed7273e04676209ebb5efab941170563e060b9251c
SHA5129b7c6573321e671023d06c56cddbaa2b490f0c00e2bad24e859d583949c1e6727665afc8528a445b1703fb562811ac756ac73cf59b1587f0fc927828cabba54c
-
Filesize
218KB
MD55504656ee2fc4e53fa3f9ddaae2deee3
SHA1110428463b6ebcb904ebf66c826d568b47493221
SHA25603ab56dbaea993d3b7b34cf920b0ca08ea35d64e3a38c8f17ebdfe91336b3f34
SHA512f626417c469e3a5028ca2f6ec3c7c1f7ee6a08a3e7fca7fa82ee8d3f6d5c3e1e1560658cba2cad6f73c045c4cfa0d82ee62b3fe35281022a055e2522ff5ec955
-
Filesize
393KB
MD5cbb517e54e3413dd931aa36b092ca210
SHA1cad7c0bacbac724d9e13eec11370f4fd2d6eda6c
SHA2564912fa3b091e756ea7862661348a097868dc8bd20ede54093dbc7a05c6363a23
SHA5126f337727730ed9a550a4619690c66ee5dc1523b5c31fd09ac4d9d495805d847c46753b120045ccb822998fbf1688713d570c0fd8d51c2e72caeb870ad5a51051
-
Filesize
189KB
MD5c1dbbdb300d651bb4318512b915e7a8b
SHA1939545bf050d8f073d95bf2bb6cf9bcdeb1eff89
SHA2563b74296bc26de1af9aca7bb2babd726a0508b9d966ae922d485865785514e4ee
SHA512d0f5ce3fee581e9684ef64c88d2844f08fe40183c29b85004b43caf2effa8dabfbe99346a679b48293030c661ef488090c4f410b4024770790fcfd2ff36ad119
-
Filesize
296KB
MD58a9fd983875dbb5b3efa7d4755049c83
SHA14fbda4352b4af30afc368a4f3e4ff7bce035e656
SHA256844d099b70852da7d2745992944a96758f3f05af45bdad720ce8bf3e8f008b04
SHA512e426b3552ef40ff5c37e952bc8b43fb859b66c82852b7a93b3495722e8bc5ca2834a9503e5051ed3f5bd6c1911d2b3cc9baff17877910498d36d15e0be275b57
-
Filesize
512B
MD53e5d2582a5d0c915afef6c8cafa343d1
SHA17062928a2ec000838f78dce8c48693a1859471e1
SHA25634ae08d15c34e017facda7c39f7b5f9e8cc891b160072b908969a1a2523772aa
SHA5122cb2f561be74448d361099883ea4fdb9a1ea17a82970459fff7e35802617726561b52955b147d5fb23d3a3bb3d88539af645886c2d0e46716fba5c641a2b90b7
-
Filesize
4B
MD5a54f0041a9e15b050f25c463f1db7449
SHA1d9be6524a5f5047db5866813acf3277892a7a30a
SHA256ad95131bc0b799c0b1af477fb14fcf26a6a9f76079e48bf090acb7e8367bfd0e
SHA512ea71bb243b0b2db729b9eb88e3c55a3f490fbff23457825051224a1fe6e6d3f480590cfa3a4a6b12c622d6ac366feb03cd17004ed004cb3f0d52731626946679
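The dropped-file list above is the raw material for an indicator set, and it has two properties an analyst has to deal with before using it: the digest labels are fused to the values (MD5ded21..., SHA1497e...), and several sizes recur with different digests (two 675KB files, two 602KB, two 307KB, and so on), which is worth checking directly because identical sizes with different hashes often mean the same component dropped twice under different names or two builds of it. The Python below is an added example, not sandbox code. It parses entries in exactly the layout used above (a `-` separator line, an optional path line, `Filesize` with its value on the same or the following line, then the four labelled digests), rejects any entry whose digests are missing or the wrong length, groups valid entries that share a size but not a SHA-256, and emits a CSV. SAMPLE copies four entries from the list above plus one constructed, deliberately broken entry to exercise the validation path.

```python
"""Turn the dropped-file list above into validated IOC records. Added example,
not sandbox code. SAMPLE copies four entries from the list above; the last
entry is constructed and deliberately broken."""
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}    # the list rounds, so sizes are approximate

SAMPLE = r"""
-
Filesize
152B
MD5ded21ddc295846e2b00e1fd766c807db
SHA1497eb7c9c09cb2a247b4a3663ce808869872b410
SHA25626025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305
SHA512ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize146B
MD57907f093288ffc648b36ec2ca2243c50
SHA1d55929ed899e90c710bd395bfcb5cf2679275dfa
SHA25693a80995599d5798cc8959005531e2fe945d1f7ab8068d85b34c32087c3fb2dc
SHA51270eb903ba7d0f02d55da67207d02c23cb204ed4c87dbd2d202546c38f572793874b5e782fce6770c5e03cd5f016d09ef1df32da3c4ff05f2adf72c9db5b789b3
-
Filesize
675KB
MD577bd9d03bff5e45b63b0fe8d428115e6
SHA1a4ed79561583bd39535e80ea9ef4a3843f411f61
SHA25654ca08a589509219e065d2d6dfff9436f84595a914d7e8aa9c803def6eb2f248
SHA512ad35f3f2f352843af48778b443b0cdf175b19bdf645349439be00764cab62b291ff6a2373e4c6dd96ec1026cb9c842c0de922a53bc0a022532ed0fa3812ee4be
-
Filesize
675KB
MD5304ce3f2572f45a0e434df1e30629390
SHA17b904711783d8dc55aa127782cb7b03a342ad448
SHA2565658b447b7fa34b0c213d58dccda230df309102e247ecbd144a25fc3d0e0543f
SHA512d67d8d58e04ab7f18c200f4160866c0f7caad972a4befcb5ef6d1b2a26c3aa7f57febd74570eba3919d9533f70a739c9f9a50a0a8b9d4c257ef11ffc06d43435
-
Filesize
1KB
MD5deadbeefdeadbeefdeadbeefdeadbeef
SHA1deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
SHA2560000deadbeef
-
"""


@dataclass
class Entry:
    path: "str | None"
    size_text: str
    size_bytes: int
    md5: str
    sha1: str
    sha256: str
    sha512: str
    problems: list      # empty when every digest is present with the right length


def _grab(pattern, chunk):
    m = re.search(pattern, chunk, re.M | re.I)
    return m.group(1) if m else ""


def parse_entries(text):
    entries = []
    for chunk in re.split(r"^-\s*$", text, flags=re.M):          # entries are separated by '-' lines
        if "Filesize" not in chunk:
            continue
        m = re.search(r"Filesize\s*([\d.]+)\s*(B|KB|MB)\b", chunk)   # value may sit on the next line
        size_text = m.group(1) + m.group(2) if m else ""
        size_bytes = int(float(m.group(1)) * UNIT[m.group(2)]) if m else -1
        # labels are fused to the digests ("MD5ded21..."), so anchor on the label at line start
        hashes = {n: _grab(rf"^{n}([0-9a-f]+)\s*$", chunk).lower() for n in HASH_LEN}
        problems = [f"{n}: missing" if not v else f"{n}: {len(v)} hex chars, expected {HASH_LEN[n]}"
                    for n, v in hashes.items() if len(v) != HASH_LEN[n]]
        path = _grab(r"^([A-Za-z]:\\.+?)\s*$", chunk) or None
        entries.append(Entry(path, size_text, size_bytes, hashes["md5"], hashes["sha1"],
                             hashes["sha256"], hashes["sha512"], problems))
    return entries


def same_size_groups(entries):
    """Sizes shared by two or more valid entries that have different SHA-256 digests."""
    by_size = defaultdict(list)
    for e in entries:
        if not e.problems and e.sha256 not in by_size[e.size_text]:
            by_size[e.size_text].append(e.sha256)
    return {s: h for s, h in by_size.items() if len(h) > 1}


def to_csv(entries):
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["size", "sha256", "md5", "path"])
    for e in entries:
        if not e.problems:
            w.writerow([e.size_bytes, e.sha256, e.md5, e.path or ""])
    return buf.getvalue()


if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    print(to_csv(found), same_size_groups(found), [e.problems for e in found if e.problems])
```

Entries with problems are kept in the parse result but excluded from the CSV and the size groups, so a copy-paste error in one digest cannot silently become a bad indicator; the full list above can be pasted in place of SAMPLE unchanged.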