dridex | 0a65e748685b606573e04e320955af33a9fc673b50c7dc4ca6a4d53d9235cfc1

Resubmissions

09/03/2024, 01:40

240309-b3w57abc62 10

09/03/2024, 01:37

240309-b14ggsbc37 10

Analysis

max time kernel
63s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9b70b4077ca44355b4850e19c6e17d6.dll
Size

2.1MB
MD5

b9b70b4077ca44355b4850e19c6e17d6
SHA1

01eff1a28fdfd36735a92e66ecc1b4ca7fb2c428
SHA256

0a65e748685b606573e04e320955af33a9fc673b50c7dc4ca6a4d53d9235cfc1
SHA512

acc2c62bc6103b766ce5df4bd207fe557e81b3490353e1f32b4b328a1c71769a056386f2497c3fa76bf22f87ccca82035aba269275ddf89e3ead1424d1d63ca6
SSDEEP

12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1360-5-0x00000000025C0000-0x00000000025C1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2036	mmc.exe
1864	Dxpserver.exe
1096	OptionalFeatures.exe

Loads dropped DLL 7 IoCs

pid	Process
1360	Process not Found
2036	mmc.exe
1360	Process not Found
1864	Dxpserver.exe
1360	Process not Found
1096	OptionalFeatures.exe
1360	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rrbpyxif = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SPFJY2UU2v\\Dxpserver.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	Process not Found

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found

Modifies data under HKEY_USERS 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000103de74bc371da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000109cda4ec371da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\GroupView = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Mode = "6"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\GroupByKey:PID = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\FFlags = "18874369"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupView = "0"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "3"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616193"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\Mode = "8"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Rev = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\TV_TopViewID = "{BDBE736F-34F5-4829-ABE8-B550E65146C4}"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 7d281f002d28d5dfa3231f280400000000001b2800003153505305d5cdd59c2e1b10939708002b2cf9ae5727000012000000004100750074006f004c006900730074000000420000001e000000700072006f00700034003200390034003900360037003200390035000000000010270000aea54e38e1ad8a4e8a9b7bea78fff1e9060000800000000001000000020000800100000001000000020000002000000000000000360014001f44471a0359723fa74489c55595fe6b30ee200000001a00eebbfe230000100090e24d373f126545916439c4925e467b00000000000000000000000000000000000000000000000001000000010000800100000004006900740065006d00000000000000000000000000000000000000000000000000000000000000000000000000000000001e1ade7f318ba54993b86be14cfa4943ffffffffffffffffffffffff00000000010000001b00530065006100720063006800200052006500730075006c0074007300200069006e00200044006f0077006e006c006f00610064007300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004007000000030000000000000000000000240f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b40200b6a6ab3b008000f80b00000000f05f2e0700000000802c6d0b00000000102d6d0b00000000a02d6d0b00000000c02e6d0b00000000302e6d0b00000000502f6d0b00000000e02f6d0b0000000070306d0b0000000080bd700b0000000010be700b00000000a0be700b0000000050c0700b00000000c0bf700b00000000e0c0700b0000000070c1700b0000000000c2700b0000000040c4700b00000000d0c4700b0000000060c5700b00000000f0c5700b0000000080c6700b0000000010c7700b00000000a0c7700b0000000030c8700b0000000090c2700b0000000020c3700b00000000b0c3700b00000000c0c8700b0000000050c9700b00000000e0c9700b0000000070ca700b0000000000cb700b0000000090cb700b0000000020cc700b00000000b0cc700b0000000040cd700b00000000d0cd700b0000000080cf700b00000000f0ce700b0000000010d0700b00000000a0d0700b0000000030d1700b00000000c0d1700b0000000050d2700b0000000000d4700b0000000070d3700b0000000090d4700b0000000020d5700b00000000b0d5700b0000000040d6700b00000000f0d7700b0000000060d7700b00000000a0d9700b0000000010d9700b0000000030da700b00000000c0da700b0000000050db700b00000000804d740b0000000070dc700b00000000104e740b00000000a04e740b00000000304f740b00000000c04f740b000000005050740b00000000e050740b000000007051740b000000000052740b000000009052740b000000002053740b00000000b053740b000000004054740b00000000d054740b000000008056740b00000000f055740b000000001057740b00000000905b740b00000000205c740b00000000b05c740b00000000405d740b00000000d05d740b00000000a057740b000000003058740b00000000c058740b000000005059740b00000000e059740b00000000705a740b00000000005b740b00000000605e740b00000000f05e740b0000000020206d0b00000000b0206d0b00000000805f740b000000001060740b00000000a060740b000000003061740b00000000c061740b000000005062740b00000000e062740b000000007063740b000000000064740b000000002065740b000000009064740b00000000b065740b000000004066740b00000000d066740b000000006067740b00000000f067740b000000008068740b000000001069740b00000000a069740b00000000306a740b00000000c06a740b00000000506b740b00000000e06b740b00000000706c740b0000000080d1740b0000000010d2740b00000000a0d2740b0000000030d3740b00000000c0d3740b0000000050d4740b00000000e0d4740b0000000070d5740b0000000000d6740b0000000090d6740b0000000020d7740b00000000b0d7740b0000000040d8740b00000000d0d8740b0000000060d9740b00000000f0d9740b0000000080da740b0000000010db740b00000000a0db740b0000000030dc740b00000000c0dc740b0000000050dd740b00000000e0dd740b0000000070de740b0000000000df740b0000000090df740b0000000020e0740b00000000b0e0740b0000000040e1740b00000000d0e1740b0000000060e2740b00000000f0e2740b0000000080e3740b0000000010e4740b00000000a0e4740b0000000030e5740b00000000c0e5740b0000000050e6740b00000000e0e6740b0000000070e7740b0000000000e8740b0000000090e8740b0000000020e9740b00000000b0e9740b0000000040ea740b00000000d0ea740b0000000060eb740b00000000f0eb740b0000000080ec740b0000000010ed740b00000000a0ed740b0000000030ee740b00000000c0ee740b0000000050ef740b00000000e0ef740b0000000070f0740b0000000080a1770b0000000010a2770b00000000a0a2770b0000000030a3770b00000000c0a3770b0000000050a4770b00000000e0a4770b0000000070a5770b0000000000a6770b0000000090a6770b0000000020a7770b00000000b0a7770b0000000040a8770b00000000d0a8770b0000000060a9770b00000000f0a9770b0000000080aa770b0000000010ab770b00000000a0ab770b0000000030ac770b00000000c0ac770b0000000050ad770b00000000e0ad770b0000000070ae770b0000000000af770b00000000b0b0770b0000000090af770b0000000040b1770b00000000d0b1770b0000000060b2770b00000000f0b2770b0000000080b3770b0000000010b4770b00000000a0b4770b0000000030b5770b00000000c0b5770b0000000050b6770b00000000e0b6770b0000000070b7770b0000000000b8770b0000000090b8770b0000000020b9770b00000000b0b9770b0000000040ba770b00000000d0ba770b0000000060bb770b00000000f0bb770b0000000080bc770b0000000010bd770b00000000a0bd770b0000000030be770b00000000c0be770b0000000050bf770b00000000e0bf770b0000000070c0770b000000008009780b00000000100a780b0000000020b0770b00000000300b780b00000000a00a780b00000000c00b780b00000000500c780b00000000e00c780b00000000700d780b00000000000e780b00000000900e780b000000004010780b00000000b00f780b00000000d010780b000000006011780b00000000f011780b000000008012780b000000001013780b00000000a013780b000000003014780b00000000c014780b000000005015780b00000000e015780b000000007016780b000000000017780b000000009017780b000000002018780b00000000b018780b000000004019780b00000000d019780b00000000601a780b00000000f01a780b00000000801b780b00000000101c780b00000000a01c780b00000000301d780b00000000e01e780b00000000501e780b00000000701f780b000000000020780b000000009020780b000000002021780b00000000b021780b000000004022780b00000000d022780b000000006023780b00000000f023780b000000008024780b000000001025780b00000000a025780b000000003026780b00000000c026780b00000000a0cf7b0b0000000030d07b0b00000000c0d07b0b0000000050d17b0b00000000e0d17b0b0000000070d27b0b0000000000d37b0b0000000090d37b0b0000000020d47b0b00000000b0d47b0b0000000040d57b0b00000000d0d57b0b0000000060d67b0b000000005027780b00000000e027780b000000007028780b000000000029780b000000009029780b00000000202a780b00000000b02a780b00000000402b780b00000000d02b780b00000000602c780b00000000f02c780b00000000802d780b00000000102e780b00000000a02e780b00000000302f780b00000000c02f780b000000005030780b00000000e030780b000000007031780b000000000032780b000000009032780b000000002033780b00000000b033780b000000004034780b00000000d034780b000000006035780b00000000f035780b000000008036780b000000001037780b00000000a037780b000000003038780b00000000c038780b000000005039780b00000000e039780b00000000703a780b00000000003b780b00000000903b780b00000000203c780b00000000b03c780b00000000403d780b00000000d03d780b00000000603e780b00000000f03e780b00000000803f780b000000001040780b00000000a040780b000000003041780b00000000c041780b000000005042780b00000000e042780b000000007043780b000000000044780b000000009044780b000000002045780b00000000b045780b000000004046780b00000000d046780b000000006047780b00000000f047780b000000008048780b00000000c0ac7b0b0000000050ad7b0b00000000e0ad7b0b0000000070ae7b0b0000000000af7b0b0000000090af7b0b0000000020b07b0b00000000b0b07b0b0000000040b17b0b00000000d0b17b0b0000000060b27b0b00000000f0b27b0b0000000080b37b0b0000000010b47b0b00000000a0b47b0b0000000030b57b0b00000000c0b57b0b0000000050b67b0b00000000e0b67b0b0000000070b77b0b0000000000b87b0b0000000090b87b0b0000000020b97b0b00000000b0b97b0b0000000040ba7b0b00000000d0ba7b0b0000000060bb7b0b00000000f0bb7b0b0000000080bc7b0b0000000010bd7b0b00000000a0bd7b0b0000000030be7b0b00000000c0be7b0b0000000050bf7b0b00000000e0bf7b0b0000000070c07b0b0000000000c17b0b0000000090c17b0b0000000020c27b0b00000000b0c27b0b0000000040c37b0b00000000d0c37b0b0000000060c47b0b00000000f0c47b0b0000000030c77b0b0000000080c57b0b00000000a0c67b0b00000000c0c77b0b0000000050c87b0b000000000000000000000000ea0100ebfca83b0030c9000c00000000600ffa0b0000000070cf860b00000000f0e5860b00000000f0ee860b0000000030d0860b00000000302b870b00000000f038870b00000000f071800b00000000f070800b0000000070d1860b00000000b0d1860b00000000f0d1860b0000000030d2860b0000000070d2860b00000000b0d2860b00000000f0d2860b0000000030d3860b0000000070d3860b00000000b0d3860b0000000030e6860b0000000070e6860b00000000b0e6860b00000000f0e6860b00000000f0d3860b0000000030d4860b0000000070d4860b00000000b0d4860b00000000f0d4860b0000000030d5860b0000000070d5860b00000000b0d5860b0000000030e7860b00000000f0d5860b0000000030d6860b0000000070d6860b00000000b0d6860b00000000f0d6860b0000000030d7860b0000000070d7860b00000000b0d7860b00000000f0d7860b0000000030d8860b0000000070d8860b00000000b0d8860b00000000f0d8860b0000000030d9860b0000000070d9860b0000000070e7860b00000000b0e7860b00000000f0e7860b00000000f062870b00000000f063870b000000007064870b00000000b0d9860b00000000f0d9860b0000000030da860b0000000070da860b00000000b0da860b00000000f0da860b0000000030db860b0000000070db860b00000000b0db860b00000000f0db860b0000000030dc860b0000000070dc860b00000000b0dc860b000000003039870b00000000f0dc860b0000000030dd860b0000000070dd860b00000000b0dd860b00000000f0dd860b0000000030de860b0000000070de860b00000000b0de860b00000000f0de860b0000000030df860b0000000070df860b00000000b0df860b00000000f0df860b00000000f090800b0000000030e0860b0000000070e0860b00000000f080800b00000000b0e0860b00000000f0e0860b0000000030e1860b0000000070e1860b00000000b0e1860b00000000f0e1860b0000000030e2860b00000000b0d0860b0000000070ce860b0000000030cf860b00000000f06f800b0000000070e2860b00000000702b870b00000000f0ce860b00000000b0cf860b00000000f0cf860b00000000b0ce860b0000000070d0860b00000000b0e2860b00000000f0e2860b0000000030e3860b0000000070e3860b00000000b0e3860b00000000f0e3860b0000000030e4860b0000000070e4860b00000000b0e4860b00000000f0e4860b0000000030e5860b0000000070e5860b00000000b0e5860b0000000030e8860b0000000070e8860b00000000b0e8860b00000000f0e8860b0000000030e9860b0000000070e9860b00000000b0e9860b00000000f0e9860b0000000030ea860b0000000070ea860b00000000b0ea860b00000000f0ea860b0000000030eb860b0000000070eb860b00000000b0eb860b00000000f0eb860b0000000030ec860b0000000070ec860b00000000b0ec860b00000000f0ec860b0000000030ed860b0000000070ed860b00000000b0ed860b00000000f0ed860b0000000030ee860b0000000070ee860b00000000b0ee860b0000000030ef860b0000000070ef860b00000000b0ef860b00000000f0ef860b0000000030f0860b0000000070f0860b00000000b0f0860b00000000f0f0860b0000000030f1860b0000000070f1860b00000000b0f1860b00000000f0f1860b0000000030f2860b0000000070f2860b00000000b0f2860b00000000f0f2860b0000000030f3860b0000000070f3860b00000000b0f3860b00000000f0f3860b0000000030f4860b0000000070f4860b00000000b0f4860b00000000f0f4860b0000000030f5860b0000000070f5860b00000000b0f5860b00000000f0f5860b0000000030f6860b0000000070f6860b00000000b0f6860b00000000f0f6860b0000000030f7860b0000000070f7860b00000000b0f7860b00000000f0f7860b0000000030f8860b0000000070f8860b00000000b0f8860b00000000f0f8860b0000000030f9860b0000000070f9860b00000000b0f9860b00000000f0f9860b0000000030fa860b0000000070fa860b00000000b0fa860b00000000f0fa860b0000000030fb860b0000000070fb860b00000000b0fb860b00000000f0fb860b0000000030fc860b0000000070fc860b00000000b0fc860b00000000f0fc860b0000000030fd860b0000000070fd860b00000000b0fd860b00000000f0fd860b0000000030fe860b0000000070fe860b00000000b0fe860b00000000f0fe860b0000000030ff860b0000000070ff860b00000000b0ff860b00000000f0ff860b000000003000870b000000007000870b00000000b000870b00000000f000870b000000003001870b000000007001870b00000000b001870b00000000f001870b000000003002870b000000007002870b00000000b002870b00000000f002870b000000003003870b000000007003870b00000000b003870b00000000f003870b000000003004870b000000007004870b00000000b004870b00000000f004870b000000003005870b000000007005870b00000000b005870b00000000f005870b000000003006870b000000007006870b00000000b006870b00000000f006870b000000003007870b000000007007870b00000000b007870b00000000f007870b000000003008870b000000007008870b00000000b008870b00000000f008870b000000003009870b000000007009870b00000000b009870b00000000f009870b00000000300a870b00000000700a870b00000000b00a870b00000000f00a870b00000000300b870b00000000700b870b00000000b00b870b00000000f00b870b00000000300c870b00000000700c870b00000000b00c870b00000000f00c870b00000000300d870b00000000700d870b00000000b00d870b00000000f00d870b00000000300e870b00000000700e870b00000000b00e870b00000000f00e870b00000000300f870b00000000700f870b00000000b00f870b00000000f00f870b000000003010870b000000007010870b00000000b010870b00000000f010870b000000003011870b000000007011870b00000000b011870b00000000f011870b000000003012870b000000007012870b00000000b012870b00000000f012870b000000003013870b000000007013870b00000000b013870b00000000f013870b000000003014870b000000007014870b00000000b014870b00000000f014870b000000003015870b000000007015870b00000000b015870b00000000f015870b000000003016870b000000007016870b00000000b016870b00000000f016870b000000003017870b000000007017870b00000000b017870b00000000f017870b000000003018870b000000007018870b00000000b018870b00000000f018870b000000003019870b000000007019870b00000000b019870b00000000f019870b00000000301a870b00000000701a870b00000000b01a870b00000000f01a870b00000000301b870b00000000701b870b00000000b01b870b00000000f01b870b00000000301c870b00000000701c870b00000000b01c870b00000000f01c870b00000000301d870b00000000701d870b00000000b01d870b00000000f01d870b00000000301e870b00000000701e870b00000000b01e870b00000000f01e870b00000000301f870b00000000701f870b00000000b01f870b00000000f01f870b000000003020870b000000007020870b00000000b020870b00000000f020870b000000003021870b000000007021870b00000000b021870b00000000f021870b000000003022870b000000007022870b00000000b022870b00000000f022870b000000003023870b000000007023870b00000000b023870b00000000f023870b000000003024870b000000007024870b00000000b024870b00000000f024870b000000003025870b000000007025870b00000000b025870b00000000f025870b000000003026870b000000007026870b00000000b026870b00000000f026870b000000003027870b000000007027870b00000000b027870b00000000f027870b000000003028870b000000007028870b00000000b028870b00000000f028870b000000003029870b000000007029870b00000000b029870b00000000f029870b00000000302a870b00000000702a870b00000000b02a870b00000000f02a870b00000000b02b870b00000000f02b870b00000000302c870b00000000702c870b00000000b02c870b00000000f02c870b00000000302d870b00000000702d870b00000000b02d870b00000000f02d870b00000000302e870b00000000702e870b00000000b02e870b00000000f02e870b00000000302f870b00000000702f870b00000000b02f870b00000000f02f870b000000003030870b000000007030870b00000000b030870b00000000f030870b000000003031870b000000007031870b00000000b031870b00000000f031870b000000003032870b000000007032870b00000000b032870b00000000f032870b000000003033870b000000007033870b00000000b033870b00000000f033870b000000003034870b000000007034870b00000000b034870b00000000f034870b000000003035870b000000007035870b00000000b035870b00000000f035870b000000003036870b000000007036870b00000000b036870b00000000f036870b000000003037870b000000007037870b00000000b037870b00000000f037870b000000003038870b000000007038870b00000000b038870b000000007039870b00000000b039870b00000000f039870b00000000303a870b00000000703a870b00000000b03a870b00000000f03a870b00000000303b870b00000000703b870b00000000b03b870b00000000f03b870b00000000303c870b00000000703c870b00000000b03c870b00000000f03c870b00000000303d870b00000000703d870b00000000b03d870b00000000f03d870b00000000303e870b00000000703e870b00000000b03e870b00000000f03e870b00000000303f870b00000000703f870b00000000b03f870b00000000f03f870b000000003040870b000000007040870b00000000b040870b00000000f040870b000000003041870b000000007041870b00000000b041870b00000000f041870b000000003042870b000000007042870b00000000b042870b00000000f042870b000000003043870b000000007043870b00000000b043870b00000000f043870b000000003044870b000000007044870b00000000b044870b00000000f044870b000000003045870b000000007045870b00000000b045870b00000000f045870b000000003046870b000000007046870b00000000b046870b00000000f046870b000000003047870b000000007047870b00000000b047870b00000000f047870b000000003048870b000000007048870b00000000b048870b00000000f048870b000000003049870b000000007049870b00000000b049870b00000000f049870b00000000304a870b00000000704a870b00000000b04a870b00000000f04a870b00000000304b870b00000000704b870b00000000b04b870b00000000f04b870b00000000304c870b00000000704c870b00000000b04c870b00000000f04c870b00000000304d870b00000000704d870b00000000b04d870b00000000f04d870b00000000304e870b00000000704e870b00000000b04e870b00000000f04e870b00000000304f870b00000000704f870b00000000b04f870b00000000f04f870b000000003050870b000000007050870b00000000b050870b00000000f050870b000000003051870b000000007051870b00000000b051870b00000000f051870b000000003052870b000000007052870b00000000b052870b00000000f052870b000000003053870b000000007053870b00000000b053870b00000000f053870b000000003054870b000000007054870b00000000b054870b00000000f054870b000000003055870b000000007055870b00000000b055870b00000000f055870b000000003056870b000000007056870b00000000b056870b00000000f056870b000000003057870b000000007057870b00000000b057870b00000000f057870b000000003058870b000000007058870b00000000b058870b00000000f058870b000000003059870b000000007059870b00000000b059870b00000000f059870b00000000305a870b00000000705a870b00000000b05a870b00000000f05a870b00000000305b870b00000000705b870b00000000b05b870b00000000f05b870b00000000305c870b00000000705c870b00000000b05c870b00000000f05c870b00000000305d870b00000000705d870b00000000b05d870b00000000f05d870b00000000305e870b00000000705e870b00000000b05e870b00000000f05e870b00000000305f870b00000000705f870b00000000b05f870b00000000f05f870b000000003060870b000000007060870b00000000b060870b00000000f060870b000000003061870b000000007061870b00000000b061870b00000000f061870b000000003062870b000000007062870b00000000b062870b000000003063870b000000007063870b00000000b063870b000000003064870b00000000b064870b00000000f064870b000000003065870b000000007065870b00000000b065870b00000000f065870b000000003066870b000000007066870b00000000b066870b00000000f066870b000000003067870b000000007067870b00000000b067870b00000000f067870b000000003068870b000000007068870b00000000b068870b00000000f068870b000000003069870b000000007069870b00000000b069870b00000000f069870b00000000306a870b00000000706a870b00000000b06a870b00000000f06a870b00000000306b870b00000000706b870b00000000b06b870b00000000f06b870b00000000306c870b00000000706c870b00000000b06c870b00000000f06c870b00000000306d870b00000000706d870b00000000b06d870b00000000f06d870b00000000306e870b00000000706e870b00000000b06e870b00000000f06e870b00000000306f870b00000000706f870b00000000b06f870b00000000f06f870b000000003070870b000000007070870b00000000b070870b00000000f070870b000000003071870b000000007071870b00000000b071870b00000000f071870b000000003072870b000000007072870b00000000b072870b00000000f072870b000000003073870b000000007073870b00000000b073870b00000000f073870b000000003074870b000000007074870b00000000b074870b00000000f074870b000000003075870b000000007075870b00000000b075870b00000000f075870b000000003076870b000000007076870b00000000b076870b00000000f076870b000000003077870b00000000f033810b000000003900000024000000004100750074006f006c0069007300740043006100630068006500540069006d0065000000400000000030133dc371da016f00000022000000004100750074006f006c00690073007400430061006300680065004b006500790000001f0000001d000000530065006100720063006800200052006500730075006c0074007300200069006e00200044006f0077006e006c006f0061006400730030000000000000000000000000000000741a595e96dfd3488d671733bcee28ba671b730433d90a4590e64acd2e9408fe2a0000001300efbe000000200000000000000000000000000000000000000000000000000100000053280000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\GroupByDirection = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\TV_TopViewVersion = "0"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\LogicalViewMode = "2"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616209"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\Rev = "0"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\Vid = "{30C2C434-0889-4C8D-985D-A9F71830B0A9}"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\IconSize = "32"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByDirection = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\{BDBE736F-34F5-4829-ABE8-B550E65146C4}\Sort = 0000000000000000000000000000000003000000901c6949177e1a10a91c08002b2ecda903000000ffffffff30f125b7ef471a10a5f102608c9eebac0e000000ffffffff30f125b7ef471a10a5f102608c9eebac0a00000001000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	rundll32.exe
2176	rundll32.exe
2176	rundll32.exe
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1360	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeManageVolumePrivilege	1224	SearchIndexer.exe
Token: 33	1224	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1224	SearchIndexer.exe
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1360	Process not Found
2088	SearchProtocolHost.exe
2088	SearchProtocolHost.exe
2088	SearchProtocolHost.exe
2088	SearchProtocolHost.exe
2088	SearchProtocolHost.exe
2864	SearchProtocolHost.exe
2864	SearchProtocolHost.exe
2864	SearchProtocolHost.exe
2864	SearchProtocolHost.exe
2864	SearchProtocolHost.exe
2864	SearchProtocolHost.exe
1360	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 2908	1360	Process not Found	28
PID 1360 wrote to memory of 2908	1360	Process not Found	28
PID 1360 wrote to memory of 2908	1360	Process not Found	28
PID 1360 wrote to memory of 2036	1360	Process not Found	29
PID 1360 wrote to memory of 2036	1360	Process not Found	29
PID 1360 wrote to memory of 2036	1360	Process not Found	29
PID 1360 wrote to memory of 1712	1360	Process not Found	30
PID 1360 wrote to memory of 1712	1360	Process not Found	30
PID 1360 wrote to memory of 1712	1360	Process not Found	30
PID 1360 wrote to memory of 1820	1360	Process not Found	32
PID 1360 wrote to memory of 1820	1360	Process not Found	32
PID 1360 wrote to memory of 1820	1360	Process not Found	32
PID 1360 wrote to memory of 1864	1360	Process not Found	33
PID 1360 wrote to memory of 1864	1360	Process not Found	33
PID 1360 wrote to memory of 1864	1360	Process not Found	33
PID 1360 wrote to memory of 1352	1360	Process not Found	34
PID 1360 wrote to memory of 1352	1360	Process not Found	34
PID 1360 wrote to memory of 1352	1360	Process not Found	34
PID 1360 wrote to memory of 1096	1360	Process not Found	35
PID 1360 wrote to memory of 1096	1360	Process not Found	35
PID 1360 wrote to memory of 1096	1360	Process not Found	35
PID 1224 wrote to memory of 2088	1224	SearchIndexer.exe	40
PID 1224 wrote to memory of 2088	1224	SearchIndexer.exe	40
PID 1224 wrote to memory of 2088	1224	SearchIndexer.exe	40
PID 1224 wrote to memory of 1748	1224	SearchIndexer.exe	41
PID 1224 wrote to memory of 1748	1224	SearchIndexer.exe	41
PID 1224 wrote to memory of 1748	1224	SearchIndexer.exe	41
PID 1224 wrote to memory of 2864	1224	SearchIndexer.exe	42
PID 1224 wrote to memory of 2864	1224	SearchIndexer.exe	42
PID 1224 wrote to memory of 2864	1224	SearchIndexer.exe	42
PID 1360 wrote to memory of 2168	1360	Process not Found	43
PID 1360 wrote to memory of 2168	1360	Process not Found	43
PID 1360 wrote to memory of 2168	1360	Process not Found	43
PID 2168 wrote to memory of 3052	2168	chrome.exe	44
PID 2168 wrote to memory of 3052	2168	chrome.exe	44
PID 2168 wrote to memory of 3052	2168	chrome.exe	44
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46
PID 2168 wrote to memory of 2588	2168	chrome.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9b70b4077ca44355b4850e19c6e17d6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:2908

C:\Users\Admin\AppData\Local\l2qFVh5\mmc.exe
C:\Users\Admin\AppData\Local\l2qFVh5\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2036

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1712

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:1820

C:\Users\Admin\AppData\Local\SlhxT8fmx\Dxpserver.exe
C:\Users\Admin\AppData\Local\SlhxT8fmx\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1864

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:1352

C:\Users\Admin\AppData\Local\ChgXHc5\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\ChgXHc5\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1096

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2088
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  PID:1748
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4d49758,0x7fef4d49768,0x7fef4d49778
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1252,i,9529194864623722528,15657219600499382656,131072 /prefetch:2
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1252,i,9529194864623722528,15657219600499382656,131072 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1252,i,9529194864623722528,15657219600499382656,131072 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2112 --field-trial-handle=1252,i,9529194864623722528,15657219600499382656,131072 /prefetch:1
  2⤵
  PID:588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2316 --field-trial-handle=1252,i,9529194864623722528,15657219600499382656,131072 /prefetch:1
  2⤵
  PID:268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1496 --field-trial-handle=1252,i,9529194864623722528,15657219600499382656,131072 /prefetch:2
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2264 --field-trial-handle=1252,i,9529194864623722528,15657219600499382656,131072 /prefetch:2
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2188 --field-trial-handle=1252,i,9529194864623722528,15657219600499382656,131072 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 --field-trial-handle=1252,i,9529194864623722528,15657219600499382656,131072 /prefetch:8
  2⤵
  PID:2476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c5d0435dfb9c35483566b872670e5889

SHA1
6a953801732060a197e949031be3e670ba141a32

SHA256
8ae38ecb80d0bb15f325b95e09be64235f7bed0e7e4d00293c7eda2c0a9390e6

SHA512
0d40517720271c799a790debbde357e65cf29266c220d212fc688ad043461a93cd0674bac48dfead99c211a60af6bcfcfa8d59679652c87ef380163138e72785

Download Submit
C:\Users\Admin\AppData\Local\ChgXHc5\OptionalFeatures.exe

Filesize
95KB

MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
C:\Users\Admin\AppData\Local\ChgXHc5\appwiz.cpl

Filesize
281KB

MD5
bd3585fd98a3204acc6bc7503c6e2aa4

SHA1
63fd293ecdf84a654dd263958ee83ba0e739731f

SHA256
27dbf39c418fc91e9336c888f9caa159586c020a1df0d69ff36e2602f696463e

SHA512
96adf5758fce393a6313d4a0ee489c5ee8b7f6155afd70ae7dfabb056ac17dd19aab7d91aac3c8e838ca4e051552f28aadaa737f73c11054976970b13e031e8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
da76df4e4239058f4ea707d73874f897

SHA1
39abcd90702a71a37d8e09fe938199103c4ffa32

SHA256
f9615637351792a6ca7a9572e0e3931ff1e7e0e2401ab45de12a14ba2c364c00

SHA512
0118c8f2b5479afe7f9b105e482b589704407f516976a4d4687f9688dfe1d000bfe8b426852860e4aa5b7114db41d57bf5d34f58d17efebd24887c00b034140a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fd96a0ae09dba03c8590101eb548b8af

SHA1
3d49fdb1bdeb8c9be55222a4287d3f1a0b8af2e4

SHA256
d2640d62223a1a99216c81a3f85b4f74aa694f8eff518c0f8b535b3132acc6f4

SHA512
174ff5ac824b826e3ea21b6aa1f706a1bf3035b6a0dc7d6e928ee4adf2a1a703b9870c2ef46a920d2bacd1f478844837c5eab80cdaf2f0f2151ab2f6bce4b2b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
41b6fb01e94badeb699994d69346da71

SHA1
60b82808588520a46b6fa505b827cd21ae6e7b21

SHA256
d010c532f3a6834ddba704405c320618275ea3d1aed72692e71a689716fe5faf

SHA512
6851236451f12eaae638fa6a33ef990aafa51e6a12f26560d7a0036fbc7aca7a5279cb11917260cf2395c1d6f6ee84df7510d0377051e98d0f4ac35667078530

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
292KB

MD5
ae71383c3cbc5a7c64ee793a5779015b

SHA1
1cabfd5c590a76fe86af0c042b4d9a6e1546cf78

SHA256
29bbdf534e97add374f41c9a2e5a1a34952b8eac501f1a8828f5999e7e0d79f7

SHA512
f7703b0e5b67e2c3bbba42efe912eda68c90d7fe4425c7d2f20f02f2d6e659f71870286055eb87095a0861e4ba04a9fbf72bfb328bda10aadafe2880fd06e51d

Download Submit
C:\Users\Admin\AppData\Local\SlhxT8fmx\XmlLite.dll

Filesize
2.1MB

MD5
0d86aca4bb536f4afc80e5c38432132d

SHA1
b41175fb9d684b066a14d6e4d204b837f67243f9

SHA256
d52a7042c61df061d9bfa4c0b21db01d52fd89e7c3ba4c537e6782e9ff761ccd

SHA512
502f937d790c06834c04da7e67b5dbf078c1af68b82739392c8d56d527f24ab84c67f6c607b29088016ba357e75d01d782ff26ee8349ba17df4735f9e28ebda6

Download Submit
C:\Users\Admin\AppData\Local\l2qFVh5\DUser.dll

Filesize
2.1MB

MD5
9d58c1293f2e4456da4598fba459b3a7

SHA1
a9876e1230c5d7172d321575ef640d5c56a04cf7

SHA256
d69ace6ee04e348481add30b2be288d3b2ae8d639f7760963d46faad325c2629

SHA512
97721e7390e86e95767a8fdc97458abf4fcc4f993064ba4a2b7945c3f5aac6f14b204bfe9342fd1812b5b444cad6205f265cc8715640ab499e6a74008faafeb3

Download Submit
C:\Users\Admin\AppData\Local\l2qFVh5\mmc.exe

Filesize
2.0MB

MD5
9fea051a9585f2a303d55745b4bf63aa

SHA1
f5dc12d658402900a2b01af2f018d113619b96b8

SHA256
b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

SHA512
beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Jsonhdwp.lnk

Filesize
1KB

MD5
6468ce01aaaf06fa1baee7f2147ddb48

SHA1
8f3d1faf7e7eaa55441093181bae8828292e05e1

SHA256
44fdd76ad65574a94dc170b93c3143c455a88b5f363dc0992850806949411129

SHA512
2c7d4a5e445b9ced06fa7f3e6fa2d8a22bff4932afd7d140563548015163bb41dfed2c0f5e46c2298329cf78a1368f62f4bf012a573f7b8e5135f98a7a36ddab

Download Submit
\Users\Admin\AppData\Local\ChgXHc5\appwiz.cpl

Filesize
2.1MB

MD5
a413a58cbc5b5f783358202654b222f9

SHA1
bec615b566ecb5499376c110d638d7e312697ca2

SHA256
0ca2b60e9f44563f477d672755496f982646fe6004d5271b243526083b423f06

SHA512
c7cd62c448d0cbcacddc9ec0dd156c20d3e0eefda6288fa6efaebe216d8bddb4324e74e07e8b1be8d1614b05748d75fc4611ebc669613dae45ef427aa07399ea

Download Submit
\Users\Admin\AppData\Local\SlhxT8fmx\Dxpserver.exe

Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
memory/1096-119-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1360-24-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-50-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-4-0x0000000077AF6000-0x0000000077AF7000-memory.dmp

Filesize
4KB

Download
memory/1360-22-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-23-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-26-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-25-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-27-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-29-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-30-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-28-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-31-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-33-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-32-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-34-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-35-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-36-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-37-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-38-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-39-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-40-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-41-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-42-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-43-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-44-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-45-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-46-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-47-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-49-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-48-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-51-0x0000000002580000-0x0000000002587000-memory.dmp

Filesize
28KB

Download
memory/1360-21-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-58-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-59-0x0000000077C01000-0x0000000077C02000-memory.dmp

Filesize
4KB

Download
memory/1360-62-0x0000000077D60000-0x0000000077D62000-memory.dmp

Filesize
8KB

Download
memory/1360-65-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-71-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-20-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-19-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-5-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1360-18-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-17-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-7-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-13-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-16-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-15-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-14-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-141-0x0000000077AF6000-0x0000000077AF7000-memory.dmp

Filesize
4KB

Download
memory/1360-12-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-10-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-11-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1360-9-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1748-367-0x000007FEEED90000-0x000007FEEEED3000-memory.dmp

Filesize
1.3MB

Download
memory/1748-368-0x000007FF50810000-0x000007FF5081A000-memory.dmp

Filesize
40KB

Download
memory/1748-401-0x000007FF50810000-0x000007FF5081A000-memory.dmp

Filesize
40KB

Download
memory/1748-400-0x000007FEEED90000-0x000007FEEEED3000-memory.dmp

Filesize
1.3MB

Download
memory/1864-101-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/2036-84-0x0000000000150000-0x0000000000157000-memory.dmp

Filesize
28KB

Download
memory/2176-8-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/2176-1-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/2176-0-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download