Analysis
max time kernel: 263s
max time network: 248s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/03/2024, 18:44
Static task: static1
Behavioral task: behavioral1
  Sample: Exo_AA_software.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral2
  Sample: Exo_AA_software.exe
  Resource: macos-20240214-en
General
Target: Exo_AA_software.exe
Size: 6.6MB
MD5: 8b5eeeeed392e1ae5bad0b5a94c5690b
SHA1: da3ad5180bd3bb9021c8b9eec256c1e2aecd3b4f
SHA256: 3fa20a022ceafed663d70a0d7d41c2efe9fb185f1f9d2ed947e608c6076e9fae
SHA512: 42fe98a71de00f25e3628ca82a78c32338abf2214e7d6958335e381d3890cbc55d02473b6aade8ab7192d883fa04bb30e9d1a749d7e7e5265d8dec5af77e31ee
SSDEEP: 98304:R0Wrsjet17vxLYLD++e2+S1ycVzjr5epB1W9DkfjsbQ1/cbAK54oMjU1:Ui1dYBe2+SA0TczP+RMjU
Malware Config
Signatures
Drops file in Drivers directory (3 IoCs)
description                   ioc                                        Process
File opened for modification  C:\Windows\System32\drivers\ViGEmBus.sys   DrvInst.exe
File created                  C:\Windows\system32\drivers\keyboard.sys   TMP7427.tmp
File created                  C:\Windows\system32\drivers\mouse.sys      TMP7427.tmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                 Process
Key value queried  \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation  TMPA2A4.tmp
Executes dropped EXE (8 IoCs)
pid   Process
2212  devcon.exe
5104  TMP7427.tmp
2416  TMPA2A4.tmp
2096  ReturnKeys.exe
412   ReturnKeys.exe
3352  ReturnKeys.exe
4800  ReturnKeys.exe
4656  ConfigCSAEngine.exe
Loads dropped DLL (5 IoCs)
pid   Process
3000  MsiExec.exe
4968  taskmgr.exe
4968  taskmgr.exe
4968  taskmgr.exe
4968  taskmgr.exe
Blocklisted process makes network request (2 IoCs)
flow  pid   Process
18    3748  msiexec.exe
20    3748  msiexec.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (17 IoCs)
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid   Process
3984  Exo_AA_software.exe
2640  Exo_AA_software.exe
Drops file in Program Files directory (6 IoCs)
description   ioc                                                                                           Process
File created  C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon-LICENSE  msiexec.exe
File created  C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\LICENSE         msiexec.exe
File created  C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.cat    msiexec.exe
File created  C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.inf    msiexec.exe
File created  C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.sys    msiexec.exe
File created  C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe      msiexec.exe
Drops file in Windows directory (17 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Enumerates processes with tasklist (1 TTPs, 1 IoC)
pid   Process
4804  tasklist.exe
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 448 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3984 Exo_AA_software.exe (2 entries)
3748 msiexec.exe (2 entries)
2640 Exo_AA_software.exe (60 entries) -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 448 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 4056 msiexec.exe
Token: SeIncreaseQuotaPrivilege 4056 msiexec.exe
Token: SeSecurityPrivilege 3748 msiexec.exe
Token: SeCreateTokenPrivilege 4056 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 4056 msiexec.exe
Token: SeLockMemoryPrivilege 4056 msiexec.exe
Token: SeIncreaseQuotaPrivilege 4056 msiexec.exe
Token: SeMachineAccountPrivilege 4056 msiexec.exe
Token: SeTcbPrivilege 4056 msiexec.exe
Token: SeSecurityPrivilege 4056 msiexec.exe
Token: SeTakeOwnershipPrivilege 4056 msiexec.exe
Token: SeLoadDriverPrivilege 4056 msiexec.exe
Token: SeSystemProfilePrivilege 4056 msiexec.exe
Token: SeSystemtimePrivilege 4056 msiexec.exe
Token: SeProfSingleProcessPrivilege 4056 msiexec.exe
Token: SeIncBasePriorityPrivilege 4056 msiexec.exe
Token: SeCreatePagefilePrivilege 4056 msiexec.exe
Token: SeCreatePermanentPrivilege 4056 msiexec.exe
Token: SeBackupPrivilege 4056 msiexec.exe
Token: SeRestorePrivilege 4056 msiexec.exe
Token: SeShutdownPrivilege 4056 msiexec.exe
Token: SeDebugPrivilege 4056 msiexec.exe
Token: SeAuditPrivilege 4056 msiexec.exe
Token: SeSystemEnvironmentPrivilege 4056 msiexec.exe
Token: SeChangeNotifyPrivilege 4056 msiexec.exe
Token: SeRemoteShutdownPrivilege 4056 msiexec.exe
Token: SeUndockPrivilege 4056 msiexec.exe
Token: SeSyncAgentPrivilege 4056 msiexec.exe
Token: SeEnableDelegationPrivilege 4056 msiexec.exe
Token: SeManageVolumePrivilege 4056 msiexec.exe
Token: SeImpersonatePrivilege 4056 msiexec.exe
Token: SeCreateGlobalPrivilege 4056 msiexec.exe
Token: SeRestorePrivilege 3748 msiexec.exe
Token: SeTakeOwnershipPrivilege 3748 msiexec.exe
(the preceding SeRestorePrivilege / SeTakeOwnershipPrivilege pair for PID 3748 is repeated 16 times in total) -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
4968 taskmgr.exe (64 entries) -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process
4968 taskmgr.exe (64 entries) -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2640 Exo_AA_software.exe 448 explorer.exe 448 explorer.exe 4656 ConfigCSAEngine.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3984 wrote to memory of 4056 3984 Exo_AA_software.exe 92 (2 entries)
PID 3748 wrote to memory of 3000 3748 msiexec.exe 96 (3 entries)
PID 3000 wrote to memory of 2212 3000 MsiExec.exe 97 (2 entries)
PID 2780 wrote to memory of 3332 2780 svchost.exe 101 (2 entries)
PID 2780 wrote to memory of 2956 2780 svchost.exe 103 (2 entries)
PID 3984 wrote to memory of 5104 3984 Exo_AA_software.exe 105 (3 entries)
PID 2640 wrote to memory of 2416 2640 Exo_AA_software.exe 128 (3 entries)
PID 2416 wrote to memory of 4928 2416 TMPA2A4.tmp 129 (3 entries)
PID 2416 wrote to memory of 2096 2416 TMPA2A4.tmp 131 (2 entries)
PID 2416 wrote to memory of 412 2416 TMPA2A4.tmp 133 (2 entries)
PID 2416 wrote to memory of 3352 2416 TMPA2A4.tmp 135 (2 entries)
PID 2416 wrote to memory of 4800 2416 TMPA2A4.tmp 137 (2 entries)
PID 2416 wrote to memory of 4656 2416 TMPA2A4.tmp 139 (2 entries)
PID 2640 wrote to memory of 4656 2640 Exo_AA_software.exe 139 (34 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe (PID 3984)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\msiexec.exe (PID 4056)
        Command line: msiexec /i C:\Users\Admin\AppData\Local\Temp\TMP60EC.tmp /quiet
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp (PID 5104)
        Command line: C:\Users\Admin\AppData\Local\Temp\TMP7427.tmp /install
        - Drops file in Drivers directory
        - Executes dropped EXE
-
C:\Windows\system32\msiexec.exe (PID 3748)
    Command line: C:\Windows\system32\msiexec.exe /V
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe (PID 3000)
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C40F007A9B2DA01EE5A8378AF9EB0447 E Global\MSI0000
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe (PID 2212)
            Command line: "C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe" install "C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.inf" Nefarius\ViGEmBus\Gen1
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Checks SCSI registry key(s)
            - Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exe (PID 2780)
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\DrvInst.exe (PID 3332)
        Command line: DrvInst.exe "4" "1" "c:\program files\nefarius software solutions\virtual gamepad emulation bus driver\vigembus.inf" "9" "429a86e87" "0000000000000134" "WinSta0\Default" "0000000000000164" "208" "c:\program files\nefarius software solutions\virtual gamepad emulation bus driver"
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
        - Modifies data under HKEY_USERS
    C:\Windows\system32\DrvInst.exe (PID 2956)
        Command line: DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce88408607219:ViGEmBus_Device:1.17.333.0:nefarius\vigembus\gen1," "429a86e87" "0000000000000134"
        - Drops file in Drivers directory
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Checks SCSI registry key(s)
-
C:\Windows\System32\rundll32.exe (PID 2532)
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe (PID 2640)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Exo_AA_software.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp (PID 2416)
        Command line: C:\Users\Admin\AppData\Local\Temp\TMPA2A4.tmp Run
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe (PID 4928)
            Command line: "C:\Windows\System32\explorer.exe" C:\Users\Public\Documents\ConfigCSAConfigs
        C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe (PID 2096)
            Command line: "C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe"
            - Executes dropped EXE
        C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe (PID 412)
            Command line: "C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe"
            - Executes dropped EXE
        C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe (PID 3352)
            Command line: "C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe"
            - Executes dropped EXE
        C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe (PID 4800)
            Command line: "C:\Users\Public\Documents\ConfigCSA\ReturnKeys.exe"
            - Executes dropped EXE
        C:\Users\Public\Documents\ConfigCSA\ConfigCSAEngine.exe (PID 4656)
            Command line: "C:\Users\Public\Documents\ConfigCSA\ConfigCSAEngine.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            C:\Windows\system32\cmd.exe (PID 3640)
                Command line: C:\Windows\system32\cmd.exe /c tasklist | findstr /i "dnspy"
                C:\Windows\system32\tasklist.exe (PID 4804)
                    Command line: tasklist
                    - Enumerates processes with tasklist
                C:\Windows\system32\findstr.exe (PID 5072)
                    Command line: findstr /i "dnspy"
-
C:\Windows\explorer.exe (PID 448)
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe (PID 4968)
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads