Analysis

max time kernel: 262s
max time network: 252s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10/07/2024, 13:51

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1

Sample: http://download malware github
Resource: win11-20240709-en

General

Target: http://download malware github
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (process: Fagot.a.exe)
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe" (process: Fagot.a.exe)
Modifies firewall policy service (3 TTPs, 25 IoCs)
Modifies security service (2 TTPs, 9 IoCs)
Detects Floxif payload (1 IoC)
resource: behavioral1/files/0x000400000002ab34-453.dat (yara_rule: floxif)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 21 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Boot or Logon Autostart Execution: Port Monitors (1 TTP, 13 IoCs)
Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation.
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 51 IoCs)
Manipulates Digital Signatures (1 TTP, 64 IoCs)
Attackers can modify the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects a file packed with ACProtect software.
resource: behavioral1/files/0x000400000002ab34-453.dat (yara_rule: acprotect)
Boot or Logon Autostart Execution: Print Processors (1 TTP, 2 IoCs)
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\winprint (process: Fagot.a.exe)
Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors (process: Fagot.a.exe)
Executes dropped EXE (3 IoCs)
pid 1776: Floxif.exe
pid 1000: Floxif.exe
pid 3140: Fagot.a.exe
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
Loads dropped DLL (2 IoCs)
pid 1776: Floxif.exe
pid 1000: Floxif.exe
Modifies system executable filetype association (2 TTPs, 54 IoCs)
resource yara_rule
behavioral1/files/0x000400000002ab34-453.dat upx
behavioral1/memory/1776-456-0x0000000010000000-0x0000000010030000-memory.dmp upx
behavioral1/memory/1776-460-0x0000000010000000-0x0000000010030000-memory.dmp upx
behavioral1/memory/1000-482-0x0000000010000000-0x0000000010030000-memory.dmp upx
behavioral1/memory/1000-485-0x0000000010000000-0x0000000010030000-memory.dmp upx
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Fagot.a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe" Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Fagot.a.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects Fagot.a.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
57 raw.githubusercontent.com
51 raw.githubusercontent.com
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Fagot.a.exe
Modifies WinLogon 2 TTPs 13 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93} Fagot.a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "COCK_SUCKING_FAGGOT" Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39} Fagot.a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "COCK_SUCKING_FAGGOT" Fagot.a.exe
Drops file in System32 directory 57 IoCs
description ioc Process
File created C:\Windows\SysWOW64\alg.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\win.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\userinit32.exe Fagot.a.exe
File created C:\Windows\SysWOW64\userinit32.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\ntkrnlpa.exe Fagot.a.exe
File created C:\Windows\SysWOW64\dumprep.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\imapi.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\wuauclt.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\dllhost32.exe Fagot.a.exe
File created C:\windows\SysWOW64\progman.exe Fagot.a.exe
File created C:\Windows\SysWOW64\ntkrnlpa.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\bootok.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\logon.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\userinit32.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\regedit.exe Fagot.a.exe
File created C:\Windows\SysWOW64\ntoskrnl.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\dumprep.exe Fagot.a.exe
File created C:\Windows\SysWOW64\wowexec.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\ntoskrnl.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\MDM.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\progman.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\services.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\services.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\wuauclt.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\systray.exe Fagot.a.exe
File created C:\Windows\SysWOW64\wowexec.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\chkntfs.exe Fagot.a.exe
File created C:\windows\SysWOW64\bootok.exe Fagot.a.exe
File created C:\windows\SysWOW64\recover.exe Fagot.a.exe
File created C:\Windows\SysWOW64\dumprep.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\logon.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\services.exe Fagot.a.exe
File opened for modification C:\Windows\SysWOW64\userinit32.exe Fagot.a.exe
File created C:\Windows\SysWOW64\progman.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\ctfmon.exe Fagot.a.exe
File created C:\Windows\SysWOW64\dllhost32.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\alg.exe Fagot.a.exe
File created C:\Windows\SysWOW64\chcp.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\WINDOWS\SysWOW64\userinit.exe Fagot.a.exe
File created C:\windows\SysWOW64\wowexec.exe Fagot.a.exe
File created C:\windows\SysWOW64\imapi.exe Fagot.a.exe
File created C:\Windows\SysWOW64\imapi.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\ntkrnlpa.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\chcp.exe Fagot.a.exe
File created C:\Windows\SysWOW64\chcp.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\ntoskrnl.exe Fagot.a.exe
File created C:\Windows\SysWOW64\alg.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\logon.exe Fagot.a.exe
File created C:\Windows\SysWOW64\win.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\Windows\SysWOW64\dllhost32.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\autochk.exe Fagot.a.exe
File created C:\Windows\SysWOW64\MDM.exe:SmartScreen:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\win.exe Fagot.a.exe
File created C:\windows\SysWOW64\wuauclt.exe Fagot.a.exe
File created C:\windows\SysWOW64\shutdown.exe Fagot.a.exe
File created C:\Windows\SysWOW64\bootok.exe:Zone.Identifier:$DATA Fagot.a.exe
File created C:\windows\SysWOW64\MDM.exe Fagot.a.exe
Drops file in Program Files directory 1 IoCs
description ioc Process
File created C:\Program Files\Common Files\System\symsrv.dll Floxif.exe
Drops file in Windows directory 1 IoCs
description ioc Process
File created C:\Windows\NOTEPAD.EXE Fagot.a.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe
Program crash 2 IoCs
pid pid_target Process procid_target
1108 1776 WerFault.exe 117
3720 1000 WerFault.exe 123
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr Fagot.a.exe
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe
Enumerates system info in registry 2 TTPs 64 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe
description ioc Process
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_SQM_UPLOAD_FOR_APP Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\SearchSuggestions Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Application Compatibility Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPENDIE Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6F750200-1362-4815-A476-88533DE61D0C} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6470DE80-1635-4B5D-93A3-3701CE148A79} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5D80A6D1-B500-47DA-82B8-EB9875F85B4D} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{EDC0F17F-F4B7-47E4-B73E-887FAEB376FA} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{fbeb8a05-beee-4442-804e-409d6c4515e9} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\FavoritesDelete Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7823A620-9DD9-11CF-A662-00AA00C066D2} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{353359C1-39E1-491b-9951-464FD8AB071C} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2745E5F5-D234-11D0-847A-00C04FD7BB08} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E12DA4F2-BDFB-4EAD-B12F-2725251FA6B0} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AE24FDAE-03C6-11D1-8B76-0080C744F389} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9da1d2cb-796d-4bec-bbaa-0aa9ccd80e15} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\ThirdPartyCookies Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f1f-c551-11d3-89b9-0000f81fe221} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B401C5EB-8457-427F-84EA-A4D2363364B0} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9E797ED0-5253-4243-A9B7-BD06C58F8EF3} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{16E349E0-702C-11CF-A3A9-00A0C9034920} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0F1BE7F8-45CA-11D2-831F-00A0244D2298} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0D3983A9-4E29-4F33-8313-DA22B29D3F87} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm69.dll Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm65.dll Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FEF10FA2-355E-4E06-9381-9B24D7F7CC88} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FB7199AB-79BF-11D2-8D94-0000F875C541} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A80D199B-CFDD-4DA4-8C47-2310D5B8DD97} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{08B0e5c0-4FCB-11CF-AAA5-00401C608501} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{025B1052-CB0B-11CF-A071-00A0C9A06E05} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CD_LMZ_LOCKDOWN Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2EA10031-0033-450E-8072-E27D9E768142} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D02AAC50-027E-11D3-9D8E-00C04F72D980} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\6D3BC8D0F5F3DAA9BF40880FD115FE497F2C4AA1 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6980ACA5-CFB6-11D0-BF8B-0000F81E8509} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000032-9593-4264-8B29-930B3E4EDCCD} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\AutocompleteFormData Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FB7FE605-A832-11D1-88A8-0000E8D220A6} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B3E0E785-BD78-4366-9560-B7DABE2723BE} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\DisableWelcomePage Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{898EA8C8-E7FF-479B-8935-AEC46303B9E5} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C86EE68A-9C77-4441-BD35-14CC6CC4A189} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3BEE4890-4FE9-4A37-8C1E-5E7E12791C1F} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7o.dll Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f1e-c551-11d3-89b9-0000f81fe221} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E94137E0-92ED-4579-9251-18AF2A08CCD1} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0519F3C1-0ED3-4ef1-98F5-CC3FB10218C7} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\GroupTabs Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm5z.dll Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{93C5524B-97AE-491E-8EB7-2A3AD964F926} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CF9DEB90-8DE3-11D5-BAE4-00105AAAFF94} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B26E6120-DD35-4BEA-B1E3-E75F546EBF2A} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f1d-c551-11d3-89b9-0000f81fe221} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3EEEBC9A-580F-46EF-81D9-55510266413D} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7k.dll Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm61.dll Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{724D43A9-0D85-11D4-9908-00400523E39A} Fagot.a.exe
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com" Fagot.a.exe
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 4 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 248933.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 181143.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\Floxif.exe:Zone.Identifier msedge.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2468 msedge.exe
3452 msedge.exe
1488 identity_helper.exe
3152 msedge.exe
1316 msedge.exe
2880 msedge.exe
3536 msedge.exe
3140 Fagot.a.exe
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
pid Process
3452 msedge.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 1776 Floxif.exe
Token: SeDebugPrivilege 1000 Floxif.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
3452 msedge.exe
-
Suspicious use of SendNotifyMessage 24 IoCs
pid Process
3452 msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3452 wrote to memory of 1988 3452 msedge.exe 80
PID 3452 wrote to memory of 2652 3452 msedge.exe 81
PID 3452 wrote to memory of 2468 3452 msedge.exe 82
PID 3452 wrote to memory of 232 3452 msedge.exe 83
-
System policy modification 1 TTPs 11 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users Fagot.a.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://download malware github
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3452
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe0e453cb8,0x7ffe0e453cc8,0x7ffe0e453cd8
  PID:1988
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
  PID:2652
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  PID:232
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  PID:2332
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  PID:4328
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  PID:3568
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  PID:3192
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  PID:2188
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  PID:3592
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  PID:3888
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:3152
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  PID:1612
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  PID:2476
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
  PID:1124
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  PID:2912
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=652 /prefetch:8
  PID:4240
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3920 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:1316
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  PID:3656
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  PID:4668
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  PID:3560
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  PID:1400
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6548 /prefetch:8
  PID:1700
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6528 /prefetch:8
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
  -
  C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
    -
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 456
    - Program crash
    PID:1108
  -
  C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
    -
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 424
    - Program crash
    PID:3720
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  PID:4112
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1816 /prefetch:8
  PID:3108
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6660 /prefetch:8
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3536
  -
  C:\Users\Admin\Downloads\Fagot.a.exe
  "C:\Users\Admin\Downloads\Fagot.a.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies WinLogon for persistence
  - Modifies firewall policy service
  - Modifies security service
  - Boot or Logon Autostart Execution: Active Setup
  - Boot or Logon Autostart Execution: Port Monitors
  - Event Triggered Execution: Image File Execution Options Injection
  - Manipulates Digital Signatures
  - Boot or Logon Autostart Execution: Print Processors
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Event Triggered Execution: Netsh Helper DLL
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:3140
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,5209168772886780333,16650892136539811742,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3912 /prefetch:2
  PID:1700
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:2192
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:3768
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1776 -ip 1776
PID:3624
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1000 -ip 1000
PID:3404
-
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394e055 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
PID:4360
-
C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000128 0000008c
PID:1700
-
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa37e2855 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
PID:1160
-
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa1342055 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
PID:196
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 7
    Active Setup 1
    Port Monitors 1
    Print Processors 1
    Registry Run Keys / Startup Folder 2
    Winlogon Helper DLL 2
  Browser Extensions 1
  Create or Modify System Process 2
    Windows Service 2
  Event Triggered Execution 3
    Change Default File Association 1
    Image File Execution Options Injection 1
    Netsh Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 7
    Active Setup 1
    Port Monitors 1
    Print Processors 1
    Registry Run Keys / Startup Folder 2
    Winlogon Helper DLL 2
  Create or Modify System Process 2
    Windows Service 2
  Event Triggered Execution 3
    Change Default File Association 1
    Image File Execution Options Injection 1
    Netsh Helper DLL 1
Defense Evasion
  Impair Defenses 2
    Disable or Modify System Firewall 1
    Safe Mode Boot 1
  Modify Registry 13
  Subvert Trust Controls 2
    Install Root Certificate 1
    SIP and Trust Provider Hijacking 1
Downloads
-
Filesize 72KB
MD5 ccf7e487353602c57e2e743d047aca36
SHA1 99f66919152d67a882685a41b7130af5f7703888
SHA256 eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914
SHA512 dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c
-
Filesize 152B
MD5 caaeb604a99d78c4a41140a3082ca660
SHA1 6d9cd8a52c0f2cd9b48b00f612ec33cd7ca0aa97
SHA256 75e15f595387aec18f164aa0d6573c1564aaa49074547a2d48a9908d22a3b5d6
SHA512 1091aa1e8bf74ed74ad8eb8fa25c4e24b6cfd0496482e526ef915c5a7d431f05360b87d07c11b93eb9296fe386d71e99d214afce163c2d01505349c52f2d5d66
-
Filesize 152B
MD5 1fe10b6cb6b345a095320391bda78b22
SHA1 46c36ab1994b86094f34a0fbae3a3921d6690862
SHA256 85a627e9b109e179c49cf52420ad533db38e75bc131714a25c1ae92dd1d05239
SHA512 9f9d689662da014dfae3565806903de291c93b74d11b47a94e7e3846537e029e1b61ad2fad538b10344641003da4d7409c3dd834fed3a014c56328ae76983a2a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 3KB
MD5 234fa65f4cf99d4e4e4213320909fab5
SHA1 a89d6e7c6f0a033aa8087e4d1415458f51010a64
SHA256 efaa890459886ae07c79aa9c9a9a5d22c5e53a79ecc9783ca453b14fe1544075
SHA512 63f0d6f9c5dbaffee1e20749eed6406cf65bcf16e16b4e121514879207be40661a6cc8a280d91faa132177851caad691f398b8e2abec549acefb118f81264ebe
-
Filesize 865B
MD5 bb8beb6dce1c78c6ca9571107b7a0bb6
SHA1 80eb62e2f8e2e150658d29016909f745065dc2f7
SHA256 e7c2e42b6c7680dd8bdddd7c2f3053def15e4c9afd5cd1bd443a15a5e5b8f96a
SHA512 05a27de9cba9c1fe9299368a6d7b6f672444d8f189c12c387734c172c99ca1a95c08ccf4cbd83c46acc037f341902241dbc53b41b1f0a4db1da9460af8c9b0fe
-
Filesize 5KB
MD5 dbdb1e67de1a876d5bc09341bbeb89a9
SHA1 e2bce5048613a8f749683793f7a1685f80cab8c1
SHA256 221b3c7f1cdc13ddffd66ebf85f28d4dbeed59479676fed9d96bf1024e0c53c0
SHA512 31ca40286f5b99fb67d642885ed119fd96dd04af2b262f5ef4ebe9916481b6520f995ba8c55b8b75eb684d00d9fe4849367f6715b027e881e0fd5b84a00cb3fe
-
Filesize 5KB
MD5 4d71ae80f23c7815ac2d941a1562ce74
SHA1 1cb35d2c789822ef4b259b6b3e2996f34401738b
SHA256 fc7c61d2bae354004a181b32a51112a61d794b9ff62a1f5000f1aa1bc0efe2bf
SHA512 081950c6ec51185b90050d18a871a6466436f2b2e9fafb556fca7198175939543707826b30adfb061bccee35f3d33e017ee4740045c491f933d3f566ecf57af7
-
Filesize 6KB
MD5 8b93c29191837107b22ce4e872d33355
SHA1 7d094db0ce846158b4a736ce13f61a83995f1ba3
SHA256 70b28907f79bcbcdae996731767d1a2512b568efba83ee01b5cc43533bafc4e5
SHA512 f9143d3376252ba5ff59ef4d5cdd5417de357878b37cfb3eed7ccde865e7e1f250952cbbcbb379a2d3a0630bb973d5e9dec3b4710f9a048ae474b1e2272c8ebb
-
Filesize 6KB
MD5 9bcfaa008909d15d57bf3f65c80350ef
SHA1 c637e8b6228773487450c3631f7b9c5d0fa87a57
SHA256 45fcca9d541f1892340d8b24a9a25a8009f09ce5bc8689f295a90886c3c918fe
SHA512 ba9ce2c87f2daf74dbfdcdb7fe83b73dc607fcd721b7290f644e5561ec25bd7558208f82d05e2ca647aa92a6c3541013fae1d9d1c3780f64d313bcb6f87b5c13
-
Filesize 1KB
MD5 433cb37e446d1e6e383bbb8eabc88227
SHA1 d3fd6dddb3edcefe8f8d119e6a3d5b9e3336ea05
SHA256 02a5eacfcc9431f5f0b9bd346133f4a20309e94865dd9c9e4121a247c8dcba3b
SHA512 babefc697ef7ede744af2a84a19a872b732cbf3cfbd73d52abb1206234d49b1c737a828dcb54a1038c945d09b636ea249660cce8db0c5a73cd1e81ac8584ad3a
-
Filesize 1KB
MD5 f9ce7dee76dccf23310107407e559501
SHA1 3830823c8cb7644d658f720d8b59d3907136579d
SHA256 4d80b1341d9796a04e0202fba9004b5384cf85a27dfcbf1b52c48168d5fbefc5
SHA512 8ea3ccc681824d1f071cdbd5fd3453bb881d0d1d540acb1cb12e6d927411e625df1b545ab40af58e8875bee6adc53ad094f1af4788093d8482bc24ff9fb028f7
-
Filesize 1KB
MD5 ee147f21d36d72211f10e05fb771e8bf
SHA1 792a9881c3152aab4e9098831da6e2e316b79351
SHA256 1b834fd368e10ba1e3321d79899978f491b77aff0984a573752fa360cad9bfec
SHA512 567463709bf8e11b17670b3e893d498eb4467e996555cb1383426e285aecaef061f7eda4e0c4474b6e1ff082df26ff085681cd1594770430ce91d82290e48780
-
Filesize 1KB
MD5 f4eeec8749f4f41129b4aec1e21e7371
SHA1 7d855fc15c2816dd1e851ca0547743f67e3478ce
SHA256 d576c2b223bd102c07a8997beef482a6d43b9404bcbe6b07e2e484951c4e2b1e
SHA512 163093ee328e340165e87ca0297940b3f4b17343655904720d59c1717015deacc1998a67c734a415ffcc532e58b105147e3906a1458dd4d28251d9e86ee01306
-
Filesize 1KB
MD5 ecc7acaa7d2a7dfc8f4f69c7b73d6af8
SHA1 bcd5409f47da2328264c3a9cc0e2d40bc83c8cea
SHA256 b20f45b71071c3672c19ba8dbbd5c971d58b373865af6e0c7826e1aa1f633e74
SHA512 39cbf1b3082203b34e8d4a5433be3b87d8c70f42887a12023396851a2633d54e93fb43e6524157d9b0df674f80bc82049c9c44ac8c1168bc8b1afac452c67987
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize 12KB
MD5 ff3a2596993d0cf5e4465dae5af11a23
SHA1 019ab63e8d626aeda864df45d8bb16030bc23770
SHA256 d8386202b934482c9eaacc8a1c4fa7479d7f1a1043320b8512cfaf036ad8c953
SHA512 1e0e32ad5bde5e220c77567a999118667436c7c344bea054025ac66dde8c1880d014e0d763ef34a50d109354e204cfd0eb6c7362719ecd393d97093245c001d0
-
Filesize 12KB
MD5 b2583306b0035c2136f0a83002575d9c
SHA1 612e5679843f67c9d2ea6ef233e872bf147af260
SHA256 0d1d73dd222ccf789e318e1dda6fca606cc0a1c0efacf7a69e13ef1971e24318
SHA512 832d67b6ad91a53e1e50aef577f98c9fcb1d43fd9785d6473c41ee1980f1ff94585363f439e0592681554c7dfb0ab459416a2f494568906fc25b33bd47af2cf8
-
Filesize 11KB
MD5 6bd115587302211ffb13bd8696908932
SHA1 32ac338e38b1481c2508818f77f0dd6913d1b50e
SHA256 84013fa355845b25f814827444f2b8f03e54a7fa8f9236a445570af13c9c40c1
SHA512 1c871da5cd8fed71b187610ae7463dc78a7d031c564027361836580298c703ca7a188c3aac916a3b70a4bdff61c4bc817a60ff21b4efe0c60a4baa081a4d88a9
-
Filesize 55B
MD5 0f98a5550abe0fb880568b1480c96a1c
SHA1 d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA256 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512 dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize 532KB
MD5 00add4a97311b2b8b6264674335caab6
SHA1 3688de985909cc9f9fa6e0a4f2e43d986fe6d0ec
SHA256 812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f
SHA512 aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70
-
Filesize 373KB
MD5 30cdab5cf1d607ee7b34f44ab38e9190
SHA1 d4823f90d14eba0801653e8c970f47d54f655d36
SHA256 1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f
SHA512 b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3
-
Filesize 7B
MD5 4047530ecbc0170039e76fe1657bdb01
SHA1 32db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA256 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA512 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e