Analysis

max time kernel: 150s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240802-fr
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-fr, locale:fr-fr, os:windows10-2004-x64, system, windows
submitted: 19-08-2024 15:25

Static task: static1
Behavioral task: behavioral1
Sample: test-fExjf.exe
Resource: win10v2004-20240802-fr

General

Target: test-fExjf.exe
Size: 67.8MB
MD5: d4411c96712eb6170d89a68de02ce140
SHA1: 65151d33e8d31afc0f902e4601473ce1aadf3b0f
SHA256: 577c2db834653d5fd393f8dfa0a80f7b580be3e6f4e88947c23b7e0b915e5082
SHA512: 20f8fc59b4349a7e4475601c7a5dd89b7b03036bf14a14da23d51fd98839b9a3fd9367f33b9d67f441b758897bc7e9156d6815fb9eed7740b4d83bb5beae2f14
SSDEEP: 1572864:1AOQpgcsftMl7vFQqMrlpA+Ql4JdexTivfSyWqPEb26:1AOOgBtMlJyklmexentWB26
Malware Config
Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web-browser credential store. No individual IoC is attached to this signature in the report.

Command and Scripting Interpreter: PowerShell 5 IoCs
Signature name as tagged on the same five powershell.exe processes in the process tree below.
pid  Process
3476 powershell.exe
716  powershell.exe
2964 powershell.exe
2740 powershell.exe
4192 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing. The process recorded is Soundpad.exe, the application unpacked and started by bound.exe, not the primary sample.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | Soundpad.exe

Drops startup file 4 IoCs
The dropped item is a file in the user's Startup folder whose name is whitespace followed by .scr. It is created by the sample and then hidden with attrib +h +s (see the attrib.exe entry in the process tree), so it does not appear in a default Explorer listing; use dir /a, or Get-ChildItem -Force, on the Startup folder to see it.
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr | test-fExjf.exe
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ .scr | taskmgr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr | test-fExjf.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr | attrib.exe
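
The Startup-folder item above, and the attrib +h +s step recorded for it in the process tree, can be hunted for on a host with the following script. This is an added example, not code from the report or from the sample. It assumes the per-user Startup folder named in the IoCs (derived from %APPDATA%), treats desktop.ini as the one file that is legitimately hidden+system there, reads Windows file attributes only where the platform exposes them (elsewhere the attribute check is skipped), and its demo() builds a constructed temporary folder holding only the whitespace-named .scr file and a desktop.ini.

```python
"""Audit a Startup folder for the kind of item this sample plants: a file whose
name is only whitespace plus an executable extension, marked hidden+system so
that a default Explorer view does not show it.
"""
import os
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2   # winnt.h values, as reported in st_file_attributes
FILE_ATTRIBUTE_SYSTEM = 0x4
# .lnk is deliberately absent: legitimate Startup entries are usually shortcuts.
EXEC_EXTS = {".scr", ".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}


def classify(name, attributes):
    """Reasons a Startup entry deserves a look; an empty list means unremarkable."""
    if name.lower() == "desktop.ini":       # legitimately hidden+system in this folder
        return []
    reasons = []
    stem, ext = os.path.splitext(name)      # " .scr" -> (" ", ".scr")
    if ext.lower() in EXEC_EXTS:
        reasons.append("executable-type file in Startup")
    if stem.strip() == "":
        reasons.append("file name is whitespace only")
    if attributes & FILE_ATTRIBUTE_HIDDEN and attributes & FILE_ATTRIBUTE_SYSTEM:
        reasons.append("hidden+system attributes set")
    return reasons


def audit_startup(folder):
    """Return sorted [(name, reasons)] for every suspicious entry in folder."""
    findings = []
    for entry in os.scandir(folder):
        st = entry.stat(follow_symlinks=False)
        attrs = getattr(st, "st_file_attributes", 0)   # Windows only; 0 elsewhere
        reasons = classify(entry.name, attrs)
        if reasons:
            findings.append((entry.name, reasons))
    return sorted(findings)


def user_startup_folder():
    """Per-user Startup folder, the location this sample writes to."""
    return Path(os.environ["APPDATA"]) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def demo():
    """Constructed fixture: a temporary folder holding the report's file name."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / " .scr").write_bytes(b"")
        (Path(tmp) / "desktop.ini").write_bytes(b"")
        return audit_startup(tmp)


if __name__ == "__main__":
    folder = user_startup_folder() if "APPDATA" in os.environ else None
    for name, reasons in (audit_startup(folder) if folder else demo()):
        print(repr(name), "->", "; ".join(reasons))
```

Run it as the user whose Startup folder is in question; the hidden+system test only adds a reason on Windows, but the name-based tests catch this sample's item on any platform, which is what makes the script usable against a mounted image as well as a live host.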
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. No IoC is attached to this signature. The only COM registration visible in the report is the new CLSID {27384E53-9860-0AC3-9519-C60EBCAA2C71} ("UniteFx Class") that Soundpad.exe points at C:\Windows\system32\UniteFx1.8.0.dll and that regsvr32.exe registers as an audio processing object carrying a Leppsoft copyright string (see Modifies registry class below).

Executes dropped EXE 3 IoCs
pid  Process
3180 bound.exe
4364 Soundpad.exe
836  SoundpadService.exe

Loads dropped DLL 62 IoCs
The table names only the loading process, not the DLL loaded. Rows per process:
pid  Process         rows
2360 test-fExjf.exe  58
4364 Soundpad.exe    2
2156 regsvr32.exe    1
3792 AUDIODG.EXE     1
AUDIODG.EXE is the Windows audio device graph host; audio processing objects are loaded into it, so its one row is consistent with the UniteFx APO registered by regsvr32.exe rather than with injection.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and cookies. No IoC is attached to this signature.

UPX packed file 64 IoCs
yara rule: upx
Eight dropped files and 56 memory regions of PID 2360 (test-fExjf.exe) match the rule. All regions lie in the 0x00007FF9... range where DLL images map in that process and coincide with its dropped-DLL loads above, which is consistent with UPX-compressed libraries bundled inside the 67.8MB executable rather than a packed main module; the Set-MpPreference -ExclusionExtension '.exe','.py' command in the process tree is a further hint that the bundle carries a Python runtime. A range reported under two IoC indices is listed once with both indices.

Files:
behavioral1/files/0x000700000002386a-780.dat
behavioral1/files/0x0007000000023449-786.dat
behavioral1/files/0x0002000000022a8b-793.dat
behavioral1/files/0x0007000000023447-795.dat
behavioral1/files/0x000700000002344c-797.dat
behavioral1/files/0x00070000000234a8-843.dat
behavioral1/files/0x000b000000023354-844.dat
behavioral1/files/0x0007000000023868-846.dat

Memory regions of PID 2360 (dump name behavioral1/memory/2360-<index>-<range>-memory.dmp):
0x00007FF9E4220000-0x00007FF9E433C000 (865, 886)
0x00007FF9E4340000-0x00007FF9E4869000 (859, 875)
0x00007FF9E4870000-0x00007FF9E493D000 (857, 870)
0x00007FF9E4990000-0x00007FF9E49AC000 (899)
0x00007FF9E49B0000-0x00007FF9E4B2E000 (869, 897)
0x00007FF9E4CB0000-0x00007FF9E52A2000 (784, 852)
0x00007FF9E5FC0000-0x00007FF9E5FE9000 (898)
0x00007FF9E5FF0000-0x00007FF9E6002000 (893)
0x00007FF9EB390000-0x00007FF9EB3B6000 (864, 885)
0x00007FF9F03C0000-0x00007FF9F03D4000 (862)
0x00007FF9F0FC0000-0x00007FF9F1047000 (860, 882)
0x00007FF9F1060000-0x00007FF9F106C000 (896)
0x00007FF9F12D0000-0x00007FF9F12DD000 (892)
0x00007FF9F1AC0000-0x00007FF9F1ACC000 (891)
0x00007FF9F1AD0000-0x00007FF9F1ADC000 (888)
0x00007FF9F1AE0000-0x00007FF9F1AEB000 (890)
0x00007FF9F1AF0000-0x00007FF9F1AFB000 (887)
0x00007FF9F1B00000-0x00007FF9F1B0C000 (889)
0x00007FF9F1B10000-0x00007FF9F1B1E000 (884)
0x00007FF9F36E0000-0x00007FF9F36EC000 (883)
0x00007FF9F3D60000-0x00007FF9F3D93000 (856, 871)
0x00007FF9F4100000-0x00007FF9F410C000 (881)
0x00007FF9F4840000-0x00007FF9F484B000 (878)
0x00007FF9F4850000-0x00007FF9F485C000 (877)
0x00007FF9F4860000-0x00007FF9F486B000 (876)
0x00007FF9F4870000-0x00007FF9F48A6000 (873)
0x00007FF9F48B0000-0x00007FF9F48D3000 (868, 895)
0x00007FF9F48E0000-0x00007FF9F48F8000 (866, 894)
0x00007FF9F4CE0000-0x00007FF9F4CEC000 (880)
0x00007FF9F4D50000-0x00007FF9F4D7B000 (855)
0x00007FF9F4F30000-0x00007FF9F4FEC000 (854, 867)
0x00007FF9F5090000-0x00007FF9F509B000 (879)
0x00007FF9F50A0000-0x00007FF9F50CE000 (851)
0x00007FF9F50D0000-0x00007FF9F5106000 (847)
0x00007FF9F5110000-0x00007FF9F513D000 (800)
0x00007FF9F54C0000-0x00007FF9F54CB000 (874)
0x00007FF9F56A0000-0x00007FF9F56B9000 (848, 861)
0x00007FF9F5710000-0x00007FF9F571B000 (863)
0x00007FF9FAA80000-0x00007FF9FAA8D000 (850)
0x00007FF9FAA90000-0x00007FF9FAAA9000 (798)
0x00007FF9FAAF0000-0x00007FF9FAB14000 (792, 853)
0x00007FF9FB140000-0x00007FF9FB14D000 (849)
0x00007FF9FBDE0000-0x00007FF9FBDEF000 (794)

Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files. No IoC is attached to this signature.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
No IoC is attached to this signature.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
The report records the contacted domains only; which process opened each flow and what was fetched or posted is not shown here.
flow | ioc
27 | raw.githubusercontent.com
28 | raw.githubusercontent.com
33 | discord.com
34 | discord.com
50 | discord.com
53 | discord.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
46 | ip-api.com

Drops file in System32 directory 1 IoCs
Creating a file under System32 requires an elevated token, so Soundpad.exe, and therefore the bound.exe chain that launched it, ran elevated in this run.
description | ioc | Process
File created | C:\Windows\system32\UniteFx1.8.0.dll | Soundpad.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid  Process
2920 cmd.exe

Drops file in Program Files directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\Soundpad\SoundpadService.exe | Soundpad.exe
File created | C:\Program Files\Common Files\Soundpad\SoundpadService.exe | Soundpad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). No IoC is attached to this signature.
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The three operations rec
orded are reads only (key opened, key queried, values enumerated); no helper DLL is written to the key. netsh.exe enumerates this key every time it starts, so these hits are a by-product of the "netsh wlan show profiles" command in the process tree rather than evidence of helper-DLL persistence.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bound.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. The command here, "netsh wlan show profiles", lists saved profile names only; recovering a stored passphrase takes a further per-profile query with key=clear, and no such command appears in the portion of the process tree shown.
pid  Process
4532 netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments. The process attributed here is taskmgr.exe (PID 3788), which is never a WriteProcessMemory target of any sample process and does not appear in the process tree; the values read (the disk FriendlyName and property 000A under {b725f130-47ef-101a-a5f1-02608c9eebac}, which is DEVPKEY_NAME) are what Task Manager reads to populate its disk view. Weigh this signature accordingly.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine the installed video card.
pid  Process
4108 WMIC.exe
Modifies registry class 49 IoCs
In the rows below, <USER> stands for \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000 and <APO> for \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}. Rows are grouped by what they register: the .spl file type and the soundpad: URL protocol (Soundpad.exe, per-user classes), the UniteFx COM class (Soundpad.exe, HKLM), the UniteFx audio processing object (regsvr32.exe, HKLM), and one package-deployment key created by the primary sample.
description | ioc | Process
Key created | <USER>_Classes\.spl | Soundpad.exe
Set value (str) | <USER>_Classes\.spl\ = "Soundpad.Soundlist" | Soundpad.exe
Set value (str) | <USER>_Classes\.spl\Content Type = "audio/soundpadlist" | Soundpad.exe
Set value (str) | <USER>_Classes\.spl\PerceivedType = "audio" | Soundpad.exe
Key created | <USER>_Classes\.spl\OpenWithList | Soundpad.exe
Key created | <USER>_Classes\.spl\OpenWithList\ehshell.exe | Soundpad.exe
Key created | <USER>_Classes\.spl\OpenWithList\ehshell.exe\ | Soundpad.exe
Set value (str) | <USER>_Classes\.spl\OpenWithList\ehshell.exe\ | Soundpad.exe
Key created | <USER>_Classes\.spl\OpenWithProgids | Soundpad.exe
Set value (str) | <USER>_Classes\.spl\OpenWithProgids\Soundpad.Soundlist | Soundpad.exe
Key created | <USER>_Classes\Soundpad.Soundlist | Soundpad.exe
Set value (str) | <USER>_Classes\Soundpad.Soundlist\ = "Soundpad liste des sons" | Soundpad.exe
Key created | <USER>_Classes\Soundpad.Soundlist\DefaultIcon | Soundpad.exe
Set value (str) | <USER>_Classes\Soundpad.Soundlist\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bound_781566e8-2e85-441b-b014-7a6259bb13e1\\Soundpad.exe,1" | Soundpad.exe
Key created | <USER>_Classes\Soundpad.Soundlist\shell | Soundpad.exe
Key created | <USER>_Classes\Soundpad.Soundlist\shell\open | Soundpad.exe
Key created | <USER>_Classes\Soundpad.Soundlist\shell\open\command | Soundpad.exe
Key created | <USER>_Classes\Soundpad.Soundlist\shell\open\command\ | Soundpad.exe
Set value (str) | <USER>_Classes\Soundpad.Soundlist\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bound_781566e8-2e85-441b-b014-7a6259bb13e1\\Soundpad.exe\" \"%1\"" | Soundpad.exe
Key created | <USER>_Classes\Soundpad | Soundpad.exe
Set value (str) | <USER>_Classes\Soundpad\ = "URL:Soundpad Protocol" | Soundpad.exe
Set value (str) | <USER>_Classes\Soundpad\URL Protocol | Soundpad.exe
Key created | <USER>_Classes\Soundpad\DefaultIcon | Soundpad.exe
Set value (str) | <USER>_Classes\Soundpad\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bound_781566e8-2e85-441b-b014-7a6259bb13e1\\Soundpad.exe,0" | Soundpad.exe
Key created | <USER>_Classes\Soundpad\shell | Soundpad.exe
Key created | <USER>_Classes\Soundpad\shell\open | Soundpad.exe
Key created | <USER>_Classes\Soundpad\shell\open\command | Soundpad.exe
Key created | <USER>_Classes\Soundpad\shell\open\command\ | Soundpad.exe
Set value (str) | <USER>_Classes\Soundpad\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bound_781566e8-2e85-441b-b014-7a6259bb13e1\\Soundpad.exe\" -c \"%1\"" | Soundpad.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\ | Soundpad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\ = "UniteFx Class" | Soundpad.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\InprocServer32\ | Soundpad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx1.8.0.dll" | Soundpad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both" | Soundpad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects | regsvr32.exe
Key created | <APO> | regsvr32.exe
Set value (str) | <APO>\FriendlyName = "UniteFx" | regsvr32.exe
Set value (str) | <APO>\Copyright = "Copyright (C) 2016-2024 Leppsoft" | regsvr32.exe
Set value (int) | <APO>\MajorVersion = "1" | regsvr32.exe
Set value (int) | <APO>\MinorVersion = "8" | regsvr32.exe
Set value (int) | <APO>\Flags = "14" | regsvr32.exe
Set value (int) | <APO>\MinInputConnections = "1" | regsvr32.exe
Set value (int) | <APO>\MaxInputConnections = "1" | regsvr32.exe
Set value (int) | <APO>\MinOutputConnections = "1" | regsvr32.exe
Set value (int) | <APO>\MaxOutputConnections = "1" | regsvr32.exe
Set value (int) | <APO>\MaxInstances = "4294967295" | regsvr32.exe
Set value (int) | <APO>\NumAPOInterfaces = "1" | regsvr32.exe
Set value (str) | <APO>\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{FEC804AC-D740-46CC-960C-5182D823A34B} | test-fExjf.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
The table is capped at 64 rows. The processes that appear are 3788 taskmgr.exe (most rows; Task Manager enumerates processes by design), 2360 test-fExjf.exe, and the five powershell.exe instances 2740, 3476, 4192, 2964 and 716.

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid  Process
3788 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
The table is capped at 64 rows and ends partway through the second wmic.exe instance. Grouped by process:
pid  Process         Token(s)
2360 test-fExjf.exe  SeDebugPrivilege
3788 taskmgr.exe     SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
2740 powershell.exe  SeDebugPrivilege
3476 powershell.exe  SeDebugPrivilege
4192 powershell.exe  SeDebugPrivilege
2964 powershell.exe  SeDebugPrivilege
716  powershell.exe  SeDebugPrivilege
4364 Soundpad.exe    SeTakeOwnershipPrivilege
3792 AUDIODG.EXE     33, SeIncBasePriorityPrivilege
2776 WMIC.exe        the following set, twice over: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
4176 wmic.exe        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege (table truncated here)
The numeric entries are privilege constants the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. WMIC.exe enables that long set on every start and powershell.exe routinely enables SeDebugPrivilege on an elevated account, so the row specific to the sample is the SeDebugPrivilege enabled by test-fExjf.exe itself.

Suspicious use of FindShellTrayWindow 64 IoCs
Table capped at 64 rows: 3788 taskmgr.exe (62 rows) and 4364 Soundpad.exe (2 rows).

Suspicious use of SendNotifyMessage 64 IoCs
Table capped at 64 rows: 3788 taskmgr.exe (63 rows) and 4364 Soundpad.exe (1 row).

Suspicious use of SetWindowsHookEx 3 IoCs
pid  Process
4364 Soundpad.exe
4364 Soundpad.exe
836  SoundpadService.exe
Suspicious use of WriteProcessMemory 63 IoCs
Each parent/child pair appears two or three times in the report (one row per write); the 31 distinct pairs are listed once below. procid_target is the report's internal index of the target process, not its PID. The pairs from PID 4016 onward reach past the point where the process tree below is cut off: 2776 and 4108 are the WMIC.exe instances and 4176 the wmic.exe instance seen in the AdjustPrivilegeToken and videocard signatures, while the children of 2104, 2236, 3172 and 3368 are not named anywhere in the report.
description | pid | Process | procid_target
PID 2056 wrote to memory of 2360 | 2056 | test-fExjf.exe | 89
PID 2360 wrote to memory of 4816 | 2360 | test-fExjf.exe | 90
PID 2360 wrote to memory of 2864 | 2360 | test-fExjf.exe | 99
PID 2360 wrote to memory of 4696 | 2360 | test-fExjf.exe | 100
PID 2360 wrote to memory of 2348 | 2360 | test-fExjf.exe | 103
PID 2360 wrote to memory of 2920 | 2360 | test-fExjf.exe | 105
PID 2348 wrote to memory of 3476 | 2348 | cmd.exe | 107
PID 2864 wrote to memory of 2740 | 2864 | cmd.exe | 108
PID 4696 wrote to memory of 3180 | 4696 | cmd.exe | 109 (three rows)
PID 2920 wrote to memory of 2268 | 2920 | cmd.exe | 110
PID 2360 wrote to memory of 4532 | 2360 | test-fExjf.exe | 111
PID 3180 wrote to memory of 4364 | 3180 | bound.exe | 113
PID 2360 wrote to memory of 4780 | 2360 | test-fExjf.exe | 114
PID 4780 wrote to memory of 4192 | 4780 | cmd.exe | 116
PID 4364 wrote to memory of 836 | 4364 | Soundpad.exe | 117
PID 4780 wrote to memory of 2964 | 4780 | cmd.exe | 119
PID 4780 wrote to memory of 716 | 4780 | cmd.exe | 122
PID 4364 wrote to memory of 2156 | 4364 | Soundpad.exe | 123
PID 2360 wrote to memory of 4016 | 2360 | test-fExjf.exe | 127
PID 4016 wrote to memory of 2776 | 4016 | cmd.exe | 129
PID 2360 wrote to memory of 4176 | 2360 | test-fExjf.exe | 131
PID 2360 wrote to memory of 3620 | 2360 | test-fExjf.exe | 133
PID 3620 wrote to memory of 4108 | 3620 | cmd.exe | 135
PID 2360 wrote to memory of 2104 | 2360 | test-fExjf.exe | 136
PID 2104 wrote to memory of 3864 | 2104 | cmd.exe | 138
PID 2360 wrote to memory of 2236 | 2360 | test-fExjf.exe | 139
PID 2236 wrote to memory of 4332 | 2236 | cmd.exe | 141
PID 2360 wrote to memory of 3172 | 2360 | test-fExjf.exe | 142
PID 3172 wrote to memory of 720 | 3172 | cmd.exe | 144
PID 2360 wrote to memory of 3368 | 2360 | test-fExjf.exe | 145
PID 3368 wrote to memory of 1020 | 3368 | cmd.exe | 147
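
The flat WriteProcessMemory table is easier to reason about as a tree, and the usual question during triage is how a given PID came to exist. The following script rebuilds parent/child relationships from rows in the report's own wording and answers that question. It is an added example, not code from the report; the input is a constructed subset of the rows above, copied verbatim, and a child that never acts as a parent is shown with image "?" because this table records the parent's image name only.

```python
"""Rebuild a process tree from the 'Suspicious use of WriteProcessMemory'
rows of a sandbox report.

Row format, as printed in the report:
    PID <parent> wrote to memory of <child> <parent> <parent image> <target index>
The same write is usually listed two or three times, so rows are de-duplicated.
Only the parent's image name is in the table, so a child that never acts as a
parent itself is rendered with image "?".
"""
import re
from collections import defaultdict

ROW = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)$"
)

# Constructed input: a subset of this report's rows, one per line, verbatim.
SAMPLE_ROWS = """
PID 2056 wrote to memory of 2360 2056 test-fExjf.exe 89
PID 2056 wrote to memory of 2360 2056 test-fExjf.exe 89
PID 2360 wrote to memory of 4696 2360 test-fExjf.exe 100
PID 2360 wrote to memory of 2348 2360 test-fExjf.exe 103
PID 2348 wrote to memory of 3476 2348 cmd.exe 107
PID 4696 wrote to memory of 3180 4696 cmd.exe 109
PID 4696 wrote to memory of 3180 4696 cmd.exe 109
PID 4696 wrote to memory of 3180 4696 cmd.exe 109
PID 3180 wrote to memory of 4364 3180 bound.exe 113
PID 4364 wrote to memory of 836 4364 Soundpad.exe 117
PID 4364 wrote to memory of 2156 4364 Soundpad.exe 123
"""


def parse_rows(text):
    """Return (set of (parent, child) edges, {pid: image} for every parent)."""
    edges, images = set(), {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m is None:            # skip anything that is not a row
            continue
        parent, child = int(m["parent"]), int(m["child"])
        edges.add((parent, child))
        images[parent] = m["image"]
    return edges, images


def build_tree(edges):
    """Return ({parent: [children]}, {child: parent}, [root pids])."""
    children, parent_of = defaultdict(list), {}
    for parent, child in sorted(edges):
        children[parent].append(child)
        parent_of[child] = parent
    roots = sorted({p for p, _ in edges} - set(parent_of))
    return children, parent_of, roots


def ancestors(pid, parent_of):
    """Chain of parents from pid's direct parent up to the root."""
    chain = []
    while pid in parent_of:
        pid = parent_of[pid]
        chain.append(pid)
    return chain


def render(children, images, roots):
    """Indented text tree, one 'pid image' per line, two spaces per level."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges, images = parse_rows(SAMPLE_ROWS)
    children, parent_of, roots = build_tree(edges)
    print(render(children, images, roots))
    print("836 descends from:", ancestors(836, parent_of))
```

Feeding it the full table reproduces the process tree below and extends it past the point where the page is cut off, which is how the WMIC.exe and wmic.exe instances named in the other signatures can be tied back to PID 2360.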
Views/modifies file attributes 1 TTPs 1 IoCs
pid  Process
2268 attrib.exe
Processes

Indentation follows the depth the report assigns to each process (1 = root). Each entry gives the image path, the command line as recorded, the signature tags attached to that process, and its PID. PID 2056 re-launches its own image as PID 2360, and every later child hangs off 2360. The page is cut off in the last entry, so the tree ends before the wmic.exe, WMIC.exe and later cmd.exe children listed in the WriteProcessMemory table.

1  C:\Users\Admin\AppData\Local\Temp\test-fExjf.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\test-fExjf.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2056

  2  C:\Users\Admin\AppData\Local\Temp\test-fExjf.exe
     cmd: "C:\Users\Admin\AppData\Local\Temp\test-fExjf.exe"
     - Drops startup file
     - Loads dropped DLL
     - Modifies registry class
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     PID: 2360

    3  C:\Windows\system32\cmd.exe
       cmd: C:\Windows\system32\cmd.exe /c "ver"
       PID: 4816

    3  C:\Windows\system32\cmd.exe
       cmd: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
       - Suspicious use of WriteProcessMemory
       PID: 2864

      4  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         cmd: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 2740

    3  C:\Windows\system32\cmd.exe
       cmd: C:\Windows\system32\cmd.exe /c "start bound.exe"
       - Suspicious use of WriteProcessMemory
       PID: 4696

      4  C:\Users\Admin\AppData\Local\Temp\bound.exe
         cmd: bound.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 3180

        5  C:\Users\Admin\AppData\Local\Temp\bound_781566e8-2e85-441b-b014-7a6259bb13e1\Soundpad.exe
           cmd: "C:\Users\Admin\AppData\Local\Temp\bound_781566e8-2e85-441b-b014-7a6259bb13e1\Soundpad.exe"
           - Checks computer location settings
           - Executes dropped EXE
           - Loads dropped DLL
           - Drops file in System32 directory
           - Drops file in Program Files directory
           - Modifies registry class
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of FindShellTrayWindow
           - Suspicious use of SendNotifyMessage
           - Suspicious use of SetWindowsHookEx
           - Suspicious use of WriteProcessMemory
           PID: 4364

          6  C:\Users\Admin\AppData\Local\Temp\bound_781566e8-2e85-441b-b014-7a6259bb13e1\SoundpadService.exe
             cmd: "C:\Users\Admin\AppData\Local\Temp\bound_781566e8-2e85-441b-b014-7a6259bb13e1\SoundpadService.exe"
             - Executes dropped EXE
             - Suspicious use of SetWindowsHookEx
             PID: 836

          6  C:\Windows\System32\regsvr32.exe
             cmd: "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx1.8.0.dll"
             - Loads dropped DLL
             - Modifies registry class
             PID: 2156

    3  C:\Windows\system32\cmd.exe
       cmd: C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
       - Suspicious use of WriteProcessMemory
       PID: 2348
       Only the first of the two "&&"-chained PowerShell commands appears as a child; no process for the second is recorded.

      4  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         cmd: powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 3476

    3  C:\Windows\system32\cmd.exe
       cmd: C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr"
       - Hide Artifacts: Hidden Files and Directories
       - Suspicious use of WriteProcessMemory
       PID: 2920

      4  C:\Windows\system32\attrib.exe
         cmd: attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr"
         - Drops startup file
         - Views/modifies file attributes
         PID: 2268

    3  C:\Windows\SYSTEM32\netsh.exe
       cmd: netsh wlan show profiles
       - Event Triggered Execution: Netsh Helper DLL
       - System Network Configuration Discovery: Wi-Fi Discovery
       PID: 4532

    3  C:\Windows\system32\cmd.exe
       cmd: C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
       - Suspicious use of WriteProcessMemory
       PID: 4780
       All three "&"-chained commands run, as PIDs 4192, 2964 and 716 below. The second excludes C:\Users\Admin\Local, which is not a standard profile directory, so that exclusion has no effect unless the directory is created; the first one already covers everything the sample writes under AppData.

      4  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         cmd: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 4192

      4  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         cmd: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 2964

      4  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         cmd: powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 716

    3  C:\Windows\system32\cmd.exe
       cmd: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
       - Suspicious use of WriteProcessMemory
       The page is cut off here; the PID of this entry and the remaining entries are not present.
PID:4016 -
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
-
-
C:\Windows\System32\Wbem\wmic.exewmic cpu get Name3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:4108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:3864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"3⤵
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\System32\wbem\WMIC.exeC:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid4⤵PID:4332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"3⤵
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\System32\Wbem\WMIC.exewmic path softwarelicensingservice get OA3xOriginalProductKey4⤵PID:720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵PID:1020
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3788
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4bc 0x33c1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3792
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Netsh Helper DLL (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads