Analysis
max time kernel: 299s
max time network: 288s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23/09/2024, 05:00
Behavioral task behavioral1
  Sample: 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe
  Resource: win7-20240903-en

Behavioral task behavioral2
  Sample: 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe
  Resource: win10-20240404-en
General
Target: 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe
Size: 304KB
MD5: 58e8b2eb19704c5a59350d4ff92e5ab6
SHA1: 171fc96dda05e7d275ec42840746258217d9caf0
SHA256: 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834
SHA512: e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f
SSDEEP: 3072:Eq6EgY6iArUjOvWUJwPYT8QADFKoRJTA+tJSiK1cZqf7D34leqiOLibBOT:vqY6iULwP/xnRJTAKJ81cZqf7DIvL
Malware Config
Extracted
  Family: redline
  Botnet: newbundle2
  C2: 185.215.113.67:15206
Signatures

NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/4268-1-0x00000000009C0000-0x0000000000A12000-memory.dmp | family_redline
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copy of, a web browser credential store.
Downloads MZ/PE file
Drops file in Drivers directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\drivers\nskbfltr2.sys | winst64.exe
  File created | C:\Windows\system32\drivers\nskbfltr.sys | winst64.exe
Sets service image path in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys" | MSIC08.tmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation | 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (14 IoCs)
  pid | Process
  1892 | NetSup_Buil2d.exe
  4796 | Setup.exe
  980 | Setup.exe
  4344 | MSIFF7A.tmp
  4032 | MSIFFF8.tmp
  4188 | MSI659.tmp
  4568 | checkdvd.exe
  4112 | MSIC08.tmp
  3288 | winst64.exe
  3384 | MSI1235.tmp
  4616 | client32.exe
  4420 | client32.exe
  1488 | pcicfgui_client.exe
  1296 | pcicfgui_client.exe
Loads dropped DLL (64 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  40 | 2296 | msiexec.exe
  42 | 2296 | msiexec.exe
  44 | 2296 | msiexec.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0" | MSIC08.tmp
Drops file in System32 directory (9 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | client32.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | client32.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | client32.exe
  File created | C:\Windows\SysWOW64\pcimsg.dll | MSIC08.tmp
  File opened for modification | C:\Windows\system32\client32provider.dll | winst64.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | client32.exe
  File opened for modification | C:\Windows\SysWOW64\pcimsg.dll | MSIC08.tmp
  File created | C:\Windows\system32\client32provider.dll | winst64.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | client32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | Process
  1488 | pcicfgui_client.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 17 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) (3 TTPs, 24 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | client32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | client32.exe
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
  Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (64 IoCs)
created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Insertable msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command MSIC08.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\0\win32\ = "C:\\PROGRA~2\\NETSUP~1\\NETSUP~1\\ICOVIE~1.DLL" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\VersionIndependentProgID MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0D9FCEE929567A445B4ABDB670D44CDE\SourceList\Media msiexec.exe Set value (data) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 10c6a4a7750ddb01 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = af2a9898750ddb01 MicrosoftEdge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32 MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MsiExec.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0D9FCEE929567A445B4ABDB670D44CDE\InstalledBySetup = "CommonFiles" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0D9FCEE929567A445B4ABDB670D44CDE\Language = "1033" msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0D9FCEE929567A445B4ABDB670D44CDE\CommonFiles = "NSM" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0D9FCEE929567A445B4ABDB670D44CDE\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\{1FF0B3D7-D8A3-461B-811D-8B7490F8E899}\\" msiexec.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "433835508" MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell MSIC08.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer.1\CLSID MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2C61D9FBB5C49E141B2D086B0653E432 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0D9FCEE929567A445B4ABDB670D44CDE\Clients = 3a0000000000 msiexec.exe Set value (data) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 860b6aad750ddb01 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" MicrosoftEdge.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 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 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 cscript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 cscript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616
c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e cscript.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4420 client32.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 4268 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe 4268 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe 4268 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe 3056 MsiExec.exe 3056 MsiExec.exe 2296 msiexec.exe 2296 msiexec.exe 4112 MSIC08.tmp 4112 MSIC08.tmp 4112 MSIC08.tmp 4112 MSIC08.tmp 4616 client32.exe 4616 client32.exe 4420 client32.exe 4420 client32.exe 4420 client32.exe 4420 client32.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 4592 MicrosoftEdgeCP.exe 4592 MicrosoftEdgeCP.exe 4592 MicrosoftEdgeCP.exe 4592 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4268 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe Token: SeDebugPrivilege 4340 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4340 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4340 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4340 MicrosoftEdgeCP.exe Token: SeShutdownPrivilege 364 MSIEXEC.EXE Token: SeIncreaseQuotaPrivilege 364 MSIEXEC.EXE Token: SeSecurityPrivilege 2296 msiexec.exe Token: SeCreateTokenPrivilege 364 MSIEXEC.EXE Token: SeAssignPrimaryTokenPrivilege 364 MSIEXEC.EXE Token: SeLockMemoryPrivilege 364 MSIEXEC.EXE Token: SeIncreaseQuotaPrivilege 364 MSIEXEC.EXE Token: SeMachineAccountPrivilege 364 MSIEXEC.EXE Token: SeTcbPrivilege 364 MSIEXEC.EXE Token: SeSecurityPrivilege 364 MSIEXEC.EXE Token: SeTakeOwnershipPrivilege 364 MSIEXEC.EXE Token: SeLoadDriverPrivilege 364 MSIEXEC.EXE Token: SeSystemProfilePrivilege 364 MSIEXEC.EXE Token: SeSystemtimePrivilege 364 MSIEXEC.EXE Token: SeProfSingleProcessPrivilege 364 MSIEXEC.EXE Token: SeIncBasePriorityPrivilege 364 MSIEXEC.EXE Token: SeCreatePagefilePrivilege 364 MSIEXEC.EXE Token: SeCreatePermanentPrivilege 364 MSIEXEC.EXE Token: SeBackupPrivilege 364 MSIEXEC.EXE Token: SeRestorePrivilege 364 MSIEXEC.EXE Token: SeShutdownPrivilege 364 MSIEXEC.EXE Token: SeDebugPrivilege 364 MSIEXEC.EXE Token: SeAuditPrivilege 364 MSIEXEC.EXE Token: SeSystemEnvironmentPrivilege 364 MSIEXEC.EXE Token: SeChangeNotifyPrivilege 364 MSIEXEC.EXE Token: SeRemoteShutdownPrivilege 364 MSIEXEC.EXE Token: SeUndockPrivilege 364 MSIEXEC.EXE Token: SeSyncAgentPrivilege 364 MSIEXEC.EXE Token: SeEnableDelegationPrivilege 364 MSIEXEC.EXE Token: SeManageVolumePrivilege 364 MSIEXEC.EXE Token: SeImpersonatePrivilege 364 MSIEXEC.EXE Token: SeCreateGlobalPrivilege 364 MSIEXEC.EXE Token: SeRestorePrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: SeRestorePrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: 
SeRestorePrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: SeRestorePrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: SeRestorePrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: SeRestorePrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: SeRestorePrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: SeRestorePrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: SeRestorePrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: SeRestorePrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: SeRestorePrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: SeRestorePrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: SeDebugPrivilege 2472 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2472 MicrosoftEdgeCP.exe Token: SeRestorePrivilege 2296 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4420 client32.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 5112 MicrosoftEdge.exe 4592 MicrosoftEdgeCP.exe 4340 MicrosoftEdgeCP.exe 4592 MicrosoftEdgeCP.exe 4796 Setup.exe 980 Setup.exe -
Suspicious use of WriteProcessMemory 61 IoCs
description pid Process procid_target PID 4268 wrote to memory of 1892 4268 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe 74 PID 4268 wrote to memory of 1892 4268 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe 74 PID 4268 wrote to memory of 1892 4268 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe 74 PID 1892 wrote to memory of 4796 1892 NetSup_Buil2d.exe 78 PID 1892 wrote to memory of 4796 1892 NetSup_Buil2d.exe 78 PID 1892 wrote to memory of 4796 1892 NetSup_Buil2d.exe 78 PID 4796 wrote to memory of 980 4796 Setup.exe 82 PID 4796 wrote to memory of 980 4796 Setup.exe 82 PID 4796 wrote to memory of 980 4796 Setup.exe 82 PID 980 wrote to memory of 364 980 Setup.exe 83 PID 980 wrote to memory of 364 980 Setup.exe 83 PID 980 wrote to memory of 364 980 Setup.exe 83 PID 4592 wrote to memory of 4124 4592 MicrosoftEdgeCP.exe 80 PID 4592 wrote to memory of 4124 4592 MicrosoftEdgeCP.exe 80 PID 4592 wrote to memory of 4124 4592 MicrosoftEdgeCP.exe 80 PID 4592 wrote to memory of 4124 4592 MicrosoftEdgeCP.exe 80 PID 2296 wrote to memory of 3056 2296 msiexec.exe 85 PID 2296 wrote to memory of 3056 2296 msiexec.exe 85 PID 2296 wrote to memory of 3056 2296 msiexec.exe 85 PID 2296 wrote to memory of 3128 2296 msiexec.exe 88 PID 2296 wrote to memory of 3128 2296 msiexec.exe 88 PID 3128 wrote to memory of 1280 3128 cmd.exe 90 PID 3128 wrote to memory of 1280 3128 cmd.exe 90 PID 3128 wrote to memory of 1280 3128 cmd.exe 90 PID 2296 wrote to memory of 4344 2296 msiexec.exe 91 PID 2296 wrote to memory of 4344 2296 msiexec.exe 91 PID 2296 wrote to memory of 4032 2296 msiexec.exe 93 PID 2296 wrote to memory of 4032 2296 msiexec.exe 93 PID 2296 wrote to memory of 4032 2296 msiexec.exe 93 PID 2296 wrote to memory of 1696 2296 msiexec.exe 94 PID 2296 wrote to memory of 1696 2296 msiexec.exe 94 PID 2296 wrote to memory of 1696 2296 msiexec.exe 94 PID 2296 wrote to memory of 4188 2296 msiexec.exe 95 PID 2296 wrote to memory of 
4188 2296 msiexec.exe 95 PID 2296 wrote to memory of 4188 2296 msiexec.exe 95 PID 2296 wrote to memory of 4568 2296 msiexec.exe 96 PID 2296 wrote to memory of 4568 2296 msiexec.exe 96 PID 2296 wrote to memory of 4568 2296 msiexec.exe 96 PID 2296 wrote to memory of 4112 2296 msiexec.exe 97 PID 2296 wrote to memory of 4112 2296 msiexec.exe 97 PID 2296 wrote to memory of 4112 2296 msiexec.exe 97 PID 4112 wrote to memory of 3288 4112 MSIC08.tmp 98 PID 4112 wrote to memory of 3288 4112 MSIC08.tmp 98 PID 2296 wrote to memory of 3384 2296 msiexec.exe 99 PID 2296 wrote to memory of 3384 2296 msiexec.exe 99 PID 2296 wrote to memory of 3384 2296 msiexec.exe 99 PID 4616 wrote to memory of 4420 4616 client32.exe 103 PID 4616 wrote to memory of 4420 4616 client32.exe 103 PID 4616 wrote to memory of 4420 4616 client32.exe 103 PID 2296 wrote to memory of 1488 2296 msiexec.exe 102 PID 2296 wrote to memory of 1488 2296 msiexec.exe 102 PID 2296 wrote to memory of 1488 2296 msiexec.exe 102 PID 1488 wrote to memory of 1296 1488 pcicfgui_client.exe 104 PID 1488 wrote to memory of 1296 1488 pcicfgui_client.exe 104 PID 1488 wrote to memory of 1296 1488 pcicfgui_client.exe 104 PID 4420 wrote to memory of 5388 4420 client32.exe 107 PID 4420 wrote to memory of 5388 4420 client32.exe 107 PID 4420 wrote to memory of 5388 4420 client32.exe 107 PID 980 wrote to memory of 5608 980 Setup.exe 109 PID 980 wrote to memory of 5608 980 Setup.exe 109 PID 980 wrote to memory of 5608 980 Setup.exe 109 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1280 attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe"C:\Users\Admin\AppData\Local\Temp\07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Users\Admin\AppData\Local\Temp\NetSup_Buil2d.exe"C:\Users\Admin\AppData\Local\Temp\NetSup_Buil2d.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe" /S /v/qn3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\{1FF0B3D7-D8A3-461B-811D-8B7490F8E899}\Setup.exeC:\Users\Admin\AppData\Local\Temp\{1FF0B3D7-D8A3-461B-811D-8B7490F8E899}\Setup.exe /q"C:\Users\Admin\AppData\Local\Temp\Setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{1FF0B3D7-D8A3-461B-811D-8B7490F8E899}" /S /v/qn /IS_temp4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\MSIEXEC.EXE"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{1FF0B3D7-D8A3-461B-811D-8B7490F8E899}\NetSupport Manager.msi" /qn SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Setup.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:364
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5112
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:4540
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4592
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4340
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4124
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A864813FFCFDACBC88E5101DBE8D14DA2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3056
C:\Windows\system32\cmd.execmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{9EECF9D0-6592-44A7-B5A4-DB6B074DC4ED}\\nsm.lic"2⤵
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\attrib.exeATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{9EECF9D0-6592-44A7-B5A4-DB6B074DC4ED}\\nsm.lic"3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1280
C:\Windows\Installer\MSIFF7A.tmp"C:\Windows\Installer\MSIFF7A.tmp" /p "C:\Users\Admin\AppData\Local\Temp\{9EECF9D0-6592-44A7-B5A4-DB6B074DC4ED}\\Detect64LSP.txt"2⤵
- Executes dropped EXE
PID:4344
C:\Windows\Installer\MSIFFF8.tmp"C:\Windows\Installer\MSIFFF8.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4032
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 31ABDC0231768BBF65E4C74D8C0E19EC E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1696
C:\Windows\Installer\MSI659.tmp"C:\Windows\Installer\MSI659.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4188
C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4568
C:\Windows\Installer\MSIC08.tmp"C:\Windows\Installer\MSIC08.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EV"NetSupport School" /EF".\Log Files" /EF".\Bookmarks" /EF".\Tests" /EF".\Store" /EF".\inv" /EF".\Resources" /EF".\Help" /EF".\Image" /EF".\Sound" /EF".\Video" /EA /EX /EC /Q /V /Q /I *2⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exewinst64.exe /q /q /ex /i3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3288
C:\Windows\Installer\MSI1235.tmp"C:\Windows\Installer\MSI1235.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EI2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3384
C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.ini"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"3⤵
- Executes dropped EXE
PID:1296
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2472
C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" * /VistaUI2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\cscript.exe"cscript.exe" C:\Windows\system32\Printing_Admin_Scripts\en-US\prnport.vbs -a -r NSM001 -h 127.0.0.1 -o raw -n 505033⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:5388
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s TapiSrv1⤵
- Modifies data under HKEY_USERS
PID:3792
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:5700
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:5788
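The process tree is the most reusable part of this report: a dropped NetSupport client32.exe that spawns a second client32.exe instance (/VistaUI), which in turn runs prnport.vbs to create a raw printer port "NSM001" on 127.0.0.1. The script below is an added example (not part of the tria.ge report or of NetSupport) that parses the raw, concatenated form in which tria.ge exports process entries (image path immediately followed by the quoted command line and a single-digit tree depth before the ⤵ marker, then "- " behaviour tags and a "PID:" line), rebuilds parent/child links from the depth sequence, and flags that chain. The sample input is transcribed from this report's process tree; the field names, the single-digit-depth assumption and the rule names are this example's own.

```python
"""Parse a tria.ge process-tree export and hunt for the NetSupport client chain.

Added example; not part of the tria.ge report. Assumptions: each process line
has the form  <image path><command line><depth digit>⤵  with a single-digit
depth, behaviour tags follow as "- ..." lines and a "PID:" line closes the entry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Transcribed from the report's process tree above (entries, tags and PIDs only).
SAMPLE_TREE = r'''
C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"3⤵
- Executes dropped EXE
PID:1296
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:2472
C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4616 -
C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" * /VistaUI2⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\cscript.exe"cscript.exe" C:\Windows\system32\Printing_Admin_Scripts\en-US\prnport.vbs -a -r NSM001 -h 127.0.0.1 -o raw -n 505033⤵
- Modifies system certificate store
PID:5388
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s TapiSrv1⤵
- Modifies data under HKEY_USERS
PID:3792
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
PID:5700
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
PID:5788
'''

# Lazy body plus ONE digit before the marker, so a command line ending in a
# number ("-n 50503" followed by depth 3) is split at the right place.
TREE_LINE = re.compile(r"^(?P<body>.+?)(?P<depth>\d)⤵$")
PID_LINE = re.compile(r"^PID:(\d+)")
# prnport.vbs adding a raw port named NSM<n> that points at the loopback address.
PRNPORT_NSM = re.compile(r"prnport\.vbs\s+-a\s+-r\s+NSM\d+\s+-h\s+127\.0\.0\.1\b", re.IGNORECASE)
NETSUPPORT_DIR = "\\netsupport\\"


@dataclass
class ProcNode:
    image: str
    command_line: str
    depth: int
    pid: int | None = None
    tags: list[str] = field(default_factory=list)
    parent: ProcNode | None = None


def split_image(body: str) -> tuple[str, str]:
    """Split '<image><command line>' where the quoted command line starts; for the
    unquoted form (svchost started by the service control manager) the image path
    ends at the first '.exe'."""
    q = body.find('"')
    if q > 0:
        return body[:q], body[q:]
    i = body.lower().find(".exe")
    if i < 0:
        return body, ""
    return body[: i + 4], body[i + 4 :].lstrip()


def parse_tree(text: str) -> list[ProcNode]:
    nodes: list[ProcNode] = []
    stack: list[ProcNode] = []  # stack[d-1] is the most recent node seen at depth d
    current: ProcNode | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":  # empty list items are page residue
            continue
        m = TREE_LINE.match(line)
        if m:
            image, cmd = split_image(m.group("body"))
            depth = int(m.group("depth"))
            current = ProcNode(image, cmd, depth)
            del stack[depth - 1 :]
            # A parent is only known when every shallower depth has been seen;
            # an entry whose ancestors lie outside the excerpt gets parent=None.
            current.parent = stack[-1] if stack and len(stack) == depth - 1 else None
            stack.append(current)
            nodes.append(current)
        elif current is None:
            continue
        elif line.startswith("- "):
            current.tags.append(line[2:])
        elif (pm := PID_LINE.match(line)):
            current.pid = int(pm.group(1))
    return nodes


def detect_netsupport(nodes: list[ProcNode]) -> list[tuple[str, int | None]]:
    """Rule names are this example's own. Fires on (a) any NetSupport binary the
    sandbox marked as dropped and (b) cscript running prnport.vbs for an NSM port
    with client32.exe somewhere in its ancestry."""
    findings: list[tuple[str, int | None]] = []
    for n in nodes:
        img = n.image.lower()
        if NETSUPPORT_DIR in img and "Executes dropped EXE" in n.tags:
            findings.append(("dropped_netsupport_client", n.pid))
        if img.endswith("cscript.exe") and PRNPORT_NSM.search(n.command_line):
            p = n.parent
            while p is not None and not p.image.lower().endswith("\\client32.exe"):
                p = p.parent
            if p is not None:
                findings.append(("client32_printer_port_chain", n.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect_netsupport(parse_tree(SAMPLE_TREE)):
        print(f"{rule}: PID {pid}")
```

NetSupport Manager is a commercial product, so client32.exe under Program Files is not a verdict on its own; what makes it worth a ticket here is that the binary was written by the analysed sample ("Executes dropped EXE") and that it drives the printer-port script itself. On real endpoint telemetry the sandbox tag has no equivalent, so replace that half of the rule with your EDR's file-origin data (which process created client32.exe) and keep the ancestry check as it is.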
Network
MITRE ATT&CK Enterprise v15 (signature counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads
- Filesize: 41KB
  MD5: 4ca33f17e8424b21993dff6e1e7f844e
  SHA1: e2ba824fa07aa91d4c96e055917fc397f7c00b04
  SHA256: bc207db5bb7279a73ead3517e56bda197713342410812d7422bd5981d35460c6
  SHA512: d1afb509289634ca9a1133de7a88cf4e75176d784bce8ddc78ae54c09ed5b538922e6765a44879dfe59a6629c68b09959682949ba74a8d1529ba6976ff95330a
- Filesize: 728KB
  MD5: 52bb559a5e62d7ec0aa7770cda62347d
  SHA1: 16fa46898ee096376d3186848da746084ebdfba6
  SHA256: a97f4c66a105d31994f18a797df3d6ec0feb77d7bed35a8287995d6569f95e8e
  SHA512: ab2cf5588f9b640089009a4e34329bf9d0fabedcf03d2adeaf4a6de3ed88c3f365515767f050dd7b859b600c3e84535bfb05a7236e6eb42c6412919586d3aed5
- Filesize: 74KB
  MD5: d4fc49dc14f63895d997fa4940f24378
  SHA1: 3efb1437a7c5e46034147cbbc8db017c69d02c31
  SHA256: 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
  SHA512: cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
- C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\P3VDVJ51\suggestions[1].en-US
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- Filesize: 7KB
  MD5: 571fbb18f8af31c4e7d6ceb6ac176a5a
  SHA1: 3af2e797861b883cf3c08d2c36f9fc4f1196a537
  SHA256: 2c1af7f12829697e3b9843d493df12742d5e9818d68a5e448f411bf36b8ea197
  SHA512: 4284c1eaf67187f646d3a3edec772dbd23144928d218def06e65cb979e1e5676ab6faff1e568257fcc12ce55737f0e86f226f56be82d3b5a0a73f6ef98784305
- Filesize: 311B
  MD5: d04153af1f4c5708b03b71135fd07e10
  SHA1: 0d7fefaced7dced84307fb8d728bba7cd0a4207a
  SHA256: 154554ad54afed0a131e32f72347b0c4da22b4f60b16d02326cfc08dbee0fad4
  SHA512: 8cfd68f295d2be6b2b2b0d166fd3824266ff26969a000dcd105c09627ec494a8c309f8ccdde9d68bdea71f67f840094a7e6056918dd17164445714c3f1473e4b
- Filesize: 2KB
  MD5: 1420d30f964eac2c85b2ccfe968eebce
  SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
  SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
  SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
- Filesize: 21KB
  MD5: a108f0030a2cda00405281014f897241
  SHA1: d112325fa45664272b08ef5e8ff8c85382ebb991
  SHA256: 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948
  SHA512: d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298
- Filesize: 5KB
  MD5: c2651fcc56744679616d55ec902580fb
  SHA1: 3bcffa2c0ae8b05d40c01ff346059d93015eb406
  SHA256: f5cec5b4a4b36796369d97dd3ab68006240c47cd8cb50f0f7c3b51f0c082b7e9
  SHA512: 0ef9ed2114d79f0cd8dd449c7a8845a35890786a008c6d3baf20605d20abbafe8b9c01dbea120e7136713e0f7713511ea5819246fdc8bf7994c68b8f611a22a4
- Filesize: 592B
  MD5: b0b64871f01eb4061c4f3042812c4453
  SHA1: 27089b1aa87dd5b2dba4b31bccc6d120996cbd13
  SHA256: a0f5f0312aa0466021a0623d5053ca1a047e96f668b903a9ee4584cf79dfe813
  SHA512: c1efbe667060b26d283081b89aa840670bdb070a928cf75ab287e47d5c4a6ded141fe3e91fb315de6b8aeba75efbc79e026d63592c1e2ca87b7a1f18889c7426
- Filesize: 1024B
  MD5: 1ba9d1264b08f63650d1d14bbe4e1380
  SHA1: 84cc4b79cb540bf4c02df3e0538b714e3afc8901
  SHA256: 29583f973ada1982f5958fafcda5e875d8b14a16d8b5387f236d286ae0366306
  SHA512: 911c597bef6f14cce33ddb22cfca99a63bdde464d432aeab0b9cd0db7e37b4fc02da205fe8cef2c4baf9a3944e42bfe510a20934a5d6b56684c3763a7d227ada
- Filesize: 20B
  MD5: db9af7503f195df96593ac42d5519075
  SHA1: 1b487531bad10f77750b8a50aca48593379e5f56
  SHA256: 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
  SHA512: 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b
- Filesize: 253B
  MD5: d2c2217861f5535686409d80a0867f6f
  SHA1: f4d90bebfcf8f501e5b9f0427028f696c3a191c7
  SHA256: af9c79cf3af6a7e969208da78dfcfac54d6f956545b46f434d0e447cff94807b
  SHA512: 656deac03f9d81792e3d78108fb7d6754ca4a21a30f0e8da72e71f64b0b015dfc299d5478a8cc27acb05a0ec7e01c2c1cfcc9eb40041e4fe0a790414e42b4a37
- Filesize: 506B
  MD5: ff7c0d2dbb9195083bbabaff482d5ed6
  SHA1: 5c2efbf855c376ce1b93e681c54a367a407495dc
  SHA256: 065d817596d710d5a06060241acc207b82b844530cc56ff842ff53d8ff92a075
  SHA512: ea226b3a55fc59175136f104df497ebf5055624fb1c1c8073b249dfc5e1ed5818a6feee995aa82cf9ed050f1adc7a62994c90b1af03569dfe0d4551ee2bc70c9
- Filesize: 244KB
  MD5: c4ca339bc85aae8999e4b101556239dd
  SHA1: d090fc385e0002e35db276960a360c67c4fc85cd
  SHA256: 4ab23609cdc64d10b97c9ccb285ed7100f55d54d983cd50762da25ecac4357f9
  SHA512: 9185ec32545fc838d7fef6c9e4dd222dd02114c661b0b344f16287d55e6571bfe7a4233a852acc579d07bcdbab18c5c034c465b1f4bb78535ed51c3499087fe0
- Filesize: 169KB
  MD5: 0e6fda2b8425c9513c774cf29a1bc72d
  SHA1: a79ffa24cb5956398ded44da24793a2067b85dd0
  SHA256: e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9
  SHA512: 285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa
- Filesize: 511KB
  MD5: d524b639a3a088155981b9b4efa55631
  SHA1: 39d8eea673c02c1522b110829b93d61310555b98
  SHA256: 03d91c8cd20b846625a092a3dae6a12369930c65d6216a455a00449ebb0dc289
  SHA512: 84f8ab54122f93a40da08fd83bca767ab49eb0f73c4ab274d9bda11dd09224134df011fa02e5a3abbafcc6fbef6a60673dd48feabdf829a1e22c85a2a759b7ac
- Filesize: 457KB
  MD5: 65e2024604a03dd86eabe1689058ab40
  SHA1: 7b81c696843e08d518de485ec69564332426dc0c
  SHA256: 8b928d5dca0bf8ad1e7fec4d1b2047083eb63a6c9a0ea9a0d7f8d22041499465
  SHA512: 2d94cfdb01cff1fb6563b2ea4ee5076f843f25dc52bdb7dc3303bbc35b0dc4bec8119fa7b4cdd65dcceb6aedce7314a487e9a114dcbd5428f4168a9ecc035dd2
- Filesize: 153KB
  MD5: a1b7850763af9593b66ee459a081bddf
  SHA1: 6e45955fae2b2494902a1b55a3873e542f0f5ce4
  SHA256: 41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af
  SHA512: a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1