Analysis

max time kernel: 83s
max time network: 84s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01/10/2024, 22:17

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://fxsound.com
Resource: win11-20240802-en

General

Target: http://fxsound.com
Malware Config
Signatures

Downloads MZ/PE file
The downloaded executable is the installer that later appears as C:\Users\Admin\Downloads\fxsound_setup.exe (pid 2572, see "Executes dropped EXE" and the Zone.Identifier entry below).
Drops file in Drivers directory (3 IoCs)
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\fxvad.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\drmk.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\portcls.sys | DrvInst.exe
DrvInst.exe is the Windows PnP driver-installation host, and the only third-party driver in this list is fxvad.sys (the FxSound virtual audio device); drmk.sys and portcls.sys are in-box Microsoft audio port-class drivers. "Opened for modification" records the access requested on the handle, not that the file contents changed, so before treating the two Microsoft drivers as replaced, compare their hashes with the pre-install image and check that fxvad.sys is covered by the fxvadNTAMD64.cat catalog staged in the driver store.
Executes dropped EXE (8 IoCs)
pid | process
2572 | fxsound_setup.exe
4632 | fxdevcon64.exe
2264 | DfxSetupDrv.exe
4156 | fxdevcon64.exe
4024 | DfxSetupDrv.exe
4388 | DfxSetupDrv.exe
4672 | DfxSetupDrv.exe
1572 | FxSound.exe
Loads dropped DLL (15 IoCs)
pid | process | entries
1672 | MsiExec.exe | 4 DLL loads
4988 | MsiExec.exe | 11 DLL loads
The report lists only the loading process for each entry, not the DLL path.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are fxsound_setup.exe and msiexec.exe opening drive letters A: to Z: read-only. This is the volume enumeration Windows Installer performs while costing an install (free-space and media checks), so on its own it is not evidence of data collection; it would matter only if a non-installer process did the same.
description | ioc | process
File opened (read-only) | \??\I: | fxsound_setup.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\M: | fxsound_setup.exe
File opened (read-only) | \??\P: | fxsound_setup.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\S: | fxsound_setup.exe
File opened (read-only) | \??\H: | fxsound_setup.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\R: | fxsound_setup.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | fxsound_setup.exe
File opened (read-only) | \??\U: | fxsound_setup.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | fxsound_setup.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | fxsound_setup.exe
File opened (read-only) | \??\Z: | fxsound_setup.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\G: | fxsound_setup.exe
File opened (read-only) | \??\K: | fxsound_setup.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\E: | fxsound_setup.exe
File opened (read-only) | \??\W: | fxsound_setup.exe
File opened (read-only) | \??\X: | fxsound_setup.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\N: | fxsound_setup.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | fxsound_setup.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | fxsound_setup.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | fxsound_setup.exe
File opened (read-only) | \??\V: | fxsound_setup.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | fxsound_setup.exe
File opened (read-only) | \??\Q: | fxsound_setup.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
3 | raw.githubusercontent.com
44 | raw.githubusercontent.com
This section records only the destination host, not the requested path or the response. Before treating it as C2, inspect network flows 3 and 44 for the URL and the payload and relate them to the updater.exe and updater.ini files the installer drops under Program Files.
Power Settings (1 TTPs, 1 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | process
4600 | powercfg.exe
Only the process is recorded here, not its arguments. Check the command line in the process tree (for example a /change, /setacvalueindex or /requestsoverride invocation) before treating this as tampering; an installer that merely queries the active scheme produces the same entry.
Drops file in System32 directory (19 IoCs)
description | ioc | process
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\fxvad.inf_amd64_a75d87b3871a94a9\fxvad.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{01db5ab6-f997-f84a-ba5e-9fe9bfaf53ab} | DrvInst.exe
File created | C:\Windows\SysWOW64\dfx11.ico | msiexec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{01db5ab6-f997-f84a-ba5e-9fe9bfaf53ab}\SET4198.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{01db5ab6-f997-f84a-ba5e-9fe9bfaf53ab}\SET41A9.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{01db5ab6-f997-f84a-ba5e-9fe9bfaf53ab}\fxvad.inf | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{01db5ab6-f997-f84a-ba5e-9fe9bfaf53ab}\SET4198.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{01db5ab6-f997-f84a-ba5e-9fe9bfaf53ab}\SET41AA.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{01db5ab6-f997-f84a-ba5e-9fe9bfaf53ab}\SET41AA.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\fxvad.inf_amd64_a75d87b3871a94a9\fxvad.sys | DrvInst.exe
File created | C:\Windows\SysWOW64\fxsound.ico | msiexec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{01db5ab6-f997-f84a-ba5e-9fe9bfaf53ab}\fxvad.sys | DrvInst.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\fxvad.inf_amd64_a75d87b3871a94a9\fxvadNTAMD64.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\fxvad.inf_amd64_a75d87b3871a94a9\fxvad.PNF | fxdevcon64.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{01db5ab6-f997-f84a-ba5e-9fe9bfaf53ab}\fxvadNTAMD64.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{01db5ab6-f997-f84a-ba5e-9fe9bfaf53ab}\SET41A9.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\fxvad.inf_amd64_a75d87b3871a94a9\fxvad.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
Drops file in Program Files directory (56 IoCs)
All paths below are relative to C:\Program Files\FxSound LLC\FxSound\ and every entry is by msiexec.exe.
description | ioc
File created | Drivers\win7\x64\fxvadntamd64.cat
File created | Drivers\win7\x86\fxvadntx86.cat
File created | Factsoft\8.fac
File created | NotoSansJP-Regular.ttf
File created | Drivers\win10\x86\fxvad.sys
File created | Factsoft\12.fac
File created | Drivers\win10\x64\fxvad.inf
File created | Factsoft\11.fac
File created | NotoSansKR-Bold.otf
File created | NotoSansTC-Medium.ttf
File created | Drivers\win7\x64\fxdevcon64.exe
File created | Factsoft\4.fac
File created | Drivers\win7\x86\fxvad.inf
File created | MontserratAlternates-Regular.ttf
File created | NotoSansKR-Medium.otf
File created | NotoSansTC-Bold.ttf
File created | Apps\DfxInstall.dll
File created | Drivers\win7\x64\fxvad.sys
File created | Factsoft\7.fac
File created | NotoSansThai-Regular.ttf
File created | Factsoft\Default.fac
File created | NotoSansJP-Medium.ttf
File opened for modification | updater.ini
File created | Drivers\ptdevcon64.exe
File created | updater.exe
File created | Drivers\win10\x86\fxvadntx86.cat
File created | Factsoft\9.fac
File created | NotoSansSC-Bold.otf
File created | NotoSansThai-Medium.ttf
File created | FxSound.exe
File created | NotoSansSC-Regular.otf
File created | Factsoft\2.fac
File created | MontserratAlternates-Medium.ttf
File created | IBMPlexSansArabic-Regular.ttf
File created | Drivers\win10\x86\fxvad.inf
File created | Drivers\ptdevcon32.exe
File created | Factsoft\1.fac
File created | Drivers\win10\x64\fxdevcon64.exe
File created | IBMPlexSansArabic-Bold.ttf
File created | Factsoft\3.fac
File created | Drivers\win10\x64\fxvadntamd64.cat
File created | Drivers\win10\x86\fxdevcon32.exe
File created | Drivers\win7\x86\fxdevcon32.exe
File created | Factsoft\6.fac
File created | MontserratAlternates-Bold.ttf
File created | NotoSansTC-Regular.ttf
File created | Drivers\win10\x64\fxvad.sys
File created | NotoSansJP-Bold.ttf
File created | Apps\DfxSetupDrv.exe
File created | IBMPlexSansArabic-Medium.ttf
File created | Drivers\win7\x86\fxvad.sys
File created | Factsoft\10.fac
File created | Factsoft\5.fac
File created | NotoSansKR-Regular.otf
File created | NotoSansSC-Medium.otf
File created | Drivers\win7\x64\fxvad.inf
Drops file in Windows directory (29 IoCs)
description | ioc | process
File created | C:\Windows\Installer\e582e8d.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI3009.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File created | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\SystemTemp\~DFB0BDEECC2908D29A.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\{B78F934D-616A-4FFD-9D5A-B870EF9423C2}\fxsound.exe | msiexec.exe
File created | C:\Windows\Installer\e582e91.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DFBB87519FA3AD236F.TMP | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2F48.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI301A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2F99.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{B78F934D-616A-4FFD-9D5A-B870EF9423C2} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI34A0.tmp | msiexec.exe
File created | C:\Windows\INF\c_media.PNF | fxdevcon64.exe
File opened for modification | C:\Windows\Installer\MSI2FC9.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF99581340256EC35A.TMP | msiexec.exe
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\Installer\e582e8d.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2F88.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\SystemTemp\~DFE83D4A5B3E0B12E3.TMP | msiexec.exe
File created | C:\Windows\Installer\{B78F934D-616A-4FFD-9D5A-B870EF9423C2}\fxsound.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2FB9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI302A.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | fxdevcon64.exe
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 1 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier whose contents are known as the Mark-of-the-Web (MOTW).
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\fxsound_setup.exe:Zone.Identifier | msedge.exe
The process on this entry is msedge.exe, the browser that performed the download. Writing the Zone.Identifier stream at download time is how the MOTW is applied, so this hit is the browser tagging the file, not a bypass. A genuine bypass would show the installer or a later process deleting or rewriting the stream, and no such entry appears in this report.
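The check a responder would run on the downloaded file, as an added example that is not part of this report: it parses the [ZoneTransfer] text Windows keeps in the Zone.Identifier stream, maps ZoneId to its URLZONE name, and reads the stream from disk when run on Windows. The sample stream and its URLs are constructed for the example and are not taken from the report.

```python
"""Read and interpret a Mark-of-the-Web (Zone.Identifier) stream.

Added example, not part of the sandbox report. The stream body is the
small INI-style text Windows writes on download; the sample below is
constructed to mirror what a browser such as msedge.exe leaves behind.
"""
from __future__ import annotations

import os

# URLZONE values as they appear in the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample (assumed URLs, not from the report): what a download
# of fxsound_setup.exe from fxsound.com would typically carry.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=http://fxsound.com/\r\n"
    "HostUrl=https://download.fxsound.com/fxsound_setup.exe\r\n"
)


def parse_zone_identifier(text: str) -> dict[str, str]:
    """Parse the [ZoneTransfer] section into a dict of key -> value.

    Only keys under [ZoneTransfer] are kept; other sections are ignored.
    Key names are normalised to lower case so lookups are case-insensitive.
    """
    result: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip().lower()] = value.strip()
    return result


def zone_of(stream: dict[str, str]) -> tuple[int | None, str]:
    """Return (ZoneId, human name); (None, 'no MOTW') when the id is absent."""
    raw = stream.get("zoneid")
    if raw is None or not raw.isdigit():
        return None, "no MOTW"
    zone = int(raw)
    return zone, ZONE_NAMES.get(zone, f"unknown zone {zone}")


def motw_is_set(stream: dict[str, str]) -> bool:
    """True when the file still carries a mark SmartScreen and Defender
    treat as 'from the Internet' (zones 3 and 4)."""
    zone, _ = zone_of(stream)
    return zone in (3, 4)


def read_motw(path: str) -> dict[str, str]:
    """Read the Zone.Identifier ADS of a file on an NTFS volume (Windows only).

    A missing stream (FileNotFoundError) means the MOTW is absent, which is
    exactly what a bypass or a deliberate 'Unblock' leaves behind.
    """
    if os.name != "nt":
        raise OSError("alternate data streams need NTFS on Windows")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return {}


if __name__ == "__main__":
    parsed = parse_zone_identifier(SAMPLE_STREAM)
    print(parsed, zone_of(parsed), motw_is_set(parsed))
```

On the sandbox host the same call would be read_motw(r"C:\Users\Admin\Downloads\fxsound_setup.exe"); an empty dict after the install completes, where the stream was present at download time, is the evidence of removal that this signature is meant to catch.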
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DfxSetupDrv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxsound_setup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Any process that resolves the system UI language (localized installer dialogs, schtasks output) opens this key, so for an installer this is expected. The more useful lead here is schtasks.exe itself: it appears nowhere else in this section, so check the process tree for the task it created and which binary that task runs.
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
The readers here are DrvInst.exe, fxdevcon64.exe (a devcon-style driver-installation tool), svchost.exe and vssvc.exe, which enumerate device nodes as part of PnP installation and Volume Shadow Copy, so these reads are consistent with installing fxvad.sys rather than with evasion. The device paths themselves are what a sample would see in this sandbox: a QEMU DVD-ROM and two Msft Virtual DVD-ROMs alongside a disk reporting itself as a WDC WDS100T2B0A.
All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ and are listed relative to it.
description | ioc | process
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters | DrvInst.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | fxdevcon64.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | fxdevcon64.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | fxdevcon64.exe
Key opened | DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | svchost.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | DrvInst.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | fxdevcon64.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | DrvInst.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | DrvInst.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | DrvInst.exe
Key created | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | fxdevcon64.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | fxdevcon64.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | fxdevcon64.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | DrvInst.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | DrvInst.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | fxdevcon64.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | DrvInst.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | fxdevcon64.exe
Key opened | CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | fxdevcon64.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | DrvInst.exe
Key opened | CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | fxdevcon64.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | DrvInst.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | fxdevcon64.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | DrvInst.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | DrvInst.exe
Set value (data) | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | fxdevcon64.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | fxdevcon64.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | fxdevcon64.exe
Key opened | CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | svchost.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | DrvInst.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | fxdevcon64.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | svchost.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | DrvInst.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | DrvInst.exe
Key queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key opened | DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | fxdevcon64.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | fxdevcon64.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key opened | CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | DrvInst.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | fxdevcon64.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | fxdevcon64.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | svchost.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | DrvInst.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
Set value (data) | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009a5c3185e018bce80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009a5c31850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009a5c3185000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9a5c3185000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009a5c318500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | fxdevcon64.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | fxdevcon64.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | fxdevcon64.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | fxdevcon64.exe
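The sandbox check this signature describes, written out as an added example (not code from the report or from FxSound): it parses SCSI device-instance paths of the kind listed above, flags virtualisation vendors, and can walk Enum\SCSI on a live Windows host. The device paths are taken from the report; the vendor token list and the strong/weak split are my own choices, and Msft "Virtual DVD-ROM" is deliberately rated weak because a mounted ISO produces the same node on physical hardware.

```python
"""Classify SCSI device-instance paths for virtualisation indicators.

Added example, not part of the sandbox report. It implements the check the
signature describes (reading Enum\\SCSI to spot a sandbox) against the
device paths the report lists; the live registry walk runs only on Windows.
"""
from __future__ import annotations

import re

# Vendor/product tokens and the confidence a hit deserves (assumed lists).
STRONG = ("QEMU", "VBOX", "VMWARE", "XEN", "VIRTIO")
WEAK = ("MSFT", "VIRTUAL")

# A device instance path is "<enumerator>\<device>\<instance>"; the device
# part carries "&Ven_<vendor>&Prod_<product>" for SCSI nodes.
_ID_RE = re.compile(r"^SCSI\\(?P<device>[^\\]+)\\(?P<instance>[^\\]+)$", re.I)


def parse_device_id(device_id: str) -> dict[str, str]:
    """Split e.g. 'SCSI\\Disk&Ven_WDC&Prod_WDS100T2B0A\\4&215468a5&0&000000'
    into class, vendor, product and instance fields."""
    m = _ID_RE.match(device_id)
    if not m:
        raise ValueError(f"not a SCSI device id: {device_id}")
    fields = m.group("device").split("&")
    info = {"class": fields[0], "instance": m.group("instance"), "vendor": "", "product": ""}
    for f in fields[1:]:
        if f.lower().startswith("ven_"):
            info["vendor"] = f[4:]
        elif f.lower().startswith("prod_"):
            info["product"] = f[5:]
    return info


def classify(device_id: str) -> str:
    """Return 'strong', 'weak' or 'none' for virtualisation evidence."""
    info = parse_device_id(device_id)
    haystack = f"{info['vendor']} {info['product']}".upper()
    if any(tok in haystack for tok in STRONG):
        return "strong"
    if any(tok in haystack for tok in WEAK):
        return "weak"
    return "none"


def sandbox_verdict(device_ids: list[str]) -> str:
    """Aggregate: one strong hit is enough; weak hits alone stay 'suspect'."""
    levels = {classify(d) for d in device_ids}
    if "strong" in levels:
        return "virtual"
    if "weak" in levels:
        return "suspect"
    return "physical"


# Constructed from the instance paths listed in the report above.
REPORT_DEVICE_IDS = [
    r"SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000",
    r"SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000",
    r"SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    r"SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002",
]


def enumerate_scsi_from_registry() -> list[str]:
    """Walk HKLM\\SYSTEM\\CurrentControlSet\\Enum\\SCSI (Windows only) and
    return device instance paths in the same form as REPORT_DEVICE_IDS."""
    import winreg  # importable only on Windows

    ids: list[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Enum\SCSI") as scsi:
        for i in range(winreg.QueryInfoKey(scsi)[0]):
            device = winreg.EnumKey(scsi, i)
            with winreg.OpenKey(scsi, device) as dev:
                for j in range(winreg.QueryInfoKey(dev)[0]):
                    ids.append("SCSI\\" + device + "\\" + winreg.EnumKey(dev, j))
    return ids


if __name__ == "__main__":
    for d in REPORT_DEVICE_IDS:
        print(classify(d), d)
    print(sandbox_verdict(REPORT_DEVICE_IDS))
```

Run against the report's paths the verdict is "virtual" because of the QEMU DVD-ROM alone; the spoofed WDC disk string does nothing to hide that, which is the kind of gap a sandbox operator would want to know about.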
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
All three reads come from msedge.exe, the browser, not from the installer or anything it dropped.
Modifies data under HKEY_USERS (53 IoCs)
DrvInst.exe runs as SYSTEM, whose profile hive is HKU\.DEFAULT. The SystemCertificates and WinTrust keys it creates there are the empty per-user certificate stores CryptoAPI initialises when it first validates a signature in that profile, and the MuiCache strings are the display names of certificate enhanced key usages ("Document Encryption", "BitLocker Drive Encryption", and so on) resolved during that validation. This is the signature check on the fxvadNTAMD64.cat catalog, not certificate-store tampering: no certificate is written under any Root\Certificates or TrustedPeople\Certificates key, which is what a trust-subversion attempt would show.
All keys below are under \REGISTRY\USER\.DEFAULT\ and are listed relative to it.
description | ioc | process
Key created | Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | Software\Classes\Local Settings\MuiCache\27\52C64B7E | DrvInst.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | DrvInst.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key deleted | SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key deleted | Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | DrvInst.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Modifies registry class 26 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\SourceList\Media msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D439F87BA616DFF4D9A58B07FE49322C\AI64BitFiles msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D439F87BA616DFF4D9A58B07FE49322C\AIOtherFiles msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\ProductIcon = "C:\\Windows\\Installer\\{B78F934D-616A-4FFD-9D5A-B870EF9423C2}\\fxsound.exe" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\DeploymentFlags = "3" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\Clients = 3a0000000000 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\FxSound LLC\\FxSound 1.1.27.0\\install\\" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D439F87BA616DFF4D9A58B07FE49322C\MainFeature msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\Version = "16842779" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\InstanceType = "0" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\FxSound LLC\\FxSound 1.1.27.0\\install\\" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\SourceList\Media\1 = "Disk1;Disk1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\SourceList\Media\DiskPrompt = "[1]" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\PackageCode = "2409988FC97593B438E96F77D255D95C" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\Language = "1033" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\AdvertiseFlags = "388" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\AuthorizedLUAApp = "0" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B1802AC1A5D0FD14688E728802C43E04 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\SourceList\PackageName = "fxsound.x64.msi" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\SourceList\Net msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D439F87BA616DFF4D9A58B07FE49322C msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\ProductName = "FxSound" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\Assignment = "1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B1802AC1A5D0FD14688E728802C43E04\D439F87BA616DFF4D9A58B07FE49322C msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D439F87BA616DFF4D9A58B07FE49322C\SourceList msiexec.exe

Note: these are Windows Installer's own product registration keys, not arbitrary class hijacks. D439F87BA616DFF4D9A58B07FE49322C is the packed form of the product code {B78F934D-616A-4FFD-9D5A-B870EF9423C2} seen in the ProductIcon path (each GUID segment reversed, the last two byte-wise), and Version = 16842779 is 0x0101001B, i.e. 1.1.27 encoded as major<<24 | minor<<16 | build, matching the "FxSound 1.1.27.0" install directory. The AI64BitFiles/AIOtherFiles feature names are Advanced Installer defaults.
-
NTFS ADS 2 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 600748.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\fxsound_setup.exe:Zone.Identifier msedge.exe

Note: both alternate data streams are written by the browser, not by the sample. The SmartScreen stream goes on the in-progress .crdownload and the Zone.Identifier stream (the Mark of the Web, normally ZoneId=3 for the Internet zone) on the finished fxsound_setup.exe. That stream is what later makes SmartScreen and the "file came from another computer" checks fire when the installer runs. The "Subvert Trust Controls: Mark-of-the-Web Bypass" tag on the Edge quarantine utility in the process tree is a heuristic tag on the process that wrote the stream (PID 1444); nothing on this page shows the mark being removed.
-
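The two streams above are the Mark of the Web that Edge attaches to the download. The following Python is an added example, not part of this report or of FxSound, showing how to read and interpret a Zone.Identifier stream during triage. The sample stream is constructed (the ReferrerUrl uses the report's target URL; the HostUrl is a placeholder) because the report does not show the stream's contents, and the zone table is the URLZONE enumeration from urlmon.h.

```python
"""Read and interpret the Mark-of-the-Web (Zone.Identifier) stream on a file.

Added example, not part of the sandbox report. The parser is OS-independent
and is exercised with a constructed stream resembling what a Chromium-based
browser writes for an internet download; read_zone_identifier() needs NTFS
on Windows, where the stream is opened as '<file>:Zone.Identifier'.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass, field

# URLZONE_* values from urlmon.h
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


@dataclass
class MarkOfTheWeb:
    zone_id: int | None = None
    referrer_url: str | None = None
    host_url: str | None = None
    extra: dict[str, str] = field(default_factory=dict)

    @property
    def zone_name(self) -> str:
        if self.zone_id is None:
            return "no ZoneId"
        return ZONE_NAMES.get(self.zone_id, f"unknown zone {self.zone_id}")

    @property
    def triggers_smartscreen(self) -> bool:
        # SmartScreen, Office Protected View and the "file from another
        # computer" prompt all key off zone 3 (Internet) or 4 (Restricted).
        return self.zone_id in (3, 4)


def parse_zone_identifier(text: str) -> MarkOfTheWeb:
    """Parse the INI-style stream; only the [ZoneTransfer] section matters."""
    motw = MarkOfTheWeb()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid":
            try:
                motw.zone_id = int(value)
            except ValueError:
                motw.extra[key] = value  # malformed ZoneId: keep it visible
        elif key == "referrerurl":
            motw.referrer_url = value
        elif key == "hosturl":
            motw.host_url = value
        else:
            motw.extra[key] = value
    return motw


def read_zone_identifier(path: str) -> MarkOfTheWeb | None:
    """Return the file's MotW, or None when the stream is absent (no mark)."""
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams need NTFS on Windows")
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


# Constructed sample stream. ReferrerUrl uses the report's target URL; the
# HostUrl is a placeholder, the report does not show the real download URL.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=http://fxsound.com/\r\n"
    "HostUrl=https://download.example.invalid/fxsound_setup.exe\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        motw = read_zone_identifier(sys.argv[1])
        if motw is None:
            print("no Zone.Identifier stream: file carries no Mark of the Web")
            sys.exit(0)
    else:
        motw = parse_zone_identifier(SAMPLE_STREAM)
    print(f"zone {motw.zone_id} ({motw.zone_name}); SmartScreen applies: {motw.triggers_smartscreen}")
    print(f"referrer: {motw.referrer_url}\nhost:     {motw.host_url}")
```

A missing stream on a file that was demonstrably downloaded is the interesting case: the mark is dropped by Unblock-File, by extraction from some archive formats and by tools that delete the stream, and that absence is what an actual bypass looks like.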
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the task is created by the installer's 32-bit custom-action server (MsiExec.exe, PID 4988, see the process tree): a daily 10:00 task named FxSound\Update that runs updater.exe from the product's own Program Files directory with /silent. That shape (vendor task name, action under Program Files, daily trigger) is what a legitimate auto-updater looks like; the malicious variants run a script host or a binary from a user-writable path, or trigger on logon or every few minutes.
pid Process
1336 schtasks.exe
-
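The command recorded in the process tree is: schtasks /create /sc daily /tn FxSound\Update /tr "'C:\Program Files\FxSound LLC\FxSound\updater.exe' /silent" /st 10:00 /f. The Python below is an added example, not part of the report, that parses such lines from process-creation telemetry and separates vendor-style updater tasks from the shapes malware uses. The two malicious lines are constructed for contrast, and the heuristics (VALUE_SWITCHES, SCRIPT_HOSTS, USER_WRITABLE, LOGON_TRIGGERS) are the author's assumptions, not a sandbox rule set.

```python
"""Triage 'schtasks /create' command lines from process-creation telemetry.

Added example, not part of the report. The input lines are constructed to
look like the CommandLine field of a Sysmon event 1 / Security 4688 record.
The first is the schtasks invocation recorded in the process tree; the other
two are made-up malicious shapes for contrast.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# schtasks switches that take a value (matched case-insensitively).
VALUE_SWITCHES = {"sc", "tn", "tr", "st", "sd", "ed", "mo", "ru", "rp", "rl",
                  "xml", "du", "ri", "d", "m", "i", "s", "u", "p", "ec"}
SCRIPT_HOSTS = {"powershell", "pwsh", "cmd", "wscript", "cscript", "mshta",
                "rundll32", "regsvr32", "msiexec", "certutil", "bitsadmin"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\",
                 "\\public\\", "\\users\\")
LOGON_TRIGGERS = {"onlogon", "onstart", "onidle", "onevent"}


@dataclass
class TaskCreate:
    task_name: str
    action: str            # full /tr value
    image: str             # executable part of /tr
    schedule: str
    start_time: str
    run_as: str
    run_level: str
    force: bool
    findings: list[str] = field(default_factory=list)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    Outer quotes are dropped; backslashes are kept literally (they are path
    separators here, not escapes)."""
    tokens, cur, in_quote, pending = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            pending = True
        elif ch.isspace() and not in_quote:
            if pending:
                tokens.append("".join(cur))
                cur, pending = [], False
        else:
            cur.append(ch)
            pending = True
    if pending:
        tokens.append("".join(cur))
    return tokens


def action_image(action: str) -> str:
    """First program in a /tr value: 'C:\\x y\\a.exe' /silent -> C:\\x y\\a.exe"""
    action = action.strip()
    if action and action[0] in "'\"":
        end = action.find(action[0], 1)
        return action[1:end] if end > 0 else action[1:]
    return action.split()[0] if action else ""


def assess(task: TaskCreate, from_xml: bool) -> list[str]:
    """Heuristics (author's assumptions) that separate updater-style tasks
    from the shapes used for persistence and beaconing."""
    findings = []
    img = task.image.lower()
    base = img.rsplit("\\", 1)[-1]
    if base.endswith(".exe"):
        base = base[:-4]
    if base in SCRIPT_HOSTS:
        findings.append(f"action runs a script host or LOLBin ({base})")
    if any(marker in img for marker in USER_WRITABLE):
        findings.append("action image is under a user-profile or world-writable path")
    if task.run_as.lower() in ("system", "nt authority\\system"):
        findings.append("task runs as SYSTEM")
    if task.run_level == "highest":
        findings.append("task requests the highest run level")
    if task.schedule in LOGON_TRIGGERS:
        findings.append(f"persistence trigger ({task.schedule})")
    if task.schedule == "minute":
        findings.append("minute-level schedule (beacon-like)")
    if from_xml:
        findings.append("task imported from XML: inspect the file for the real action")
    return findings


def parse_schtasks(cmdline: str) -> TaskCreate | None:
    """Return a TaskCreate for a 'schtasks /create' line, else None."""
    toks = tokenize(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts: dict[str, str | bool] = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok[:1] in "/-" and len(tok) > 1:      # schtasks accepts / or -
            key = tok[1:].lower()
            if key in VALUE_SWITCHES and i + 1 < len(toks):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    if opts.get("create") is not True:
        return None
    action = str(opts.get("tr", ""))
    task = TaskCreate(task_name=str(opts.get("tn", "")), action=action,
                      image=action_image(action), schedule=str(opts.get("sc", "")).lower(),
                      start_time=str(opts.get("st", "")), run_as=str(opts.get("ru", "")),
                      run_level=str(opts.get("rl", "")).lower(), force="f" in opts)
    task.findings = assess(task, "xml" in opts)
    return task


# Constructed telemetry; the first line is the one in the process tree.
SAMPLE_CMDLINES = [
    'schtasks /create /sc daily /tn FxSound\\Update /tr "\'C:\\Program Files\\FxSound LLC\\FxSound\\updater.exe\' /silent" /st 10:00 /f',
    'schtasks /create /sc minute /mo 5 /tn "WindowsUpdate" /tr "powershell -w hidden -enc QQBBAEEA" /ru SYSTEM /f',
    'C:\\Windows\\System32\\schtasks.exe /Create /TN Updater /TR C:\\Users\\Admin\\AppData\\Roaming\\svc.exe /SC ONLOGON /RL HIGHEST',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        task = parse_schtasks(line)
        verdict = "review" if task.findings else "benign-looking"
        print(f"{verdict:>14}  {task.task_name!r} -> {task.image}")
        for finding in task.findings:
            print(f"                - {finding}")
```

The report's line comes out with no findings; the constructed lines trip the script-host, SYSTEM, minute-schedule, user-profile path, logon-trigger and run-level checks. Pair this with the task's XML under C:\Windows\System32\Tasks on the host, since a /tr value can be changed after creation without another schtasks /create.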
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process
1340 msedge.exe (2 entries)
4948 msedge.exe (2 entries)
4716 msedge.exe (2 entries)
1540 identity_helper.exe (2 entries)
1444 msedge.exe (2 entries)
4988 MsiExec.exe (2 entries)
1700 msiexec.exe (2 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1572 FxSound.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process
4948 msedge.exe (9 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeSecurityPrivilege 1700 msiexec.exe
The remaining 63 entries are all 2572 fxsound_setup.exe. The sequence below is recorded twice in full and then a third time up to SeMachineAccountPrivilege:
Token: SeCreateTokenPrivilege 2572 fxsound_setup.exe
Token: SeAssignPrimaryTokenPrivilege 2572 fxsound_setup.exe
Token: SeLockMemoryPrivilege 2572 fxsound_setup.exe
Token: SeIncreaseQuotaPrivilege 2572 fxsound_setup.exe
Token: SeMachineAccountPrivilege 2572 fxsound_setup.exe
Token: SeTcbPrivilege 2572 fxsound_setup.exe
Token: SeSecurityPrivilege 2572 fxsound_setup.exe
Token: SeTakeOwnershipPrivilege 2572 fxsound_setup.exe
Token: SeLoadDriverPrivilege 2572 fxsound_setup.exe
Token: SeSystemProfilePrivilege 2572 fxsound_setup.exe
Token: SeSystemtimePrivilege 2572 fxsound_setup.exe
Token: SeProfSingleProcessPrivilege 2572 fxsound_setup.exe
Token: SeIncBasePriorityPrivilege 2572 fxsound_setup.exe
Token: SeCreatePagefilePrivilege 2572 fxsound_setup.exe
Token: SeCreatePermanentPrivilege 2572 fxsound_setup.exe
Token: SeBackupPrivilege 2572 fxsound_setup.exe
Token: SeRestorePrivilege 2572 fxsound_setup.exe
Token: SeShutdownPrivilege 2572 fxsound_setup.exe
Token: SeDebugPrivilege 2572 fxsound_setup.exe
Token: SeAuditPrivilege 2572 fxsound_setup.exe
Token: SeSystemEnvironmentPrivilege 2572 fxsound_setup.exe
Token: SeChangeNotifyPrivilege 2572 fxsound_setup.exe
Token: SeRemoteShutdownPrivilege 2572 fxsound_setup.exe
Token: SeUndockPrivilege 2572 fxsound_setup.exe
Token: SeSyncAgentPrivilege 2572 fxsound_setup.exe
Token: SeEnableDelegationPrivilege 2572 fxsound_setup.exe
Token: SeManageVolumePrivilege 2572 fxsound_setup.exe
Token: SeImpersonatePrivilege 2572 fxsound_setup.exe
Token: SeCreateGlobalPrivilege 2572 fxsound_setup.exe

Note: the sequence is SeCreateTokenPrivilege (LUID 2) through SeCreateGlobalPrivilege (LUID 30) in LUID order, i.e. the installer walks every privilege and asks for each one rather than targeting a specific right. AdjustTokenPrivileges can only enable privileges already present in the token (the call returns ERROR_NOT_ALL_ASSIGNED for the rest), so these entries record what was requested, not what was granted. The rights that matter for this sample are SeLoadDriverPrivilege (fxvad.sys is installed later in the run) and the usual SeDebug/SeTcb/SeBackup/SeRestore set; a targeted grab of just those from a non-installer binary would be far more interesting than this sweep.
-
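To see what the 64 entries above amount to, the following Python (an added example, not part of the report) parses the flattened "Token: <privilege> <pid> <image>" triples, collapses them per process and flags the privileges worth attention. REPORT_TEXT is rebuilt from the sequence listed above, and the HIGH_VALUE table is the author's selection, not a sandbox rule.

```python
"""Collapse the sandbox's 'Suspicious use of AdjustPrivilegeToken' table into
one row per process and flag the privileges that matter.

Added example, not part of the report. The sandbox flattens the table into
'Token: <privilege> <pid> <image>' triples. REPORT_TEXT below is rebuilt from
the 64 entries recorded in the report: one msiexec.exe entry, then the
installer's 29-privilege sequence twice in full and a third time up to
SeMachineAccountPrivilege.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# The privileges the installer enables, in the order the report lists them.
# This is SeCreateTokenPrivilege (LUID 2) .. SeCreateGlobalPrivilege (LUID 30).
INSTALLER_SEQUENCE = [
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege", "SeTcbPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfSingleProcessPrivilege",
    "SeIncBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeAuditPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege",
]
assert len(INSTALLER_SEQUENCE) == 29

# Rebuilt from the report: 1 + 29 + 29 + 5 = 64 entries in the original order.
REPORT_TEXT = "Token: SeSecurityPrivilege 1700 msiexec.exe " + " ".join(
    f"Token: {priv} 2572 fxsound_setup.exe"
    for priv in INSTALLER_SEQUENCE * 2 + INSTALLER_SEQUENCE[:5]
)

# Author's selection of privileges worth a second look on a non-system binary.
HIGH_VALUE = {
    "SeDebugPrivilege": "open any process: token theft, injection, LSASS access",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read any file (SAM, NTDS.dit) regardless of ACL",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeImpersonatePrivilege": "impersonate connecting clients",
    "SeAssignPrimaryTokenPrivilege": "start processes under another token",
    "SeCreateTokenPrivilege": "forge tokens",
}

TRIPLE = re.compile(r"Token:\s+(Se\w+Privilege)\s+(\d+)\s+(\S+)")


def parse_entries(text: str) -> list[tuple[str, int, str]]:
    """Extract (privilege, pid, image) triples from the flattened table."""
    return [(priv, int(pid), image) for priv, pid, image in TRIPLE.findall(text)]


def summarize(entries: list[tuple[str, int, str]]) -> dict[tuple[int, str], Counter]:
    """Group entries per (pid, image); the Counter records request repeats."""
    per_process: dict[tuple[int, str], Counter] = defaultdict(Counter)
    for priv, pid, image in entries:
        per_process[(pid, image)][priv] += 1
    return dict(per_process)


def flag_high_value(counts: Counter) -> list[str]:
    return sorted(priv for priv in counts if priv in HIGH_VALUE)


def is_full_sweep(counts: Counter) -> bool:
    """True when the process asked for every privilege from LUID 2 to 30,
    the fingerprint of an installer enabling 'everything' rather than a
    targeted SeDebugPrivilege / SeLoadDriverPrivilege grab."""
    return set(INSTALLER_SEQUENCE) <= set(counts)


if __name__ == "__main__":
    for (pid, image), counts in summarize(parse_entries(REPORT_TEXT)).items():
        sweep = " (full sweep)" if is_full_sweep(counts) else ""
        print(f"{pid:>5} {image}: {sum(counts.values())} entries, "
              f"{len(counts)} distinct privileges{sweep}")
        for priv in flag_high_value(counts):
            print(f"      {priv}: {HIGH_VALUE[priv]}")
```

Run against the report this yields one row for msiexec.exe (a single SeSecurityPrivilege, which the installer service needs for audit-related work) and one for fxsound_setup.exe: 63 entries, 29 distinct privileges, full sweep. The is_full_sweep() test is the useful discriminator when the same signature fires on an unknown binary.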
Suspicious use of FindShellTrayWindow 59 IoCs
pid Process
4948 msedge.exe (49 entries)
2572 fxsound_setup.exe (1 entry)
1536 msiexec.exe (2 entries)
1572 FxSound.exe (7 entries)
-
Suspicious use of SendNotifyMessage 20 IoCs
pid Process
4948 msedge.exe (12 entries)
1572 FxSound.exe (8 entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1572 FxSound.exe 1572 FxSound.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4948 wrote to memory of 2144 4948 msedge.exe 79 (2 entries)
PID 4948 wrote to memory of 1852 4948 msedge.exe 80 (repeated)
PID 4948 wrote to memory of 1340 4948 msedge.exe 81 (2 entries)
PID 4948 wrote to memory of 1892 4948 msedge.exe 82 (repeated; 64 entries in total across these four targets)

Note: every write comes from the Edge browser process (4948) into children it has just launched: the crashpad handler (2144), the GPU process (1852), the network service (1340) and the storage service (1892), all visible in the process tree. This is the parent setting up its own sandboxed children before they run, not injection into an unrelated process. The signature is worth attention only when the writer and the target are unrelated images, or when the target is a process the writer did not create.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Here the caller is srtasks.exe ExecuteScopeRestorePoint under the Windows Installer service (see the process tree), i.e. Windows Installer creating a system restore point before the install, which is why v​ssvc.exe is started. Ransomware reaches the same COM API to delete shadow copies, so the signature by itself does not distinguish the two; the calling process and the operation do.
Processes

Note: the sandbox recycles PIDs within this run. 2572 is first an Edge renderer and later fxsound_setup.exe; 1700 is first an Edge renderer and later the msiexec.exe service process. Correlate on PID plus process start time (or on the tree position below), never on PID alone.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fxsound.com
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4948

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff10df3cb8,0x7fff10df3cc8,0x7fff10df3cd8
      PID:2144

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
      PID:1852

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID:1340

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
      PID:1892

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
      PID:3368

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
      PID:3032

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
      PID:2444

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
      PID:2572

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
      PID:2720

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
      PID:1700

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
      PID:3548

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5800 /prefetch:8
      PID:1388

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
      PID:4232

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
      PID:2904

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:4716

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:1540

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,4797877574425062221,6506345355056276908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      PID:1444

    C:\Users\Admin\Downloads\fxsound_setup.exe
      "C:\Users\Admin\Downloads\fxsound_setup.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID:2572

        C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\FxSound LLC\FxSound 1.1.27.0\install\fxsound.x64.msi" AI_SETUPEXEPATH=C:\Users\Admin\Downloads\fxsound_setup.exe SETUPEXEDIR=C:\Users\Admin\Downloads\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1727580431 " AI_EUIMSI=""
          - Enumerates connected drives
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          PID:1536

Note: the Edge quarantine utility (1444) is the process that writes the Zone.Identifier stream on the download; the "Mark-of-the-Web Bypass" tag on it is a heuristic, nothing here shows the mark being removed. fxsound_setup.exe runs as a direct child of the browser, i.e. it was opened from the download. The AI_SETUPEXEPATH / AI_EUIMSI properties identify an Advanced Installer bootstrapper: it extracts fxsound.x64.msi to %AppData%\Roaming\FxSound LLC\FxSound 1.1.27.0\install\ and hands it to msiexec, which then elevates into the installer service (msiexec.exe /V, PID 1700, below).
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4792

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:1988
C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C2EF286F8ED75F8AEBCA2DBB833D89C9 C
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:1672

    C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID:2972

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding CEAD558B8463933651B0C849FAC2081C
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID:4988

        C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe
          "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" remove *DFX12
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          PID:4632

        C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe
          "C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe" check
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID:2264

        C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe
          "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" install "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.inf"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Checks SCSI registry key(s)
          PID:4156

        C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe
          "C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe" getguid
          - Executes dropped EXE
          PID:4024

        C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe
          "C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe" setname
          - Executes dropped EXE
          PID:4388

        C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe
          "C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe" defaultbuffersize
          - Executes dropped EXE
          PID:4672

        C:\Windows\SysWOW64\powercfg.exe
          powercfg -REQUESTSOVERRIDE DRIVER "FxSound Audio Enhancer" SYSTEM
          - Power Settings
          PID:4600

        C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc daily /tn FxSound\Update /tr "'C:\Program Files\FxSound LLC\FxSound\updater.exe' /silent" /st 10:00 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID:1336

    C:\Program Files\FxSound LLC\FxSound\FxSound.exe
      "C:\Program Files\FxSound LLC\FxSound\\FxSound.exe" @
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      PID:1572

Note: msiexec.exe /V is the Windows Installer service and runs as SYSTEM. The two MsiExec.exe -Embedding <GUID> children are its custom-action servers; everything that matters happens under the 32-bit one (4988), which runs in the service's context unless the custom action impersonates the user. In order: fxdevcon64.exe (devcon-style syntax) removes any existing *DFX12 device, DfxSetupDrv.exe checks the state, fxdevcon64.exe installs fxvad.inf (the virtual audio driver; this is what triggers the DeviceInstall/DrvInst.exe activity below and places fxvad.sys in System32\drivers), DfxSetupDrv.exe configures the device, powercfg registers a power-request override for the driver, and schtasks creates the FxSound\Update task. srtasks.exe ExecuteScopeRestorePoint is Windows Installer creating a system restore point, which is the source of the vssvc.exe process and the "Uses Volume Shadow Copy service COM API" signature. The user-facing FxSound.exe is started last, as a child of the installer service.
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  PID:3000

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:5032

    C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{fdce8925-9933-2c48-986e-6a61a3ac090d}\fxvad.inf" "9" "4143399a7" "0000000000000140" "WinSta0\Default" "0000000000000160" "208" "c:\program files\fxsound llc\fxsound\drivers\win10\x64"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      PID:1996

    C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:ed86ca115cc2c934:DFX_Device:14.1.0.0:root\fxvad," "4143399a7" "0000000000000140" "c092"
      - Drops file in Drivers directory
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      PID:4344

    C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004D8
      PID:5036

Note: the two DrvInst.exe invocations are the Plug and Play DeviceInstall service, first staging the package (fxvad.inf, copied from a Temp directory) into the driver store, where it becomes oem3.inf, and then installing it on the root-enumerated device ROOT\MEDIA\0000 with hardware ID root\fxvad, device description DFX_Device, driver version 14.1.0.0. The second step is the one that writes fxvad.sys to System32\drivers. A kernel driver installed this way has to pass the kernel-mode code-signing policy on Windows 11, so the checks to run on the host are the Authenticode signature on fxvad.sys (Get-AuthenticodeSignature in PowerShell) and pnputil /enum-drivers for the oem3.inf entry. AUDIODG.EXE is the Windows audio engine restarting after the new audio device appeared.
Network
MITRE ATT&CK Enterprise v15
Downloads

Note: entries without a path are listed by the sandbox with hashes only; the paths are not recorded on this page. The CryptnetUrlCache entries are CryptoAPI's cache of certificate, CRL and OCSP fetches made while signatures were validated during the run, a normal by-product of SmartScreen and driver installation rather than files the installer dropped deliberately.
-
Filesize 18KB
MD5 c3526aa3a0929d68fb937437150c8e40
SHA1 f503410e905f3406e65ba6d1d3341f25d4e22dd6
SHA256 653a11ea75e36fa4476a785b44b42d211a6b3d32ec7306cc7307976fc5b894cf
SHA512 54f01448917fbf553a4d8c47815d7f6411af761aba2cc36bd7bffe44e5758b15134fa203977ea491d1111319f0a4322f40a2739f9a6c5f27ce6f3e9b77af849b
-
Filesize 125KB
MD5 adec0dfb1782e399a2e0e21bb2a52dc3
SHA1 c7067be7b766ee137f7a622728ee895bf74533ce
SHA256 6371f096e3e9324f3c559cdf504168490ae049ba30e790471f9904e97bb5847c
SHA512 7895d1e6c05b9214a336a4656fa455071f2a0bfbde35c755b095156601a56965752d3643a8e7521bb1cd9962fb211a9ea14719ef06a1afa584ebccae08658ab8
-
Filesize 65KB
MD5 6cc7fd49bee71a54aa659e30dea8903d
SHA1 1ef81f57626e6516a46ea8e69f1ae83fce6c5cfe
SHA256 ebc764a3b96c31a34f1cd9ba94dee8cd107aa7a8b45030fcdbbceee0eafb4e25
SHA512 8d0f8f1b2bda0e734f6a3d85551ff94dfe0c466c57e973057851ebac1d9eb559fdcdcac2f82c53b40fe808caa31c5b3bce84802242ff4dcfc4e722faff60056f
-
Filesize 263KB
MD5 173973c091a72ebbe73c9578ef5d00b1
SHA1 d92045a9daf39606b71bcfc75c4e8e0830845d78
SHA256 f15415185611c7fb5ac97e00ea3452bc7efb0c32953defe27c5c5d5987f3e256
SHA512 50af7169071840f366a7594bf72b2fc5273821ac54800955be6b290b703d192a12caec60388ed7000061e74b916fceb2c87a2bc1e39019955a570c65c4b5f839
-
Filesize 5KB
MD5 328087caf99b50d988a304beeea3fce8
SHA1 23ffef913679537bb049008f5e6f8e517bb24192
SHA256 ba175cfddd91b87bdda3f1df2a70249e1742e846b843381eb0438b70f91a110a
SHA512 d006e8de0f9258a3ee75723e458d635586040702c1357630f199cf5740c7e29d87fefd4b869a897bdd26b67fad134e6bf35a2c01c3a00acc8bf20181d7da1aa3
-
Filesize 4.5MB
MD5 2ee68bb73020ae85bbfd2ccac511d97b
SHA1 6e05149e11cee654d8a41154d7e0a0eb19a19fcb
SHA256 23bcfb48d1f2033ebb1f8c31dda7b4889c2f617d0f7fb964c17664bc173c7bc4
SHA512 674fdce2f10b5f2e275b9908014f9a9cf240459f557cafcbe43dba99b98271f143ecc58fd6e10d6cd3cbb0d77b3038e3a3b9aed85e5dc1d2a5742eaf82a3f467
-
Filesize 485B
MD5 a8f411fe6956a38f637de9416d1c50af
SHA1 d2b7608c37b371e5d82edae5facdf993dec79ac2
SHA256 f622914127718c138b2c5519fc0756d81e2923fb980e72891bb8515111e7ab7e
SHA512 cdfecb1d04efb7f6a19ace90efe3f8ca2205d99f036dbf153c8644f63900b303f458818ffaeeb2a06fb24a82201926e3e96c80795a806327070111c736a9398a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize 471B
MD5 b1d56d9d3aed80f5113f562f31ca90ff
SHA1 2e57fc8c4f1e35de1e1499be0bbf32779e7b6392
SHA256 76cc1a85f10c73e0ed1ba413d33bec515d6ddd4865fdcc38322030b0f7f92242
SHA512 da298e42e6b9bfc733835efbffddb007a7453f24f113861ccc9d1423bed1131c775c36804afb3d9b3126fbe3372c044e3fabb2abe2f3482b958e2b08840a28b6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DE69B2F316EE9B8299F3F764ADA8DCC1
Filesize 727B
MD5 7d6a66d44e6d9c85f24b03a5327c67c5
SHA1 075ead726419d799faf6a4137ae624d809532ec3
SHA256 14456c2f8659274907c693d6cd375089a54846b9f023d7a09f9c3e35612deecb
SHA512 a319763907c5bfc9b955763d6b03f91ef078e87909b1a4056b908229d849071e2e2c003561d066c95f1bd1d2fa69e814987b62012f8f5b8e1c84f1b02710a352
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize 727B
MD5 d3e1e6c22706565d07c5b9cf083e39f6
SHA1 12d3bc9406e47a98818a8e21deeed08daf79b029
SHA256 aa5381f9a094b86dee378100ba11af301fa9b2e0b5e508d6023e06ccd3a2a60b
SHA512 bca97221a6320f9c29a237d2f6fd824713072549f2eb879c963d2c8326493fcd03ceb3b94e737ade4a312cb8331b14865f2f208a73f566a6e08786577fe3b273
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize 400B
MD5 24c8a2e14d0659d069f1d6906da3e917
SHA1 dbcc4a2ddf49e75b7c62b07ed126930cf488ef33
SHA256 a6648ca24758bb6889188dba199bd8e0f5df4743cb521b7dcbd2152daf19a2d7
SHA512 e70989050a884a11655da96a1d3e175ef396106e08b67800bfab68774e7065d6803f7ca5156d53d55795489b2edf1b06e04ddc04b3ff14be8489c5c37a588292
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DE69B2F316EE9B8299F3F764ADA8DCC1
Filesize 404B
MD5 43d2b4a4f90f9ffa79a9d35a3a0e8c75
SHA1 254b19edb757139900b0782dcb780b16eb967ce1
SHA256 099bf27f538aa4ecaa954813dcbdd10f6d9231cf39f11fd3a2f1e0a9c7d746e3
SHA512 485aa4b685c38135d06799acc98f8166d38a66ed6f05ff319400f2cc6172b06e9c105e0ee2cd72722839f971708bb952894d608356f0978b8c76eb7b28e389e0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize 412B
MD5 af348d1223d91e53fda9c9b9e70479c2
SHA1 6366aaed239fc4ae16615306b5ae5021be21ef0f
SHA256 46dd3d2fdd364880483590dced89f3f8b9ac72e1c48cad42f50d2a6db40fffc8
SHA512 f0da816ae960dce02b6d32c0b8896d76de4fd0e8fac97266be0f71c1adff0aba00a4059a399294add78a294af8ee221a597ae9200eaa60ed2a4df9c6d15b0e0b
-
Filesize 152B
MD5 4c3889d3f0d2246f800c495aec7c3f7c
SHA1 dd38e6bf74617bfcf9d6cceff2f746a094114220
SHA256 0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4
SHA512 2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37
-
Filesize 152B
MD5 c4a10f6df4922438ca68ada540730100
SHA1 4c7bfbe3e2358a28bf5b024c4be485fa6773629e
SHA256 f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02
SHA512 b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 360B
MD5 ac3ded427fd20301fd63747351f3c0f3
SHA1 6488ca04ece80dc917a1c97d20d36890c7f21c31
SHA256 61af292797909bcb2e796a4c97c7b0358e95f5412c741d0a05849bd2f79a6fec
SHA512 bead993ecfc7909160781bb2b7020caf238f39262a6cad500a5e93c0cc547595d90c27ca040af6089bc8425ccf806b669d7ce73bc04c2193840d8713d21c0ed0
-
Filesize 1KB
MD5 536f6863bc2d48259c07efa49d906bb3
SHA1 04378689764fef7826167ceb0705bbc304a6de55
SHA256 c1586f8d77b1dd607861caf025a52a30357189c08a72917100942dcf4baed85a
SHA512 f6843d6008ca9d51d3e7c2e0bdcc88eddcb4bee7f44befac8405b7ca753451c97bc8dbc2b646dda25d2dcf2d83969c51028bb8eaaa3548e81bcbdedf04d68d66
-
Filesize 5KB
MD5 334af549927c3ed19fae373e1ffc1b32
SHA1 0b95a6a5e5f23e709dde34986d90956fefba2391
SHA256 e5b41e6c2b6339bda4fe1ffdf7798ece4c48239a84801b89dd2824233e9ddd73
SHA512 cce7d0bd2ce88a4fb8737cb4dbbb9e7c9d7e81f0e4a509483a4b6a5b2f00d738fc09cc8ca77e33d0e2de1cf6a6296b06e9c03b36e7724d0ce7c6fb2284a7e073
-
Filesize 6KB
MD5 ed819be21ef26f20092565a84fa3430e
SHA1 0048d40db6c5cd39c2c19532b42d3f163703fb32
SHA256 4014dc3528493c3f09b61bac6a01e3769dd7ca5c0845afdfd403833fc4a13cab
SHA512 0cb715384eb997e92c467d922716b09bd840fc3354f3a3c6b467dd3239df2cc6253ecdf2fa5906973b1d506d6ece4d9da46d667e7a5d1ac078a45473c8825f73
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5b02fe9bc96cc2f59ce274b3a536a163e
SHA1d90112c57be6cc3ae01341f50a99fb7795bf703c
SHA25682a8be5a1fc8599ee7c3c0c388a5e74bafb9d81c8faed2ccd8014de06e57bbd6
SHA512468a8136f87c0d8b661476439344be198dac96fb77bf666e53ee5f7220e2acc7f513a4fbb8ab940bbc2ee5141e56032c190cd89e7ce599300e4e832ab2bb6add
-
Filesize
10KB
MD565d3e8ca2e1c9229da707078effffdd9
SHA1ae6b93481728ba8aa0a5ea4f06a2bf6beb7ebe9f
SHA25665f8564792330b574d70327c2b2a52f94095aac7fc8a4df622567c22901eb4d9
SHA512c726ab73f2177f03fe13aa80f272769f8abedc49ff09417e927fb53a6c44548174d0d18f05e56c6a4bef547347154df125dac4e7744d61faa73d6be54d7d82b2
-
Filesize
10KB
MD51f2daf9f48d8092d6f2bcdeefce578dd
SHA1912c9209ed830c65744ee0a774b479441458f3a7
SHA25658f29948da69ff2a85ef4a1da5541d8e761dd4896bc44dbb8c126775fa2f2f14
SHA51202d01431783fef68a185ef14fc8b2d247ca71d988949a2363c05658c0c829a7862dbf38088fc1521c4f5bcc3e84709ff8ec3e8057e1e916c785852c4a30e629c
-
Filesize
904KB
MD5421643ee7bb89e6df092bc4b18a40ff8
SHA1e801582a6dd358060a699c9c5cde31cd07ee49ab
SHA256d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da
SHA512d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023
-
Filesize
877KB
MD5a67acb81551a030e01cda17fa4732580
SHA19f6b54919ee967fddf20e74714049b8c13640083
SHA256107fd7ee1eaf17c27b4ed25990acace2cb51f8d39f4dfc8ef5a3df03d02e1d34
SHA51230cc0870797220e23af40d5f50a9ce823c1120fba821ff15e057587c2a91c7247058e9a8479088047b9dc908c5176793e6f3ccd066da30bd80e1179649b2f346
-
Filesize
23KB
MD5795fa180cb30d41ada77a9d51b617440
SHA1f8c34e05325ba7e166c372f7d02ada77c3bbb849
SHA256df95b0dcf906f2cf68cd3e74c7a108eae46c7f574f33c63c34c7c0141dd39c69
SHA5125bb8ddac5ed92a7de096257173d2c9a427a852c8a25dc4ddc738966054584a0068568606393eb8987f26e0bae3349d10321cfaa3e51c7c0d3b2168c093d9eb87
-
Filesize
2.7MB
MD55190b141f86d93919fb271398ea3bda8
SHA1121b1d6ac6a73a3dc6a4b96a774911c54d5bc1e8
SHA25656f77e41fd6cc44b7c4c2c37b085882b449ae50f11409c44d1016225771d9077
SHA512392a4be1d7d212c5c194f829fde86c8ddd7ade3e584b4756749340e67561061424f3d531c526a16bf7ef030f6b8b41b7dd5c6cbd61438ec670a3ca98357c70be
-
Filesize
510B
MD59a1d21a1a572516f037e2610dc4cdadd
SHA145a42d885f21e958ac412c70b1ee7a2bf84c1deb
SHA2560fa4296bb366fb26766147c976467ba4c07f5a485a156e2799f46d90211eee3d
SHA512b3f2c49d582d01a2872931bae4eb298c7be777787d0fea87a2c86507668e2521d9cc86e0788e68d9df3a5c69475e5a9f14792ba944b1d37ac5767a66d657eea4
-
Filesize
461B
MD5c36daf72b2ff1711f60c9e9db4f1a9df
SHA19a6c08af9cc30b2c7a153aaf1e45fc6b588d1cb7
SHA256cc9f21bea0b6c9c565ccb8624e3fbc06dc7e98cc971922aada5fb265bf79d9ed
SHA5126b1a789014f31be8a8c89e51c172ba7a0cd553fe6ef3ec9b47fb376f991d684f24c78c8e693e36a221c184b3ebe644d8a6f8490f2f95bf7ea74bce8209bce7df
-
Filesize
550B
MD54e2b6c4150870bcafa7bb35c2c03f966
SHA1e82c054157a518170abfde5f4547393f628567bf
SHA25670354eb3aa67ad62e5d1f8f9ef49f236ad96f3e89b1b73af043f85046a553ae6
SHA5127b01e3c78ddbe2f02ad1bf8c108c2e5c5d715e5dc461ebff741d8de6ad6e52b206345a80b9696870576b5f6b9c16e9394cbdc93c4fb2bd8c0e32b345abb8eb1e
-
Filesize
596B
MD566b86033f5739ad3e3b3ddf489dfa3ae
SHA1d4ba0fbc2344daf4ed9c45f5eb87aee685521f24
SHA2568df7d31142af26651603c918d15751bf8b9658e23c96e26d1d9bd59038742e51
SHA51244945b9d0f524c35b3f4fee9a117a5f7ad4da088caa162eaecda94e67c51eaf3177fe372c5bdf11ead9a76de9504356a88ae05aa4c6a6332b6088ac1af772a0b
-
Filesize
420B
MD5ceae9e7eeaac6f1993e47864a48705e6
SHA1a7ba1e26d9a28877dff6228d27cbdd328e2a03be
SHA256a10f0bbe9b3fd1abf8ecaa4e3a474d68168b13368a7fdb34924bbb3ef64a9fb3
SHA512484b83cd822a622f072b32f58b4bd2720ae6ed8d008d9da5288d2d1c092ac86aa35cca277be37ace7b139e20607ae30ff8b09d9b102704d78153c6d2d991b842
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
12.8MB
MD59539fe153dfe6eb3045868b1f6dcaa0c
SHA12c483419fc56e18d615219110a39b0091d1dbdf4
SHA2562f607cc4f9a3772a9a2d2b27a67f32300474377524c7b260cc304606463ca011
SHA51240355f2c0d462f337ee7f7291a8b6bdd09549cabd06420865ade786bf437626570137c3c2853aa79b0d70ff9a74a47c955312b4f9fdc345aee5b2e519392d6fc
-
\??\Volume{85315c9a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d93f772f-8dab-4131-b26c-ada23a4f9e7b}_OnDiskSnapshotProp
Filesize6KB
MD59d6dd7cd16141a97edb70d36736f6c03
SHA1a115010df7ac305e06198d8c2541339356846a98
SHA256c105b0bbd9c6c481f7094b237b2371832ad5f83a5fc3271221be2f18846a5c94
SHA512da0b9d8db7fa6dca66c44f076ab9a1e918ed14a918ee6e8b17666eb1b30cf0d65b49861d0947b28bd1275b60348010bc10b87a6870afbb6b315774e55364b896
-
Filesize
319KB
MD5eaf913c1de47c2421669b662edaa5a6a
SHA153524526e1898a90fa98ae02e662b9c0e6dc2848
SHA256425629b6309000013e8cd1a9b827bee365d21c9f743873aadd0c3bc96a999d2a
SHA512bb674feb73751172a1ace65aab89c5ebf952a07f7af0f3ec1dadf357ff693230cf08910ae273e8335eec35e5827da6405272d05c161987df679199935af21a76
-
Filesize
10KB
MD5acdaae5d1219e7703285c42f774be54d
SHA147df82d8c843bf1adc098a26e9e3e27217b3104d
SHA25625c8dae186155d20f74feedefb4f84161e4215925b8fd0c898f68f3e50ebcd7d
SHA51283b663222fb22b1760ea8551d19557f3f2905bfac205b380b23dd7f2a65a37b851a3c3c345e4a768b76700bb891b97c96a0dbbb58d81358993293ad1eb3e300a