hxxps://github[.]com/NetheriteTree/Malware-Database

Analysis

max time kernel
690s
max time network
629s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-11-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/NetheriteTree/Malware-Database

Score

10^/10

adware defense_evasion discovery evasion persistence privilege_escalation ransomware stealer trojan upx

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "E\x17÷\x0fÞ>;¤½DS\x0e¿z‘âîZ·^m¶&jèÀ³g"	cmd.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "é³'©F\x1eœŒ/\\s^!ðžt–ÞP+YƒäÑç¡åq"	cmd.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "¿lø.\x19µ\x1a<ã+xÂÜK¯ãCG'q\x1cá@#\x01\x01–Ë"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "À[§\x17z’™,;DiL™\x7f\x1dÁÉÈ…'~\x14ñ$Ä\x04š±"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Version = "y®ð¿O¶ª—k»ç\b0E\u0090\x03;\x16U\u00a0>\x13œÏ·ŒùH"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Locale = "º,û”Èlý˜ëY\u00a05\x05ïÉÙ0ƒÈÁ*„™Ä2(`Æ"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "eÔ&Ìþ—ÃòL\u009dÅ‰\"žØÓ¡Á‹áÅ‘¨\rbyR©"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,348,22000,0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "10,0,22000,0"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ComponentID = "ëðC·²G /åo\|“{\x0f¹\x0eÆ‘Ð\x1c\x7fjJ‚\x1dÈŠ+"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ComponentID = "À¦†‹*\x19´ˆÊ/\a+\n”YâI\by\x06 ‡c”\"6•E"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\LocalizedName = "g‰J’Íøð0ð~Ó§íW\x17ã½.?WÜ¿9û#\x14%\x03"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\StubPath = "ŠÀ‡T¡ß’\x12S\aÿå~k\x04ç·`Ÿ ý \\y¥€˜\u008d"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\ComponentID = "\x14ŽõÉ\x18—~\aÑ`åA\u008f©TM¿\x04-1…\\!\x14\x06 \u00adÜ"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Locale = "Î’êI¸0^ oý\fPX\x0eªÝËj™\x19ð\|Z\fv\r'Ÿ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ = "<0Ì9-'K1\x13ý¯^1I!·”D{"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "=êE\\ì\|`\x12U\x18#ÖÎ¤Â\x7fŠ´v\x0fÎ¤Ÿ\u00a0˜r™\x1f"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ = "\u0081bÛ”É^°Ÿ3$).K~AÜmÎ\tJZÀœtVd\x17z"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Locale = "Ù:Ì.Ï:Ë\\¿§\x16\x16T¦kñ$Üàû×xœ\x1eòê\x12î"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "ƒÎ\|\x1c¤‹6ð{ï‘¯ú\x1fÞ\x16iåc?!\bGÃ£«ªa"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Version = "ïIl\x193\x18Òk°Òß÷nJ\x047·íô³¨ÊÚÅþ†mÄ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "óÐ\x0f™æ\x12\x7fÐKxsO\"jãîjó[˜Îê¹ÿvïÍÎ"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Version = "Óð\b]ÜXüQÍ\u0081¯r³Ü\x11é[4n\x0fÑ¬Ž\x18£\u008dŽw"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Version = "\x06\x16;éHIÖÙ)Ï“Çw×vûhÀˆd\x17é\nÑ\x06ŒB\x11"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Locale = "8Ò\x1f\x10Ðïµ¬îqÚ\u00a0£@JÆOÃoè\|iÿ¾EzÚ’"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ = "—e;úÁx\x1fú:üý5w#û\x19¡n‚B,\t,„v/$k"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "õ×üƒõ×\x0e¹xV×\u008fVl[al¹Å\x05\x1c€Ü6†ä\x19i"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\ComponentID = "`ú®ûÎ¥2}Þ/\x11Ø\x01Å™û~°\u008d»a,ät“©Ý\x13"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "Þé\x17»Fà×:¡¾¶#Þh¥¢Å÷D9ëJËkôˆ\x14\x11"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "0¬Ù·ä\x1c]\x1a=–,ãV/yemÍ}Ù»Å\b\v\x11áe‰"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\ = "å¥•ZÛsÇ‘•Ä«BÖ*¡>-™¸ÎØ?›)X\x17ƒ§"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Locale = "¢\x11O0\x1cÐ¼NÇeð5Xs®§¤‚e³Z]Ò"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Locale = "–lD\"\b\u008f\a\x1b¼•îus½\x17¨\x01Œƒí9\x19»r¯\n\x12\x10"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "\x1c™\u0081Øõ¸ón¦Õ‘\n—\x10•ñFòæ.,ìÐ£²\x19ðn"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,10011,16384"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "eáÕ}3"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ = "òC¦[uÇ¬HPÉ\u00a0Ž¦\x18\x16·YyêÚÕÐ\x15"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Version = "P™.\x13\|‰g\u0090dž}Îëœ¯}¸ºvÝDv4¦-\x17\x17µ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "\x18\x1d¾-“îCé‚6âIÃË’{$“\x03ñ\v'IãþeoÁ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ = "\f\nhß\x02\x10\níG¼9Â=\x1b_~ˆèz¬Ö=¹[\x16ä\x1c6"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\Version = "Ü\x10C\u00a0«Ì\x03×á\x0f 7†&Æ¾xjÔìê÷}Âw}®‹"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ComponentID = "ž]\x01¿øÚtÞ†ç\t¾\x11ŽÀ\|O(\u008fÎ\fM\x1fÈÈ‰0â"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "‡±Tûf=Û‘’õråCB«ÕÒrºº\u009d±Ëÿíë,í"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\Version = "\nô)œø\x1a\x16q\u00adñ‚Æ'V¤ëÂ3\u00a0èÊ¶\x0fä\f\x7ff€"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ComponentID = "’'¢2tçìrd¥ò èÜ\x05 j\x06LâCâ†~Þ\x14¢K"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "â¤á\bÆÌú€!nîæõzaè\x040Å;©Á¾ú\u00a00¶¶"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "GÊiÁ)¹\x02\x02´Œ9õx/¾°£ËY\x19#Ø¬4ÊAå¨"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ComponentID = "#Xl\\òB˜ä*æïÇ(\x01Â‹4mH'\x1dÁÅN&„{“"	cmd.exe

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 12 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

persistence

Port Monitors

T1547.010

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts	spoolsv.exe

Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 9 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\AppExecutionAliasRedirectPackages = "¿'ÇðÀÃ\x12KÔ\u009d"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1\FilterFullPath = "‰'›àB±Ž*a†´#Sø9¡Ù§g\v÷\x06PÝýå\x10¡"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\FilterFullPath = "\u0081Ö\tÖ}\x1f»)&¾ò\x056äìÌ¬»\b£™\x12Ñ£ç\x1fƒ\u008d"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\AppExecutionAliasRedirectPackages = "Ç;\x19ÌXýž¥µ\x19™Ÿ¡š]³\x1aÄ\|K¥œ\x04¼vãRû"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0\FilterFullPath = "sú>¦:Lë\x14$f\u00adEV‡\u0090…\u0090Ø‘ì\x7f\n\u00a0]ò®\f\x17"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2\AppExecutionAliasRedirectPackages = "4Õ×ñÕ$\x02Ï§éËlmªû¹}c\x1eßr¿\x14{•z\u0081!"	cmd.exe

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\FuncName = "”késâl\x042\x01Ð‘¢Ãn]Úˆ\x14\x15Bá@\x01ö\x01(nJ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "\x19$a&\x15Mê%ªèÊq‰\x1bÖÞ\t\x0e\r0—Â:Ã½3A_"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\Dll = ">\x17ÑY…(þ\x0e£M\|ó\x04\x1czæ³b°.8\"€KÏIÐ-"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "ç”>Vt›–klÚ®í´G<¶—APWñ\u008d\n<Ô¬pl"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "¥š@oÈzrQÀè£jöóÄ½‹0\x04wmY¨\u0081}éR¹"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "N-\x14çðÏ\x0fY.%‹Š#jÌ¿\x18¼„ƒmx³T\x13¯Ž\t"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "Õ\x7fGFO‰;G]ß\x1b,¯Jú’x·À75™4ÜRÌ\x1a€"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "`©Í£+*ÂF æ9\x1c”[ˆèÕ\x12¢B\x0e¬\x1a˜eàHì"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\Dll = "‚šXsýfê\x1dÝ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "lrsä¯‡_¿\"Ç\x18\x12\x1d\x1c°‡Ô³\b½ñ\x1a»Ê2<TÓ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "rû\x1bq¿d‰*Á¦1±9”õ\u008dßã,›\x13]\x14>\x17C¹š"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "`$\n¥Ž=C\x03\x1dJ.\n\x12íÆžŒ\u009d\x160r†a‡åM\u009d\x15"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\Dll = "’ST¯©ü\|ÕâL\x12mÝU¼N4¼T²ú›Î\|äÊ–Z"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "(¤ü\x14ý\n][¾\u0081Äü\u00a09P†×4-ØÇj¦ºä<ª·"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\Dll = "Ðq½\x17.¾ú7>”'ž\v¥Ã,þÉªì}ûØ7æšgj"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "\x1bL?ÃžÁ]‚sjà\x02?Ò\|¥L\nÆÆg\\±\x1fDÖß?"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2223\FuncName = "í„\|òh\n\u008d-)\rVÆe7\v{ƒeØù:À¬)«^mU"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "U:ÔOØÇÒ\x7f*º¶B\x12\x1a\u0081›D\b—×ŒµZú%yÁ¾"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "\x17¢2Þ?.Ð\f¢À%Äü^ÔCËsÜ`xÎ\\Ü‰0lÙ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$Function = "Yï\"k•Gr¾2h<}û¬´¤\x17Â{´‹W×”Ó¹xí"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "âc\| Œø2\x0eB"	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllProtectedRootMessageBox\DEFAULT\Dll = 1f00e700c200ae000400d30015003e00d100b9006300c0006800e9003a2059007900cd00e9004500fa002900b000b90030000600bf00b80000000000	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\Dll = "™œ™MÊš9þ]êÑO"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\FuncName = "U-m\x04\\Kæx\u0090\u00a0±Fß\x13Ä©.\a¿\roÝ€‡A9Rö"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\Dll = "ÑH·Ùm\x16°ìõèÊ•ÎÏ×©™ëE¬ñÑÖ\x02\vrª³"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\Dll = "\x12¬¦¨ÎÒb}—vÛ7ë\u0090v®ºl]\x18:~Ê{µq{G"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "çH®¹“üèŽîÆ\u00a0;\nd!Á\x0f´‰Q®€%Ýf\x1fjÑ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "f26ßA³É\x1eÒ^âÜ‹Å&\x7f£n¢ac–Å7Í\v×\x15"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "”tájÂÍqóX\u00adª‘uÌÑ\x04yÙâÞóñ×O”»¯v"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\Dll = "=¨Ê‡+\x10ÄÛ\x06Ã\u008f¯;¾mŠ6Ff'u&ÌÈ¤M(X"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\FuncName = "à¤;~Ó\x02¦o\rXê%»#Ït„ì÷d\r\b˜vØ¢_ï"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "ét6•\u008f†Mi×¨‘\x05YŠäÏC$Á¬D!èØÏ\u008fÒù"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "\x0eüqšÖ$èNTÜäÿ«5ÎT*ÃM“öl¼¦.å±…"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "\x11ov¡\fÏ\"œìäÐ;e˜¤éØ$”eý\"Å\x03\x03ÇtT"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = " \x04›‘<´\x1a4ŠZ)TjM9e\býÖÓ¨ÃüH°b‹\|"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "°KGñŠôÜ:_\x01°”12“2\x12\x0f\x7f0V}\x13ÒÇ\x19Ž5"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "ª«\aˆé‡\tæÎ²5É2–Œ~ùŒiXuï\x0e\x1d•ÞUe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "ž\\}\x17\x1eœó/W]‡<\x11^Tj1+\x1b?\x0e…x™äç˜§"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "‘›\x16¦×F>T´ÿ\|œw\x04uŒ6×Ü\u0090ó†\x11\x1dˆØ\x0f\v"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221\Dll = "\x01û\x01>öƒ\x1d8oPCK\x11úG\x06\u00ad\\;Ø!\v–4m†ä¹"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "ãO¤{\u00a0uÞJ\x7fàýµÛmÂí™%m7·a.PñÆìô"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = "æ ƒ`.‚«\x1dfêTÓ×X’ÇQ0UªZ\rhhw&+ô"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "]UqÄ»Â§Ah¶½\aïë½w\x11ú"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\FuncName = "umm\x1f\x1e0Õw\x0fA\x16¿\x0f!¤f>\tƒU\n\\Ü^RÏä²"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\FuncName = "å´ÉûJƒ\u0081Ó&\x18ÑÝ\x17§SpÇjãw¼n0ép\n¡{"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "\x16ÕM„ís\u0090\u00ad#\x13E‹H\x0f$\x06€f×\fKØ\x1cÒ‡#E”"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "ynœ\x1b™!\r†m\vÜ¢m\x1a2WpéæòQQ§!ÿv\x1eF"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "õ~ \x1b=™7§U‡A:W\x19\f<\x1dŠäðW—)Ÿ\x1a—¹]"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "óå\u008dÐ°:Û¨\u009dQœ›·D1ínL\x14³±\x04Õ<Ñ\x1fnU"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "k¦\x1fvØDøe\x14\x1c\x17Ûâ\n¬’ŽH§™9s™\x7fø\u008d\|H"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "¾K@u¥ßÅ‡_¡hPLJóÓ+\x1e\fßÊÏ6Ó£Ç±V"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "ËM\x01¯â‰‚M¡~sœå\u00ad†u}3¯d\u00a0/ˆ2øj\x06ä"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\FuncName = "\x1e\téké!ô•\x19@™£ÞÞ´\u0081:œð¥ðëAôÒË<\x1f"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\FuncName = "\x17"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = ",”Ãƒ°wö+Ô ü\b›»1Îêò;PVUÇ“òÝ”9"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "\rÀ\vÿjæ¦w‘d\x0eœïÎ\x12O3\vO\u0090ªÞ\x12\x7f8ì Þ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "<_f¤å\u0090Îê ,¿Å\x02RYï¯M\x06’\x7fK0…\x17¯ö˜"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{000C10F1-0000-0000-C000-000000000046}\Dll = "<\x1aâ1\x1e9\x1c\x1c\u008fMÚ\x1fÅ·˜ÔD\v\x16\x1aÂîš\x05cÓ>þ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "^\|‹)ª\x1a^ã–À\x11^\x18Ÿª\x1c,Á€"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "Õ\u009dÎc\v\x16ôµ\x10\x14\u008fÝ¢¤ƒöóì\x1calÂ¯\x03ë4\x18\x1c"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "GU\x1b=ó0\u0090w™‹\x02?\x1bvÙ*Ÿ\aoôM!6\u008dTÒ«¬"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\Dll = "\x0f„´¤P ma.\x11\x7f½Gò5‰\x0e\x17\x1du£hÃ6\u008d\u0081èï"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\Dll = "þ ´i:´’ay°ÿ&ÄfyZ\x05\b¦¨¹i#\b^\x1b³Ü"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4\FuncName = "¯'9èg&È„\u00ad\\NÇˆŽ¼>Vc\x04˜èì-‹+"	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\Geo\Nation	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\Geo\Nation = "\x117·j’4;OrM ò¦Cµ9\x02ò\f\x01¶4É~PŒŠ_"	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	VeryFun.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "dõÓfÚM`\x18,å\x14\u0081S\x15\"K÷M\x02\x10\x1fP\a¼åölO"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "!+•¼DŒ,¡H!œ‹Jü\u008f„‹(\x053ÿ¨8o\x067\x19j"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
29	raw.githubusercontent.com

Maps connected drives based on registry 3 TTPs 1 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	cmd.exe

Modifies WinLogon 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DisplayName = "S$\x1e&u\u00ad\x02\u00a0ØI\x13\x16c\x06_\u008d\x05hCË#“ÄÚòåð˜"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ExtensionEventSource = "VY2Ô¬áOfÇàVt"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ProcessGroupPolicy = "²þ\x10\x12}æ\u0081Ž\fj’°”\u00a0\f\x13šÊ5¢Ø"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ = "Ia†Âç)º©dl•\x19¸\x0eÒ¥\x7f›½Ëü,<×¼Ž¶Q"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ = "_îœû1\\åäAp»\x15"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName = "\x1d'\u0081\u008d\x1b½÷‚²BßÜó\x13,’Wa\"'û÷J\x1bÑzÉä"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ = "ßº'@\x15¼é\x7f\x11\x19£\x0eù®µm¶4Ñ&¢½šòÞ€Å¿"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\DllName = "Àmÿ®<áÀÀ Ô Äâ\x03ðµ-j\t¥\\‘¼\x15Y±g."	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\EventSources = 6b0053001e001c2078003a2022212d00df00e60068004600c200aa00f500b3005f007700c5005d0071009d00f400350065001500e700e00000000000	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DllName = "ß\x06'~^\aN\x06›t¸Ð¬P-/\x1a0›²·#ÌX—»¢Â"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\ = "]ÍÆ_‚´©S\x1eöÚÕ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\DisplayName = "\n‰º\x18<6—Ã\x0fú\u008dÆ4”\u00a0§Œ…\x1c´Pª÷ÉŠ½Ê\x10"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ = "\x17{§\x01ˆá\x05lÈà¼<”Æ¢);é\u008d\x01©X&‘²\x13äß"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "½,³®\x1a\x0eì\u009d\u00ad¢ÏI„`À,±äKº0º§öÚ~ç\x05"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ProcessGroupPolicy = "&×JjºÖ\x02\x0eœ\x1b”‡ìiˆ‹æyÒŠÎøBr¦Á\\e"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\PreCreateKnownFolders = "øË'µE\x0eQ`Œ‹]5-5Y\x04]Â\x13µ \x1b%£PóLL"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DllName = "“¿œ\x17à\x03&›òÉ•\x16$4'^ÝÀ”ÿ~é†ÿÑìwV"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DisplayName = "Èd\fn\x04“éîV'\u00a0?+\nc2‘’9P\u0081J6o\rÆfk"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicyEx = "ß½!ˆ×©’A\x7f¶šg]Ç2ƒEÒÙ\x15\x15(›&üÞ\x1fF"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\GenerateGroupPolicy = "ç…\x12w°Ð¬C&‹'+\x1d:l€055e“AFÒ“K.d"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\ProcessGroupPolicyEx = ".ÓZøu7gyüÿÑ\x1cÕõ™§\\+”!îÏÎ)7ß“\x1b"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7909AD9E-09EE-4247-BAB9-7029D5F0A278}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DisplayName = "ŒUãÃI"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ProcessGroupPolicy = "¿< ª˜\x16•ÉŒ’¨€W„Ï\x17"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\ProcessGroupPolicy = "c\x13ÓÄ®\u00ad\x1bè4ö½òêO\x16=øÕ\u009d1<÷\x05\x18¢ÊÁj"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ = "+³\u0090øŽ‹Y\n%+þbÆ:xHÜÙïéÚ€jã»2S="	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicy = "—¿»:‹\x7f+`G\f.+\fƒbÁß\nfµ‰rÍQQ£ž2"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\DllName = "ŒÏpþ\u00adÛž\x05\x11,PcM9ú˜e€f\rß\x1cÎ©A:…–"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicyEx = "Sv‹žž/vÉzˆXôm'êù\x01bcx;r”¯[}Ín"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DllName = "\x1a›Æ˜éIçÃ5Œ…ø&[€E\x1eF³\x1dŸX¨ñ=\x03©û"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\GenerateGroupPolicy = "*ö'è›\t„V÷4O\x1dèŸù~;\x1b‚,Ì¸”4¼¢S1"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{2A8FDC61-2347-4C87-92F6-B05EB91A201A}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\DllName = "/\x05Y\x0e°¤³Ž\|OÔ\x1bm\x0f\\æÆ\x01`ÓJ¸lƒOb\tÛ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DisplayName = "]næ\v_^Ò\x0eÀ’)ÎÞJÛ\t¶G\u0090ÍD®"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DllName = "\x13D÷\x05\u00906¡\x05¯á‚Ÿ¾m)öò.\"ŒH\x04\u008d¢Œ\x05ZÛ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ProcessGroupPolicy = "2åsôÅq±–7í\x1b‰„NpÑÏÉdæÄúó‘hS^\u008d"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\ = "—,Ÿ\"\u008dk\rzItO¹¼xÊsŽŽì¸iŒœ2{\x01xÖ"	cmd.exe

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3844-252-0x0000000001300000-0x000000000149C000-memory.dmp	autoit_exe
behavioral1/memory/3548-257-0x0000000000A20000-0x0000000000B14000-memory.dmp	autoit_exe
behavioral1/memory/4868-287-0x0000000001100000-0x000000000120C000-memory.dmp	autoit_exe
behavioral1/memory/2772-297-0x0000000000370000-0x00000000009AD000-memory.dmp	autoit_exe
behavioral1/memory/2772-298-0x0000000000370000-0x00000000009AD000-memory.dmp	autoit_exe
behavioral1/memory/3144-301-0x0000000000D00000-0x0000000000E0C000-memory.dmp	autoit_exe
behavioral1/memory/4636-313-0x0000000000F00000-0x000000000100C000-memory.dmp	autoit_exe
behavioral1/memory/2772-323-0x0000000000370000-0x00000000009AD000-memory.dmp	autoit_exe
behavioral1/memory/4344-326-0x0000000000500000-0x000000000060C000-memory.dmp	autoit_exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spool\DRIVERS\W32X86\{4AF9DD7A-81F5-4F72-8057-2C3BA7675AC9}\MXDWDRV.DLL	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_ceeb330db4f96bf3\Amd64\unishare.gpd	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\W32X86\{4AF9DD7A-81F5-4F72-8057-2C3BA7675AC9}\unishare.gpd	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_69e8e0efb212ba16\I386\MXDWDRV.DLL	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_69e8e0efb212ba16\Amd64\MXDWDRV.DLL	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\W32X86\{4AF9DD7A-81F5-4F72-8057-2C3BA7675AC9}\unishare-pipelineconfig.xml	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\W32X86\{4AF9DD7A-81F5-4F72-8057-2C3BA7675AC9}\PrintConfig.dll	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_4540e16c07f9c1ad\I386\PrintConfig.dll	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\{10208437-8613-4FF6-8F1E-0C2D395B6D7C}\unishare-pipelineconfig.xml	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_ceeb330db4f96bf3\Amd64\unishare-pipelineconfig.xml	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_ceeb330db4f96bf3\Amd64\PrintConfig.dll	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\{10208437-8613-4FF6-8F1E-0C2D395B6D7C}\MXDWDRV.DLL	spoolsv.exe
File opened for modification	C:\Windows\System32\}½[\æS'2m\åèßQO1ŠOž7ûlûó#´\desktop.ini	explorer.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_4540e16c07f9c1ad\I386\unishare-pipelineconfig.xml	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_4540e16c07f9c1ad\I386\unishare.gpd	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\{10208437-8613-4FF6-8F1E-0C2D395B6D7C}\unishare.gpd	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\{10208437-8613-4FF6-8F1E-0C2D395B6D7C}\PrintConfig.dll	spoolsv.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Wallpaper = "àM\x1c‚§ílÕa½õ.êÆ\u00adSÑ\x1eO\fçe#Òjd÷T"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WallPaper = "àM\x1c‚§ílÕa½õ.êÆ\u00adSÑ\x1eO\fçe#Òjd÷T"	cmd.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2772 set thread context of 3844	2772	VeryFun.exe	98
PID 2772 set thread context of 3548	2772	VeryFun.exe	99
PID 2772 set thread context of 4868	2772	VeryFun.exe	105
PID 2772 set thread context of 3144	2772	VeryFun.exe	106
PID 2772 set thread context of 4636	2772	VeryFun.exe	107
PID 2772 set thread context of 4344	2772	VeryFun.exe	108
PID 2772 set thread context of 3188	2772	VeryFun.exe	121

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab8b-205.dat	upx
behavioral1/memory/2772-249-0x0000000000370000-0x00000000009AD000-memory.dmp	upx
behavioral1/memory/3844-251-0x0000000001300000-0x000000000149C000-memory.dmp	upx
behavioral1/memory/3844-250-0x0000000001300000-0x000000000149C000-memory.dmp	upx
behavioral1/memory/3844-252-0x0000000001300000-0x000000000149C000-memory.dmp	upx
behavioral1/memory/3548-253-0x0000000000A20000-0x0000000000B14000-memory.dmp	upx
behavioral1/memory/3548-257-0x0000000000A20000-0x0000000000B14000-memory.dmp	upx
behavioral1/memory/3548-256-0x0000000000A20000-0x0000000000B14000-memory.dmp	upx
behavioral1/memory/4868-287-0x0000000001100000-0x000000000120C000-memory.dmp	upx
behavioral1/memory/4868-285-0x0000000001100000-0x000000000120C000-memory.dmp	upx
behavioral1/memory/4868-286-0x0000000001100000-0x000000000120C000-memory.dmp	upx
behavioral1/memory/2772-297-0x0000000000370000-0x00000000009AD000-memory.dmp	upx
behavioral1/memory/2772-298-0x0000000000370000-0x00000000009AD000-memory.dmp	upx
behavioral1/memory/3144-299-0x0000000000D00000-0x0000000000E0C000-memory.dmp	upx
behavioral1/memory/3144-300-0x0000000000D00000-0x0000000000E0C000-memory.dmp	upx
behavioral1/memory/3144-301-0x0000000000D00000-0x0000000000E0C000-memory.dmp	upx
behavioral1/memory/4636-311-0x0000000000F00000-0x000000000100C000-memory.dmp	upx
behavioral1/memory/4636-312-0x0000000000F00000-0x000000000100C000-memory.dmp	upx
behavioral1/memory/4636-313-0x0000000000F00000-0x000000000100C000-memory.dmp	upx
behavioral1/memory/2772-323-0x0000000000370000-0x00000000009AD000-memory.dmp	upx
behavioral1/memory/4344-324-0x0000000000500000-0x000000000060C000-memory.dmp	upx
behavioral1/memory/4344-326-0x0000000000500000-0x000000000060C000-memory.dmp	upx
behavioral1/memory/4344-325-0x0000000000500000-0x000000000060C000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	ie4uinit.exe
File created	C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP	ie4uinit.exe
File opened for modification	C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.DAT	ie4uinit.exe
File opened for modification	C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.INI	ie4uinit.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	ie4uinit.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	ie4uinit.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	ie4uinit.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Windows\System.ini	VeryFun.exe
File created	C:\Windows\brndlog.txt	ie4uinit.exe
File opened for modification	C:\Windows\SystemTemp	chrmstp.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Windows\SystemTemp	chrmstp.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 4 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VeryFun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties	cmd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	cmd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Control Panel 64 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\ButtonLight = "ö\x11[Y!Kš\\\x02sš(·Ññ¾_\u00a0ôpG%\\žS\aiI"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\ButtonDkShadow = "A'™+TØ\aË,0‹æ-Â¿nKS\x15óôekŸ\x1fð=k"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\HilightText = "\x12y—2ä)°ö"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WheelScrollChars = ";^\tI\x04±ûŸ*sì·\x16ç–]ÕG\x17a±¶\x1ft‹º=)"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Cursors\Help = "1\vÌQK;B3”A\x15ö$¦\r*\x05GLX:oîÐõ€Oó"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\Scrollbar = "ë°“éd¿µ_¨§d\x7fñÜñ´Ø÷5ŽâÏ\x1dD=õ™]"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\AppWorkspace = "ÍõÜ\u0090\f PPµ¥Wr\tO0\x10¢ùhk\r\x1b#9tËã\|"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\Keyboard Response\BounceTime = "°_Ý`œ¨W–?³f‘zb E›&ó\têFòdàBÀë"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\GrayText = "&\x16\x11\x121\bš:\x13ï‡ð&Ó¸BGƒMÖûîžk\x1f \x1f\x1b"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\FontSmoothing = "“Ù\\J\x1b\tl¦ç)Æ~Œ\x7f’S½HB¤ö#<j\x15Std"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sYearMonth = "'ÏIhBj4!€„ôZ3E—b³›¹÷}8vw³èó)"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\MouseKeys\Flags = "õ\|¹§7t-)wŒ¡\u00a0hÌs'CÅµ˜‚ä\x01áâ°¥v"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WindowMetrics\PaddedBorderWidth = "ÚjõT°\fñ›D\x19œ¸BM\x15HK;Ï7Ïô#¦yË_ú"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sCurrency = "Î¯\x1d\r\x04s\x0eX€Ÿ!Hš-\x05ÅÝ-ƒCLjí„\nø«_"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WindowMetrics\CaptionHeight = "/¥†\x13ûÛ\u00a0×Î5Rµ3Eüý*Ø\"Î\x1bù9Q\v)Fp"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Input Method\Show Status = "V‡\x05\u00a0\u009dAL\x10ÔKkLØC\t\x1dü-+\x1eDÏ¿Õ©6;¤"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\Locale = "\x01BHy\x0eµ d}HÖš¤ðß’ìÅt`›ð0u’\x0eöÔ"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\DragWidth = "{?Ÿ3\x10\u0081÷.öÛžÅþR„Žu‡Ç):Í=äàgèò"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sTime = "‡‰18›0û\x13”ÉG›–mZtÚ{¦rYa~ Ÿd`·"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\TileWallpaper = ")ßtÌ\"“1¾œ»c\x19\u00adež\x18«¹4T)âÄì¨\x14œ&"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\Keyboard Response	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\Keyboard Response\DelayBeforeAcceptance = "ÿ½¼!&µü'Æ\f(Õé4}®M‘õóìŸ9o\x1a\\\x0f”"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\SlateLaunch	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\ActiveTitle = "C8\x0f\x03ò7úrÙfSç\u008fÅ¬=(YvöX~Ô\u00a0Mè†y"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Cursors\AppStarting = "\x7fˆRL{l\x1fhc\x11©÷ŒhxA©@4"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Sound\ExtendedSounds = "FÄZ1ÞÏ3#Æ\bÓHÇï‰âç¡"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\HighContrast	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Cursors	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\ButtonFace = "\u00a0r\x0e¾ú\x14>ÏGÃ\x15oU¶Ÿ(\x115œÙ“»²´)urw"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme = "ºE\x1d\x10 \x0f(×Â:z‡hd¯À@r.q^½u,²ÜT«"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\MouseKeys	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WindowMetrics\SmCaptionHeight = "»\u008dº¾\x15‡Â‚÷ƒ@B\x12ü6®ó.—á….ò\u008d«\b„s"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\Keyboard Preference	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\ButtonAlternateFace = "'(3µÍ«\u00818ù–œ!EµŽû²š‹\u00ad*F7\x1fðí‹:"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\Keyboard Response\AutoRepeatDelay = "R±\n\x1eÀSI»¢‰ãX\x11:\x13\x16ZH>v8x(V™*:²"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\PowerCfg\PowerPolicies\3\Name = "Ô\x1b`9ßôå\x04jl\x1c:jƒÌNÙÁíÌkœñðòÜ\x1d?"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WindowMetrics\MenuHeight = "väð÷ª^\x17ÃÝË,´kz\x1a`J+\"±]3þ¬îXØ6"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\MenuHilight = "rô3€\x1d\v˜Ì›_\x1c[ž„½ÿ¤“;µöÿ©\x12¸ä\x12,"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sShortDate = "®Ú¥Lé"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\iPaperSize = "-äB~Ë–\x03\x7fá\x0e\v/\u008d—Ã\x11È-¼5\x17\vacæXí "	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\AudioDescription\On = "Ío¿\x13_\u009d[\x06Š\\ÿ(u…–…ó\x05™,2¶C\u00a0"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\ButtonHiLight = "WÆÐûSMŽ€eÇ`ð\x01ê¬ÒqÇlž\x1e[†LÁ†ß\x16"	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\User Profile\Languages = 1b002600c800b50030207100280000003a006500c400120035005a001920e300cb00fe003f00b700a400c1006300fb007900af000800d00000000000	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Keyboard\KeyboardSpeed = "–aºÂ>ÐÙÇß@¾\x1c‘~¥8\\‚?(¼\x0e\x02<Ý•¦´"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\StickyKeys\Flags = "6¸R‰`ËÒ›*h©ÄCm~°<¾îH9àNÜ}‹\x05a"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sLanguage = "óX"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sList = "îœ{Ê\|áUò6¶k›\x03Úâ&ªþø„Þ\x12qÙO³ïE"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sMonGrouping = "1¡ó\x1dn¹ç=\x10XË&kÕá@\x1e*æ1iÿï\x0eõÜïò"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\GradientActiveTitle = "¸\fŠ,ÿÙ£È\\×\x13‰¡¡\x12èÜÝÉ©T\fß\u009dÊÚ•î"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Cursors\SizeWE = "äöÊþ¾-Ê\x19â\x1d-[´ØÀ‰‰K\x15¥#ç,s\aŠÕƒ"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\DragFromMaximize = "AgÚU\x1e8c•õûK)\aÆDiÅ´\råVÐ\x18b\x0e+Š]"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\SoundSentry	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\User Profile System Backup	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Mouse\MouseSensitivity = "t\x14<»\vÂÞµq\x14hƒ`Ýh\u00a0Ê¶\x1a¥j1„\u0090\x10¥Ž’"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Colors\InfoWindow = "þQ\x19,1Ÿ\tŸÈpç\u009d!ŠËääŸ\x19\x10]Î-¡Sq\ná"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Cursors\SizeAll = "\x01p&ïÑ•òEÀ¯3UZÁK_¦žMJ\n\x19^,O•vÅ"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\RightOverlapChars = "\x01Í÷<d±\x7fôÉ#½8¥\"ì9ÙPƒîÂâ0\v\u0090\x1f¯#"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WheelScrollLines = "Ø\x1bÙ¡9ï]…q\x11žÎ¸~1º–Ãà–úk\x02R\x1d3 µ"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Colors\Menu = "\b\x1e\x13¨fqP+;\x0fÁcÅp\x03\x11üf®ÓµäqÕ\u0090\bú†"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sTimeFormat = "CBÖ“¸ä\bN\x1e$‰\x135öÑ,×Þýn–¹\x18\x05ž\u00a0‡ù"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sShortTime = "o(cy6 ‘G\|ûG3rä“ý#¸üÊ\f\x0f™$ær_¡"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Accessibility\ShowSounds\On = "M¹?\x03Ö>sã¹”ˆÝƒœ\a¸Ï+n„†4\x7f73¼\x1d="	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\iFirstDayOfWeek = "s¯Ì\x13utñžÝO˜¸‰+Kvò\tñP\x1ftF)¶Ã\x14Å"	cmd.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	ie4uinit.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1B}\DllName = "7q(\x1a@å\x1dáÛ¥M™ã¡\x10&\x10\x1f\x1bÊ¨‡\x18\u009dç×ˆ\x01"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{21347690-EC41-4F9A-8887-1F4AEE672439}\CompatibilityFlags = "úºlN*Îˆé+\|a´¥ËUò›[©¯7\bK?}âk®"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5A074B21-F830-49DE-A31B-5BB9D7F6B407}\BlockType = "\v\u0081¹z\x12\x1a\tqz½ù3w´v~\v@bhXò\u0081=+úão"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{7778AA60-698A-41D9-9BF0-7AB41045AA7F}\Version = "œMÆŽfU,—'ðfÄhG´âág\\È˜™Î€/×wˆ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6bf52a52-394a-11d3-b153-00c04f79faa6}-32\AppName = "\x14_…\x13ysx\u0081Ób\x11\\\x1cGÌF1¼åiI˜ÌXÓ\u0090xŸ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SYNC_SETTINGS\HelpID = "Ü§÷h.öQÃ2!'Ò\bì\x1dá\u008f3×Ö\x11(ÙÓe \x14w"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\GENABLE\ValueName = "P‰fÁ×²Ï¢\u008d$Ô?Q¾›•É—§\x1a›\x04QTjÙÿt"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1C}\FWLink = "4\x12ÇÜºÐÕ•>ßWzºÄ„¯Öà*e–RÔÓóÄ}¸"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8B4F961F-0B84-4201-BBB1-34E45368F39E}\DllName = "çUÉ¹)o\u008dqÐ9Á1t3ˆ\x05\"\x15;LÆC2Î£ìÄÂ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcVersion = "Ù2ÍÕþ\x19UÂá@%\\J‰a ’NÍm0\x16\x7fB%¯tÏ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\ZOOMLEVEL\HelpID = "\u00a0ØêÇ\rŒ¥c³Æª\x15\x15w=ÜÌˆëß\x1a\aœ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS\Bitmap = "‹Ð\u008f¸‡\tpY²9\t-Ý2Þ˜\x1d8Sæõ&\u008dks\fv\x13"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5A074B29-F830-49DE-A31B-5BB9D7F6B407}	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\International\Scripts\7	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12}\FWLink = "ÿ$çÞé\x01MŠ\x1bçÑÏÛ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "€cƒ\x10$}ÙX*ª\x14¯m¯é¢öÊTë€a0j¿”i‰"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\CONSOLEBUFFERALWAYS\Text = "\x11áNz/î\f2¸Öà„òÙ‰’¾Y<ÿüºÐî6Pˆ,"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{48FFE35F-36D9-44bd-A6CC-1D34414EAC0D}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NOTIFYDOWNLOADCOMPLETE\Text = "PCJ¢t>Û êIó¢ªä\x11>öOå\b<Â±Ré\u0081‰õ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\LegacyTLSAppcompat	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\ALWAYS\CheckedValue = "\a¶\x13¦R‰QÀÂµý´á\"’À°öà\x16\\\x11\x0f–ëI\u008fæ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{F5BEA1B9-FEF6-4093-846D-753C42A1B00A}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACR\RegPath = "—”<\x1et\|¾0\x038H´à\x14Ùc\x10ÐMr-Ë4Z®‰\|œ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\ALWAYS	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A17B153F-2267-4161-A165-73DCD6C31BEF}\BlockType = "mš×`\x17¼×œÀ`\x0eÒöØÍ;V†&U ÝÝúh\u00a0(±"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_ALWAYS\RegPath = "™\x16\u00adwcüÈ#hzÉ\byÿ-R>:¶rzò\u0090XÆ¶_f"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{9030D464-4C02-4ABF-8ECC-5164760863C6}\Version = "«†/U\beÖxÐ¬ÒÀD\b9A³8\nÁÖ¥<\x1fÁìO\x1a"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FLIP_AHEAD\Type = "å¦\x1e•\x15ï\x0e»îøÁ^·\x1aìI“4ÏéH§Iƒ\x16\f:s"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a4fbcbc6-4be5-4c3d-8ab5-8b873357a23e}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E38FD381-6404-4041-B5E9-B2739258941F}\AlternateCLSID = "ô•Ÿ\a{>"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\PLAYSOUNDS\Type = "ÄO\x1cà‹\x18\x19H•Ìµ ’¾»\x1a\x10O\x17ûÉëÜµÍÌ\x19%"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\RegPath = "\x11\|yƒ[Ðõâ§ôUëv?\x1fË\u00adƒmAZnWØ»\b\x178"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8_URL	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1B}\CompatibilityFlags = ":0\x0eU¹.$™Öª3¯Žý.\x17\x10RYÓ’³¸ß\x05‰"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{21347690-EC41-4F9A-8887-1F4AEE672439}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{E3286BF1-E654-42FF-B4A6-5E111731DF6B}\Version = "Ø»¢\x0eÃ…Ñ®ÅÈþå©K\u00a0ÂG}¿¡œ\t¡Óž·È9"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "\rfHh.Ù\f\x05-×{%ê\x01XkË—·—ÅÍÝ\u009d\a\x10U["	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NOTIFYDOWNLOADCOMPLETE\RegPath = "ÆÈ\x0f\x02™½\x15G\n^û#Ú³£º\u008f“Íð7$È\x1eŒòëD"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\HelpID = "\x7f\|Rßé\x1f„>†ì\u008d”Óø¦®hüµ=ÙÅy0h>ó¹"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\International\Scripts\19\IEFixedFontName = "]w)Aþ&\x19üN\x19L¶?XöÀ_A*\x05åêÃ”\r:Ö-"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6bf52a52-394a-11d3-b153-00c04f79faa6}-32\AppPath = "•j\x16\x03bäRÒ\u00a0\u00a0\b<ÁÜ\x1eòk\x13K\x12í\u008f\x03ú*tsž"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}\CompatibilityFlags = "Ä\x05\"@\x16ÙØ„TàŠÚ\x1e{òfrþßYî²óvö{¯Ñ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A3BC75A2-1F87-4686-AA43-5347D756017C}\CompatibilityFlags = "\x10†â‚žÃ;‹ï\u0090‹èrŸ¡©{?ýÛ\x1b«GlÚ§å,"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{3785D0AD-BFFF-47F6-BF5B-A587C162FED9}\Version = "\x1eIÀ\x16\x0fréád`NÛ=¶aßž¬æÊÃ¹öt\x1e\x11"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}\Version = "z\x0f´æÌ>:»jÇ¬\"Ý\x19œ\x12\x0eœßIÁßá‘·Ð\x17?"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ClsidExtension = "•\fw¢“SÖ¤´\x14\a”NóÓNO=ôÍ›î@p@üj+"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{BF09613A-4564-4936-B6BB-B23B1D3D4FD7}\BlockType = "¡ÕUò<Ùa²Œë¹‡$½xeÚ\|//jÈ¨°Àê\x018"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{CC7E636D-39AA-49B6-B511-65413DA137A1}\CompatibilityFlags = "<\x13ùH1¤Kò•\u00ad\u00a0Ô‡‹H\x17ô³\x01çp57E½î•A"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\Text = "ƒÎW¨mrú!;Ú›ÐB\u008d»K1TV\u00adgœs\x14Äo‰Ê"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4E7BD74F-2B8D-469E-99FF-FD60BB9AAE2D}\DllName = "îûˆS¢ð\vŽŸƒ‰Ö3œ”dz×ŸdeaùŒà\x12\x03™"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\USEBHO\Type = "–\a\\¦%Š<T\x1fÁ>–ŸÒCŠ\x0f!Ë––‘PŠ@Cáì"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\FileAssociations\.xhtml = "`¦ƒ\\jºÂ\x7fÏ\x17I3Â;ëŸÇØ½\bB„Ùø\x0f\x0e‘>"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4A5BE5EE-CFAD-11D9-8FAD-0007E9AA247E}\BlockType = "žò‡®å%K\\fäçÒµ\u009dt\x1alòQaŸzÅ,÷\\ã\t"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\CLSID = "JÿBL\u0090w¶ñÐMµ¦ô*ò¢J8ÞØM\aWZ:LxÉ"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\International\Scripts\9	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\ALTTEXT\RegPath = "\aæ§Ê\x14"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\TEXTSIZE\Text = "ñŽ\u0090Bà´]¯ïôÜA€"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{C1D79200-7718-4656-A7B2-F23046E264E7}\DllName = "±™ó:lìbØ~Ë\x18ŒŠR¢\x13M–È\u0090"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\ThirdPartyCookies\RegistryRoot = "8\x05¬mÅ¾\x7f\x13\f\x17‡¹Ï¢o<íX'²NRß\x0eÓ!®Q"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A411D7F4-8D11-43EF-BDE4-AA921666388A}\Version = "@\x14@ºÊU6‰& ¸olÞ¬ï8¨Ó¤Ê\x04‹E"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\NoAdd-ons = "4p)I9å¼L\x032…¥f\u009dˆ\n%tå¬ü7\u0090˜E\x14Àª"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\ALTTEXT\HelpID = "\x06¢•í€ÅÇýi7î³µ§‘Ö\x12{I_ÊÐ†©fL/¬"	cmd.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "š‰§,i™\x031B5Ô\vþþ\x7f\v*ÓÅbvÊ®\x18÷È¹5"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "2H¦\x01Ý\x13²Í\x7f‚\x10 Òáê{Xìó8–HMÉ¹\x12[¦"	cmd.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727754256483455"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000300000014000000494c200603000400480010001000ffffffff2110ffffffffffffffff424d3600000000000000360000002800000010000000400000000100200000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000097928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928ffffffffffffffffffffefefefffcfcfcfffafafafff8f8f8fff5f5f5fff3f3f3fff1f1f1ffeeeeeeffecececffe9e9e9ffe8e8e8ffe6e6e6ff97928fff97928ffffffffffffffffffffefefefffcfcfcfffafafafff8f8f8fff5f5f5fff5f5f5fff3f3f3fff0f0f0ffeeeeeeffebebebffe9e9e9ffe7e7e7ff97928fff97928fffffffffff879d55ff82a259ff7da85dff77ad61ff73b165fff7f7f7ffcdcccaffcdcccaffcdcccaffcdcccaffedededffebebebffe8e8e8ff97928fff97928fffffffffff8d944fff899a53ff84a057ff7fa55bff7aaa5ffff9f9f9fff6f6f6fff4f4f4fff4f4f4fff1f1f1ffefefefffecececffeaeaeaff97928fff97928fffffffffff93894aff8f904dff8b9751ff879d55ff82a259fffbfbfbffcdcccaffcdcccaffcdcccaffcdcccafff1f1f1ff7ba95effecececff97928fff97928fffffffffff987c44ff958448ff918c4bff8d944fff899a53fffcfcfcfffafafafff8f8f8fff8f8f8fff5f5f5fff3f3f3ff8b9751ffeeeeeeff97928fff97928fffffffffff9d723fff9a7942ff968046ff93894aff8f904dfffdfdfdffcdcccaffcdcccaffcdcccaffcdcccafff5f5f5ff977e45ffefefefff97928fff97928fffffffffffa06a3cff9e6f3eff9b7541ff987c44ff958448fffefefefffefefefffdfdfdfffbfbfbfff9f9f9fff6f6f6ffa06a3cfff1f1f1ff97928fff97928ffffffffffffffffffffffffffffffffffffffffffffffffffffefefefffefefefffdfdfdfffbfbfbfff9f9f9fff6f6f6fff4f4f4fff1f1f1ff97928fff97928fffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaff97928fff97928fffe0d9d3ffe0d9d3ffe0d9d3ffe0d9d3ffe0d9d3ffe0d9d3ffe0d9d3ffe0d9d3ffe0d9d3ff917968ffe0d9d3ff917968ffe0d9d3ff917968ff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000ffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff00000000000000000000000000000000000000000000000001000000080000000400000004000000340000000100000000000000010000000000000001000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010006000000140000007b005100360035003200330031004f0030002d004f003200530031002d0034003800350037002d004e003400500052002d004e003800520037005000360052004e0037005100320037007d005c0070007a0071002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000e8070b0070007a0071002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000012f5ea3a6b35db01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070a00420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000bfe5616faf18db0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3973800497-2716210218-310192997-1000\{FE87EF6E-3C89-4619-9A67-1760D3D522BF}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010006000000140000007b005100360035003200330031004f0030002d004f003200530031002d0034003800350037002d004e003400500052002d004e003800520037005000360052004e0037005100320037007d005c0070007a0071002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000e8070b0070007a0071002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000000000000000000000000000000000000000000000000000000000006b91ac156b35db01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070a00420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000bfe5616faf18db0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727754256483455"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000300000014000000494c200603000400440010001000ffffffff2110ffffffffffffffff424d3600000000000000360000002800000010000000400000000100200000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000097928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928ffffffffffffffffffffefefefffcfcfcfffafafafff8f8f8fff5f5f5fff3f3f3fff1f1f1ffeeeeeeffecececffe9e9e9ffe8e8e8ffe6e6e6ff97928fff97928ffffffffffffffffffffefefefffcfcfcfffafafafff8f8f8fff5f5f5fff5f5f5fff3f3f3fff0f0f0ffeeeeeeffebebebffe9e9e9ffe7e7e7ff97928fff97928fffffffffff879d55ff82a259ff7da85dff77ad61ff73b165fff7f7f7ffcdcccaffcdcccaffcdcccaffcdcccaffedededffebebebffe8e8e8ff97928fff97928fffffffffff8d944fff899a53ff84a057ff7fa55bff7aaa5ffff9f9f9fff6f6f6fff4f4f4fff4f4f4fff1f1f1ffefefefffecececffeaeaeaff97928fff97928fffffffffff93894aff8f904dff8b9751ff879d55ff82a259fffbfbfbffcdcccaffcdcccaffcdcccaffcdcccafff1f1f1ff7ba95effecececff97928fff97928fffffffffff987c44ff958448ff918c4bff8d944fff899a53fffcfcfcfffafafafff8f8f8fff8f8f8fff5f5f5fff3f3f3ff8b9751ffeeeeeeff97928fff97928fffffffffff9d723fff9a7942ff968046ff93894aff8f904dfffdfdfdffcdcccaffcdcccaffcdcccaffcdcccafff5f5f5ff977e45ffefefefff97928fff97928fffffffffffa06a3cff9e6f3eff9b7541ff987c44ff958448fffefefefffefefefffdfdfdfffbfbfbfff9f9f9fff6f6f6ffa06a3cfff1f1f1ff97928fff97928ffffffffffffffffffffffffffffffffffffffffffffffffffffefefefffefefefffdfdfdfffbfbfbfff9f9f9fff6f6f6fff4f4f4fff1f1f1ff97928fff97928fffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaffcdcccaff97928fff97928fffe0d9d3ffe0d9d3ffe0d9d3ffe0d9d3ffe0d9d3ffe0d9d3ffe0d9d3ffe0d9d3ffe0d9d3ff917968ffe0d9d3ff917968ffe0d9d3ff917968ff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff97928fff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000ffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000003000000040000002c000000010000000000000001000000000000000100000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 990982.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1060	msedge.exe
1060	msedge.exe
3788	msedge.exe
3788	msedge.exe
4192	msedge.exe
4192	msedge.exe
1988	identity_helper.exe
1988	identity_helper.exe
4652	msedge.exe
4652	msedge.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe
2772	VeryFun.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
4868	cmd.exe
3144	cmd.exe
4636	cmd.exe
4344	cmd.exe
424	explorer.exe
3188	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	VeryFun.exe
Token: 33	4200	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4200	AUDIODG.EXE
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchHost.exe
Token: SeRestorePrivilege	4860	SearchHost.exe
Token: SeTakeOwnershipPrivilege	4860	SearchHost.exe
Token: SeRestorePrivilege	4860	SearchHost.exe
Token: SeTakeOwnershipPrivilege	4860	SearchHost.exe
Token: SeRestorePrivilege	4860	SearchHost.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeTakeOwnershipPrivilege	4704	SearchHost.exe
Token: SeRestorePrivilege	4704	SearchHost.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe
Token: SeManageVolumePrivilege	660	svchost.exe
Token: SeShutdownPrivilege	424	explorer.exe
Token: SeCreatePagefilePrivilege	424	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
3548	cmd.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
3548	cmd.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe
424	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2772	VeryFun.exe
3844	cmd.exe
3548	cmd.exe
4868	cmd.exe
3144	cmd.exe
4636	cmd.exe
4344	cmd.exe
424	explorer.exe
3304	StartMenuExperienceHost.exe
424	explorer.exe
3188	cmd.exe
4276	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 1196	3788	msedge.exe	79
PID 3788 wrote to memory of 1196	3788	msedge.exe	79
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 3276	3788	msedge.exe	80
PID 3788 wrote to memory of 1060	3788	msedge.exe	81
PID 3788 wrote to memory of 1060	3788	msedge.exe	81
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82
PID 3788 wrote to memory of 3400	3788	msedge.exe	82

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "¥Ó¦Ý›—Q\u00a0•WOtb{Nw\x17–»/W½†¥†6b\u00ad"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "°î¤\n%þç\|ÑíÚU\x15ùÎ©g‚AÅÄ^®ðÓ\\½d"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\ = "öÎ\x1c-£X(¢ÕK^¹ß#‡kIÒ}ˆ«úî¸¢\|®l"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing\CountryCode = ":\|¢Äí*¤ú±‘ªo+\x1bã$CÀÉMïc2\x19Á‘\x16s"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/NetheriteTree/Malware-Database
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1e013cb8,0x7fff1e013cc8,0x7fff1e013cd8
    3⤵
    PID:1196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
    3⤵
    PID:3276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
    3⤵
    PID:3400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:3816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:4196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4192
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
    3⤵
    PID:4056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5900 /prefetch:8
    3⤵
    PID:3544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:4652
- - C:\Users\Admin\Downloads\VeryFun.exe
    "C:\Users\Admin\Downloads\VeryFun.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3844
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Modifies WinLogon for persistence
      Boot or Logon Autostart Execution: Active Setup
      Event Triggered Execution: Image File Execution Options Injection
      Manipulates Digital Signatures
      Checks computer location settings
      Checks whether UAC is enabled
      Installs/modifies Browser Helper Object
      Maps connected drives based on registry
      Modifies WinLogon
      Sets desktop wallpaper using registry
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      Modifies Control Panel
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3548
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:4868
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:3144
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:4636
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:4344
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:3188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
    3⤵
    PID:2404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
    3⤵
    PID:2268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
    3⤵
    PID:4004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:4896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,9236858062323969680,5848097070228129388,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5992 /prefetch:2
    3⤵
    PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000478 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:424

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4860 -s 1196
  2⤵
  PID:3904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4276

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 MicrosoftWindows.Client.CBS_cw5n1h2txyewy
1⤵
PID:4764

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Checks SCSI registry key(s)
- Modifies registry class
PID:2384
- C:\Windows\System32\ie4uinit.exe
  "C:\Windows\System32\ie4uinit.exe" -UserConfig
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer Protected Mode
  PID:260
- - C:\Windows\System32\ie4uinit.exe
    C:\Windows\System32\ie4uinit.exe -ClearIconCache
    3⤵
    PID:1440
- C:\Windows\System32\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /FirstLogon
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
  2⤵
  - Drops file in Windows directory
  PID:2448
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7412c4698,0x7ff7412c46a4,0x7ff7412c46b0
    3⤵
    - Drops file in Windows directory
    PID:4828
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=2 --install-level=0
    3⤵
    - Drops file in Windows directory
    PID:2744
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x248,0x24c,0x250,0x80,0x254,0x7ff7412c4698,0x7ff7412c46a4,0x7ff7412c46b0
      4⤵
      Drops file in Windows directory
      PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level
  2⤵
  PID:1492
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff7e47ceb10,0x7ff7e47ceb20,0x7ff7e47ceb30
    3⤵
    PID:3508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --migrate-edgeuwp-taskbar-shortcut
    3⤵
    PID:2400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fff1e013cb8,0x7fff1e013cc8,0x7fff1e013cd8
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:4628

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Boot or Logon Autostart Execution: Port Monitors
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Port Monitors

T1547.010

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Port Monitors

T1547.010

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\SetupMetrics\8617899d-a479-4236-8267-1a0839bde056.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
150B

MD5
08f91db41321f9dd678c9962d9432d6a

SHA1
3c658c3aa83f6bf384b5f8d4c06ba0c7d278b5a5

SHA256
ce1d96c3832b805f4e56539949126e4197b4d09745964ef2fec5dccba2159b46

SHA512
98188575cde25c590791bf1dcb71dbbefff13bef5cd3ea9bcc4c5d1e128bb7eea6d654b771a39a9a0dcffcb0b37fac51b8720c962c0a1df652cd906baf57bed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e05f8379-c3c2-4466-9b68-f6f3855934cd.dmp

Filesize
4.8MB

MD5
f737245b6523f2515ff50894ee4aaf6f

SHA1
5527e5dc12f46946d06970d67e3ce343ddadda2a

SHA256
f0d9a253b2a01abb458fa41cc397552ca4509bade32184deb13d41170c23cf61

SHA512
8556232a760c6234988fb286d3dd04f869afc18192ba9cc13d28887772274978c7efe302d99883cae18a8940c48aa5d06f87ff192b6174a379f32d1afd0b1f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f1320913e5599ff13990c090ee9fdb3

SHA1
e78e63ce8d4d403fd5e74d4fd3d4d6a4795c3c73

SHA256
f7e138b3d28da4c5b85115027417b784bfdd58cb8feaa1461fce35255dbbe8b9

SHA512
5e42e8402ecfef5ac6928797160741bf99b3a2ce3ff01082cba6cb1223e1fa2032e51277b283c1985eb9576f7f7efa3da4e8c081b5c9c60e55825845c6023857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cb9ec50751f12ccd38067e12b88d730d

SHA1
7b020da7d2ea3fa997d565a0f6674efb87c4fe4e

SHA256
2c3c2356804d7a3b385ea519a04f0ca54c20018d5345a9237b7295217d19b4cb

SHA512
d776243c511d57c0e431a0816233fe3ce80bcec2a12f315c8bedbc9669989e2699e22e88cab22f1a557c11e39f9f69ff750799a18301c92586c38a64628988a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
35b049736e59b2c3636a4e5a1cf6b9fb

SHA1
413c2bb114cb2cf87f334537c96a70cd5534855a

SHA256
9ea8e3e466176976880c23aa10825c05159d79fd9f229040cdbce724ed982977

SHA512
39f203b0ff16c72ef7a3914b3be3ad8fc6ff1133d1cc9e5b799c8f8e851097a068784c7285f6b81fd151f3affc480352f158f73ecaacccf27c3ac33c8e1c0969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd5b0bda344b24a6c274c31cdc528460

SHA1
e957ce775bcb4effa70da9f2e55fc6ba0c6042ef

SHA256
453da77a8b1850a1219e144b855a2d37d7daab1e9ca5dd24c585910777e8472c

SHA512
d4c2b836d9cb7505edf94437b1412d492b0885feae866646176369acec4a5fd7673f934623b0e1c5e623d6f0b4654416cda3a697da4071fd86f3584b1e10ca17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7697e9ff795a2048d5df18e8470f2014

SHA1
4f9dc3a486a338e2b19aa129bbf02bb164a9e068

SHA256
e3c994b19066a05f347af8fbc270d25d28e040cb8b6856bbb0a25079773fe176

SHA512
1d26ff8146a4786fcce4cc257680ff777d54887dd202422a28e8238865f3178696c4e52ffdbdaa0cdbe8c3f4597f26f01cc122e3699109925b762a60895d7d37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9fe434bf71edbb1ad897954f3c3634ba

SHA1
1afeac9261202c7674e1c939b795a73babd9816c

SHA256
6129d4980f173221d6104de95e78c1c3090b0ef89403650ff5ac9e3dc29809cc

SHA512
791123eb19285143b93534a531fe3a9cbee516472f8679699e05df2cb7c2ddb39ff78dd2c511c9ed42733cb66d21e7ed50584cc1fcf771662dc910ad49f4d3e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
87f9a80542ef163ace4fcfa23877d40d

SHA1
67fe372410844a00bef1950b2d98b47f4aec5782

SHA256
539dfb8f23df223b3f9b5ea8a15acded7e56357431b9545cabeef398cd7b816c

SHA512
a221a3a9b82b9c42368d0f3d09e2fa387fa3b4f89db9df7e2b9e230e5a3d3f9bd6d68f54653bde739d331e63604b2a631440a8635abfa5a3b8b7f40a21106eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5800a7.TMP

Filesize
874B

MD5
7f7d8e814ee48d3c52c7653d81038ea8

SHA1
d6eb8fda47fb4086a832701b9fbdfe4e6e7f6e9b

SHA256
3b46aab595ff0f2bf5fbfbeafa81a7d7ed0b8b3e0f76eea284f0b7b0f6d61a92

SHA512
c37988f33f4dd48015970d559dc8d7e8b777f311ca605a2cce8e746c279f546537468900fff89d3ee8db2f2b21d9823cb4b5198f26a04d5946290c2c5ebab7b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
446add48d432e65f715a2058b14acec1

SHA1
a513a3e5b37f5dc0cddb71ae67bab0dc35567297

SHA256
952093f5ee18ece0a1f6dba5d2e3da695848b752ec243d1966eb9703bed4c023

SHA512
1f89f768b83ad82c19faf9b81e99dc09eb66eec784ff6f7954eb5e6129dd615895e0f86324fbaa1ce2d2e49aa8517923bfd87dd4e24351a3a79a546ef432fe9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f70d6acb22b246a7469047841f55a128

SHA1
962864cfc5988d0bc02c93f96293dcdbb3feb5a8

SHA256
9047f412e3c95ddc7f3a87cb6f81a2d256de0146aa6d0dfd7c357c0dbab92cb8

SHA512
ba2860757cb0227f6308b5ea7510e5628c048e68881cd7589eb2e211f79a116f9341e40129506857e3b8878e2337a8ab7740d99ec605970c6705242e99d368af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4fab4d8b6050aae57fc3ee4e84f97908

SHA1
510849ebd979c9e51da24abb9810fc5e0d37b00f

SHA256
b4dbdae727c361978593a347f88f18f03b930c0d956b5c2c3058ae7ecc4d0514

SHA512
a5076966cc5f06894130cccb5fe8c37ade7f79be11812fc2139cbab3aa9dd90e007c3aada17e5d675c0bbe1b57bb0a5a2b30d6efcd6327198658086b4bdbb497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5febf11061b104b47edbcddc5cf7a8f9

SHA1
b5feb5cd7b4cbd7b2de923cebb121c9cbbfe0626

SHA256
e66bbf6b1aef49fcde650a17986768b3f01d909ed6202be993404d7e1a05ea6e

SHA512
319965dd87259314151dca5434be91cc6230ed88ae9289a984350ff3a55430c2d956e4ab385a6187562c6c5a02e88f8411079f438d700fc518195676fd04d202

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGI67D8.tmp

Filesize
24KB

MD5
dd4f5026aa316d4aec4a9d789e63e67b

SHA1
fe41b70acbcba7aa0b8a606fe82bcfde9a7bf153

SHA256
8d7e6cee70d6035c066b93143461d5f636e144373f5c46bc10a8935d306e0737

SHA512
3f18e86d8d5119df6df0d914ebf43c1a6dadb3fdeff8002940a02d0a3d763e779068a682ee6bafe650b6c371d4be2e51e01759ec5b950eef99db5499e3a6c568

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGI67FB.tmp

Filesize
3KB

MD5
a828b8c496779bdb61fce06ba0d57c39

SHA1
2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda

SHA256
c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d

SHA512
effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
f03191fa5af81f76c48bd686e4aca2f1

SHA1
901a1344fc96b972ec0b1db0176f06ad7001f18e

SHA256
179403a3a5c6a4b89aa5d8f9a0d98dfac86b83a5c427ae99886180461a32fb78

SHA512
eab37e61255821e197bb56d8cfc0f4f0ab8eaf934a4c8259be5ea947feff2b5b13ea52b0940fde5534c4e47e2352a20fa0475d44e8599bdd54551def7ee93563

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 990982.crdownload

Filesize
3.0MB

MD5
ef7b3c31bc127e64627edd8b89b2ae54

SHA1
310d606ec2f130013cc9d2f38a9cc13a2a34794a

SHA256
8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387

SHA512
a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5

Download Submit
C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SystemTemp\Crashpad\settings.dat

Filesize
40B

MD5
5ea0af3df0a58bf83db24d7521c3144d

SHA1
aafb9d67aa452da608434ec3da86f564d4297d77

SHA256
bc1bd356997ebb74c1f7a4a6516aa179c4c03d9cbf1ff6759ca4aca6e74f31d7

SHA512
e543f28992ee947278fbed6e2c2f5844403595d3aa1f17fd0652f3a9a4d5823398342811dfec958a5946261f44564323bb802b0c4598d4384212a15974a467b2

Download Submit
memory/660-374-0x000001C02B7F0000-0x000001C02B7F1000-memory.dmp

Filesize
4KB

Download
memory/660-373-0x000001C02B7F0000-0x000001C02B7F1000-memory.dmp

Filesize
4KB

Download
memory/660-375-0x000001C02B7F0000-0x000001C02B7F1000-memory.dmp

Filesize
4KB

Download
memory/660-370-0x000001C02B7D0000-0x000001C02B7D1000-memory.dmp

Filesize
4KB

Download
memory/660-352-0x000001C023240000-0x000001C023250000-memory.dmp

Filesize
64KB

Download
memory/660-372-0x000001C02B7F0000-0x000001C02B7F1000-memory.dmp

Filesize
4KB

Download
memory/660-371-0x000001C02B7D0000-0x000001C02B7D1000-memory.dmp

Filesize
4KB

Download
memory/660-369-0x000001C02B7D0000-0x000001C02B7D1000-memory.dmp

Filesize
4KB

Download
memory/660-368-0x000001C02B7D0000-0x000001C02B7D1000-memory.dmp

Filesize
4KB

Download
memory/660-336-0x000001C023140000-0x000001C023150000-memory.dmp

Filesize
64KB

Download
memory/2772-298-0x0000000000370000-0x00000000009AD000-memory.dmp

Filesize
6.2MB

Download
memory/2772-249-0x0000000000370000-0x00000000009AD000-memory.dmp

Filesize
6.2MB

Download
memory/2772-297-0x0000000000370000-0x00000000009AD000-memory.dmp

Filesize
6.2MB

Download
memory/2772-323-0x0000000000370000-0x00000000009AD000-memory.dmp

Filesize
6.2MB

Download
memory/3144-300-0x0000000000D00000-0x0000000000E0C000-memory.dmp

Filesize
1.0MB

Download
memory/3144-301-0x0000000000D00000-0x0000000000E0C000-memory.dmp

Filesize
1.0MB

Download
memory/3144-299-0x0000000000D00000-0x0000000000E0C000-memory.dmp

Filesize
1.0MB

Download
memory/3548-253-0x0000000000A20000-0x0000000000B14000-memory.dmp

Filesize
976KB

Download
memory/3548-257-0x0000000000A20000-0x0000000000B14000-memory.dmp

Filesize
976KB

Download
memory/3548-256-0x0000000000A20000-0x0000000000B14000-memory.dmp

Filesize
976KB

Download
memory/3844-251-0x0000000001300000-0x000000000149C000-memory.dmp

Filesize
1.6MB

Download
memory/3844-250-0x0000000001300000-0x000000000149C000-memory.dmp

Filesize
1.6MB

Download
memory/3844-252-0x0000000001300000-0x000000000149C000-memory.dmp

Filesize
1.6MB

Download
memory/3844-258-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3844-260-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3844-261-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4344-326-0x0000000000500000-0x000000000060C000-memory.dmp

Filesize
1.0MB

Download
memory/4344-324-0x0000000000500000-0x000000000060C000-memory.dmp

Filesize
1.0MB

Download
memory/4344-325-0x0000000000500000-0x000000000060C000-memory.dmp

Filesize
1.0MB

Download
memory/4636-311-0x0000000000F00000-0x000000000100C000-memory.dmp

Filesize
1.0MB

Download
memory/4636-312-0x0000000000F00000-0x000000000100C000-memory.dmp

Filesize
1.0MB

Download
memory/4636-313-0x0000000000F00000-0x000000000100C000-memory.dmp

Filesize
1.0MB

Download
memory/4868-287-0x0000000001100000-0x000000000120C000-memory.dmp

Filesize
1.0MB

Download
memory/4868-285-0x0000000001100000-0x000000000120C000-memory.dmp

Filesize
1.0MB

Download
memory/4868-286-0x0000000001100000-0x000000000120C000-memory.dmp

Filesize
1.0MB

Download