Analysis
-
max time kernel
360s -
max time network
319s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
07/03/2025, 14:59
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Pyran1/MalwareDatabaseUnsorted/blob/master/Samples/000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607.exe
Resource
win10v2004-20250217-en
raccoonredline8d179b9e611eee525425544ee8c6d77360ab7cd9adwaredefense_evasiondiscoveryinfostealerpersistenceprivilege_escalationstealertrojan
windows10-2004-x64
49 signatures
300 seconds
General
-
Target
https://github.com/Pyran1/MalwareDatabaseUnsorted/blob/master/Samples/000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607.exe
Malware Config
Extracted
Family
raccoon
Version
1.8.2
Botnet
8d179b9e611eee525425544ee8c6d77360ab7cd9
Attributes
-
url4cnc
http://teletop.top/agrybirdsgamerept
http://teleta.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept
rc4.plain
rc4.plain
Extracted
Family
redline
C2
95.181.152.12:44159
Attributes
-
auth_value
c452e27d40203938502cf6d858f9be17
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagot.a.exe -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe" Fagot.a.exe -
Modifies firewall policy service 3 TTPs 16 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces\IfIso Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm Fagot.a.exe -
Modifies security service 2 TTPs 11 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\ACSERVICE Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Security Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\PortKeywords Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security Fagot.a.exe -
Raccoon Stealer V1 payload 2 IoCs
resource yara_rule behavioral1/memory/5036-258-0x0000000000400000-0x0000000000491000-memory.dmp family_raccoon_v1 behavioral1/memory/3368-291-0x0000000000400000-0x0000000000491000-memory.dmp family_raccoon_v1 -
Raccoon family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Redline family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 26 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51} Fagot.a.exe -
Boot or Logon Autostart Execution: Port Monitors 1 TTPs 13 IoCs
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP Fagot.a.exe -
Downloads MZ/PE file 5 IoCs
flow pid Process 69 3840 msedge.exe 69 3840 msedge.exe 69 3840 msedge.exe 69 3840 msedge.exe 69 3840 msedge.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 47 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe Fagot.a.exe -
Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.3 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{DE351A42-8E59-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates\11194FAB14616ED8259FB94DCD17CE99DAB04CDD Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{6078065b-8f22-4b13-bd9b-5b762776f386} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{6078065b-8f22-4b13-bd9b-5b762776f386} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllProtectPrompt Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine Fagot.a.exe -
Boot or Logon Autostart Execution: Print Processors 1 TTPs 2 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\winprint Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors Fagot.a.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe -
Executes dropped EXE 9 IoCs
pid Process 5036 000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607.exe 3368 000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607.exe 5268 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe 5124 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe 428 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe 5528 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe 2464 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe 6040 WinNuke.98.exe 2164 Fagot.a.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys Fagot.a.exe -
Modifies system executable filetype association 2 TTPs 54 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell Fagot.a.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe" Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Fagot.a.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe -
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe Fagot.a.exe -
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects Fagot.a.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 68 raw.githubusercontent.com 69 raw.githubusercontent.com -
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Fagot.a.exe -
Modifies WinLogon 2 TTPs 13 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} Fagot.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "COCK_SUCKING_FAGGOT" Fagot.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "COCK_SUCKING_FAGGOT" Fagot.a.exe -
Drops file in System32 directory 41 IoCs
description ioc Process File created C:\Windows\SysWOW64\dllhost32.exe:SmartScreen:$DATA Fagot.a.exe File created C:\windows\SysWOW64\progman.exe Fagot.a.exe File created C:\windows\SysWOW64\shutdown.exe Fagot.a.exe File created C:\windows\SysWOW64\ntkrnlpa.exe Fagot.a.exe File created C:\Windows\SysWOW64\alg.exe:SmartScreen:$DATA Fagot.a.exe File created C:\Windows\SysWOW64\wuauclt.exe:SmartScreen:$DATA Fagot.a.exe File created C:\windows\SysWOW64\chcp.exe Fagot.a.exe File created C:\Windows\SysWOW64\MDM.exe:SmartScreen:$DATA Fagot.a.exe File created C:\windows\SysWOW64\regedit.exe Fagot.a.exe File created C:\windows\SysWOW64\alg.exe Fagot.a.exe File created C:\windows\SysWOW64\ctfmon.exe Fagot.a.exe File created C:\Windows\SysWOW64\imapi.exe:SmartScreen:$DATA Fagot.a.exe File created C:\windows\SysWOW64\MDM.exe Fagot.a.exe File created C:\windows\SysWOW64\services.exe Fagot.a.exe File created C:\Windows\SysWOW64\wowexec.exe:SmartScreen:$DATA Fagot.a.exe File created C:\Windows\SysWOW64\dllhost32.exe Fagot.a.exe File created C:\windows\SysWOW64\imapi.exe Fagot.a.exe File created C:\windows\SysWOW64\recover.exe Fagot.a.exe File opened for modification C:\Windows\SysWOW64\userinit32.exe Fagot.a.exe File created C:\windows\SysWOW64\bootok.exe Fagot.a.exe File created C:\Windows\SysWOW64\chcp.exe:SmartScreen:$DATA Fagot.a.exe File created C:\windows\SysWOW64\dumprep.exe Fagot.a.exe File created C:\Windows\SysWOW64\win.exe:SmartScreen:$DATA Fagot.a.exe File created C:\Windows\SysWOW64\userinit32.exe:SmartScreen:$DATA Fagot.a.exe File created C:\Windows\SysWOW64\progman.exe:SmartScreen:$DATA Fagot.a.exe File created C:\windows\SysWOW64\chkntfs.exe Fagot.a.exe File created C:\Windows\SysWOW64\ntkrnlpa.exe:SmartScreen:$DATA Fagot.a.exe File created C:\windows\SysWOW64\win.exe Fagot.a.exe File created C:\WINDOWS\SysWOW64\userinit.exe Fagot.a.exe File created C:\windows\SysWOW64\autochk.exe Fagot.a.exe File created C:\Windows\SysWOW64\dumprep.exe:SmartScreen:$DATA Fagot.a.exe File created C:\Windows\SysWOW64\logon.exe:SmartScreen:$DATA Fagot.a.exe File created C:\Windows\SysWOW64\services.exe:SmartScreen:$DATA Fagot.a.exe File created C:\windows\SysWOW64\wowexec.exe Fagot.a.exe File created C:\windows\SysWOW64\wuauclt.exe Fagot.a.exe File created C:\Windows\SysWOW64\userinit32.exe Fagot.a.exe File created C:\windows\SysWOW64\ntoskrnl.exe Fagot.a.exe File created C:\Windows\SysWOW64\ntoskrnl.exe:SmartScreen:$DATA Fagot.a.exe File created C:\Windows\SysWOW64\bootok.exe:SmartScreen:$DATA Fagot.a.exe File created C:\windows\SysWOW64\logon.exe Fagot.a.exe File created C:\windows\SysWOW64\systray.exe Fagot.a.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\NOTEPAD.EXE Fagot.a.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe -
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinNuke.98.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport Fagot.a.exe -
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe -
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4FA211A0-FD53-11D2-ACB6-0080C877D9B9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39A2C2A6-4778-11D2-9BDB-204C4F4F5020} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C2C4F00A-720E-4389-AEB9-E9C4B0D93C6F} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0F6A72B9-D3C5-4FCE-89A3-4E3D19C3580A} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fa6f0991-f729-4899-b095-d3fbca253cf6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\SOUNDS Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\XMLHTTP Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AF604EFE-8897-11D1-B944-00A0C90312E1} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44C79591-D0DE-49C4-BA3C-A45AB7003356} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm5v.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{EDC0F17F-F4B7-47E4-B73E-887FAEB376FA} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{053017A8-53F7-4EA3-AA38-A4CCAAF1F9E7} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\FileAssociations Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7b.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{812954F9-FAA2-4aee-A9E7-3C4FDE2166A6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.dir Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D9BB4CEE-B87A-47F1-AC92-B08D9C7813FC} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BC4-3C52-11D0-9200-848C1D000000} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{b4b3aecb-dfd6-11d1-9daa-00805f85cfe3} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AA13BD85-7EC0-4CC8-9958-1BB2AA32FD0B} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D02AAC50-027E-11D3-9D8E-00C04F72D980} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6C095616-6064-43CA-9180-CF1B6B6A0BE4} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3f8a6c33-e0fd-11d0-8a8c-00a0c90c2bc5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\SearchSuggestions Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4F1E5B1A-2A80-42CA-8532-2D05CB959537} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{33d9a761-90c8-11d0-bd43-00a0c911ce86} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7s.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4becf16c-74f0-429b-8d3e-4fba507ac661} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggestAskUser Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{931a8c29-3ea9-494d-91e7-22e9a9247687} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{81361152-FAF9-11D3-B0D3-00C04F612FF1} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6F225D94-9318-11D4-9223-005004B34F28} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E554-0000-0000-C000-000000000046} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E532-0000-0000-C000-000000000046} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\DisableFirstRunWizard Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AD5FBDB8-C518-47F7-B4F1-F1F58D21A716} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FE85D00-4647-40B9-87E4-5EB8A52F4759} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{03405269-b4e2-11d0-8a77-00aa00a4fbc5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EC85D8F1-1C4E-46E4-A748-7AA04E7C0496} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\TabRoaming Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FF2BBC4A-6881-4294-BE0C-17535B1FCCFA} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E80353D3-677D-11d2-875E-00A0C93C09B3} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{812AE312-8B8E-11CF-93C8-00AA00C08FDF} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\C1637989205DAFC7035F8D43D76CF87FD11E99DB Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\MIMEAssociations Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C3EB1670-84E0-4EDA-B570-0B51AAE81679} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6F750201-1362-4815-A476-88533DE61D0C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{02466323-75ed-11cf-a267-0020af2546ea} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E9CB13DB-20AB-43C5-B283-977C58FB5754} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E673DCF2-C316-4C6F-AA96-4E4DC6DC291E} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C679DECC-5289-4856-B504-74B11ADD424A} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5D80A6D1-B500-47DA-82B8-EB9875F85B4D} Fagot.a.exe -
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com" Fagot.a.exe -
Modifies registry class 64 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C50E1E9-DB15-4410-89C5-D27F4B727368} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\AuxUserType\2 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\IE.AssocFile.HTM\shell\print Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F268-98B5-11CF-BB82-00AA00BDCE0B} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpeg\shell\AddToPlaylistVLC\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ms-quick-assist\Shell\Open\Command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\DVD\shell\PlayWithVLC Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.pptxml Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mapimail\PersistentHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Forms.SpinButton.1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\bootstrap.vsto.1\CLSID Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C660D7A6-D1DD-3E9D-85EB-F844791E2DAE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B691E011-1797-432E-907A-4D8C69339129}\6.0\FLAGS Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C030D-0000-0000-C000-000000000046}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\shell\Printto Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.12\shell\OnenotePrintto\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1DDDB704-CF99-4B8A-B746-DABB01DD13A0}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.OpenDocumentText.12\shell\New\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.FLAC\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\GCSXFile Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39843BF2-C4D2-41FD-B4B2-AEDBEE5E1900}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C888351B-5DFD-3A9F-8D36-96E7770D0EBF} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.TemplateMacroEnabled\shell\New\ddeexec Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF48072F-5EF8-434E-9B40-E2F3AE759B5F} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF032216-2C7F-4682-84C1-76EF432D840B} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDE0D630-7801-47cd-984E-1F0AFBC5ACBF}\ProgID Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1D415254-6D7E-315C-86CC-90A641A57703} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{048FA0C2-8EBB-3BC2-A47F-01F12A32008E} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.fh\AppXj4qrs60k02d8kcd8ycgdx89mga9t57z3 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\Dependents Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\FDate.Factoid\CurVer Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DF2BBE39-40A8-433B-A279-073F48DA94B6}\1.0\FLAGS Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\Programmable Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F04DAF91-E45E-301A-9038-5F5738A64FDA}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0E37EEFA-84BD-300E-8AB4-7CFC2C8C3F38}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-people Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AudioVBScript.1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.xfdf\AcroExch.XFDFDoc Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.wmx\PersistentHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.rct Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6F81EA95-074E-48D4-AA96-62197E0AE96F}\TypeLib Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41487E33-9A10-42FE-BA3B-15FDE59D09D5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\tel\AppXvvr0sjtc34r6nk4mhn2e608s2xp2tezg Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.png\PersistentHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF538114-BD14-53B0-B1D1-841DCAA451AD} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.12\Insertable Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mp1\shell\AddToPlaylistVLC Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\themefile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A9BE00DF-7346-37EF-AA43-8C68F18230D8}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8351108F-34E3-3CC9-BF5A-C76C48060835}\2.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\OrgPlusWOPX.4\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5852F5E0-8BF4-11D4-A245-0080C6F74284}\1.0\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F73605E1-E491-4012-90BE-F8AAF1A8D179}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51973C22-CB0C-11D0-B5C9-00A0244A0E7A}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}\ProxyStubClsid Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9DF1F64D8EF250D42BCA10C1326BB942\SourceList\Net Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\awdvstub.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.ttc\PersistentHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83E4294C-E0BB-4E62-AC48-00F226021136} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C037A-0000-0000-C000-000000000046} Fagot.a.exe -
Modifies system certificate store 2 TTPs 63 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates\D73F0C22273FA4C717A3A735F7E992F31190F010 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates\CE97FCF4ABACBFC662AF418EA1D4862F951D3D5D Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\51501FBFCE69189D609CFAF140C576755DCC1FDF Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates\6CA22E5501CC80885FF281DD8B3338E89398EE18 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E04DE896A3E666D00E687D33FFAD93BE83D349E Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs\27748148BBE67A43CDBFEC6C3784862CE134E6EA Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\B68D8F953E551914324E557E6164D68B9926650C Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\06F1AA330B927B753A40E68CDF22E34BCBEF3352 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92B46C76E13054E104F230517E6E504D43AB10B5 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates\A4B37F4F6DE956922273D5CB8E7E0AAFB7033B90 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0119E81BE9A14CD8E22F40AC118C687ECBA3F4D8 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates\8A334AA8052DD244A647306A76B8178FA215F344 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates\9E78FB9F9527D859700D303DFA589B3073951DCB Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates\11194FAB14616ED8259FB94DCD17CE99DAB04CDD Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5 Fagot.a.exe -
NTFS ADS 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 649753.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 594842.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 649406.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 673524.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 370119.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3840 msedge.exe 3840 msedge.exe 4480 msedge.exe 4480 msedge.exe 4280 identity_helper.exe 4280 identity_helper.exe 716 msedge.exe 716 msedge.exe 5176 msedge.exe 5176 msedge.exe 4584 msedge.exe 4584 msedge.exe 4584 msedge.exe 4584 msedge.exe 2512 msedge.exe 2512 msedge.exe 3276 msedge.exe 3276 msedge.exe 1688 msedge.exe 1688 msedge.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe 2164 Fagot.a.exe -
Suspicious behavior: LoadsDriver 64 IoCs
pid Process 5024 Process not Found 5788 Process not Found 5784 Process not Found 1780 Process not Found 324 Process not Found 5720 Process not Found 1692 Process not Found 5896 Process not Found 5928 Process not Found 4896 Process not Found 5944 Process not Found 6036 Process not Found 5296 Process not Found 6048 Process not Found 6052 Process not Found 6064 Process not Found 6044 Process not Found 5032 Process not Found 6124 Process not Found 6092 Process not Found 3544 Process not Found 6020 Process not Found 6024 Process not Found 6128 Process not Found 6008 Process not Found 2932 Process not Found 4816 Process not Found 5280 Process not Found 3456 Process not Found 4056 Process not Found 6136 Process not Found 6040 Process not Found 5404 Process not Found 4040 Process not Found 4220 Process not Found 4564 Process not Found 3740 Process not Found 1644 Process not Found 3656 Process not Found 3296 Process not Found 5396 Process not Found 1732 Process not Found 1168 Process not Found 4720 Process not Found 5796 Process not Found 5780 Process not Found 1944 Process not Found 4584 Process not Found 3876 Process not Found 1636 Process not Found 4596 Process not Found 5232 Process not Found 1772 Process not Found 3452 Process not Found 3012 Process not Found 3892 Process not Found 3320 Process not Found 5480 Process not Found 4476 Process not Found 4828 Process not Found 5880 Process not Found 4556 Process not Found 3608 Process not Found 2352 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe -
Suspicious use of SendNotifyMessage 56 IoCs
pid Process 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe 4480 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4480 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4480 wrote to memory of 1276 4480 msedge.exe 84 PID 4480 wrote to memory of 1276 4480 msedge.exe 84 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 4388 4480 msedge.exe 85 PID 4480 wrote to memory of 3840 4480 msedge.exe 86 PID 4480 wrote to memory of 3840 4480 msedge.exe 86 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 PID 4480 wrote to memory of 4784 4480 msedge.exe 87 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard Fagot.a.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Pyran1/MalwareDatabaseUnsorted/blob/master/Samples/000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dbc746f8,0x7ff9dbc74708,0x7ff9dbc747182⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:22⤵PID:4388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
PID:3840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:82⤵PID:4784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵PID:324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵PID:516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:82⤵PID:5032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5068 /prefetch:82⤵PID:4932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:12⤵PID:5060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6072 /prefetch:82⤵PID:2260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:716
-
-
C:\Users\Admin\Downloads\000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607.exe"C:\Users\Admin\Downloads\000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:12⤵PID:3532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:12⤵PID:2208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:12⤵PID:5296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:12⤵PID:5304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:12⤵PID:6036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3448 /prefetch:82⤵PID:2680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5176
-
-
C:\Users\Admin\Downloads\001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe"C:\Users\Admin\Downloads\001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:5268
-
-
C:\Users\Admin\Downloads\001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe"C:\Users\Admin\Downloads\001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:5124
-
-
C:\Users\Admin\Downloads\001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe"C:\Users\Admin\Downloads\001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:428
-
-
C:\Users\Admin\Downloads\001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe"C:\Users\Admin\Downloads\001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:5528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4584
-
-
C:\Users\Admin\Downloads\001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe"C:\Users\Admin\Downloads\001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:2464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:12⤵PID:2928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4924 /prefetch:82⤵PID:180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6420 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:12⤵PID:4356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4056 /prefetch:82⤵PID:5192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6420 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:12⤵PID:2420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7088 /prefetch:82⤵PID:2608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688
-
-
C:\Users\Admin\Downloads\Fagot.a.exe"C:\Users\Admin\Downloads\Fagot.a.exe"2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Boot or Logon Autostart Execution: Active Setup
- Boot or Logon Autostart Execution: Port Monitors
- Event Triggered Execution: Image File Execution Options Injection
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Adds Run key to start application
- Indicator Removal: Clear Persistence
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵PID:5208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5611954814190757329,8921297092227853478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3544 /prefetch:22⤵PID:2716
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3736
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2844
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5160
-
C:\Users\Admin\Downloads\000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607.exe"C:\Users\Admin\Downloads\000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607.exe"1⤵
- Executes dropped EXE
PID:3368
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6040
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000b0 000000841⤵PID:5208
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ac 000000841⤵PID:2716
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
7Active Setup
1Port Monitors
1Print Processors
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
2Browser Extensions
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
3Change Default File Association
1Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
7Active Setup
1Port Monitors
1Print Processors
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
3Change Default File Association
1Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Safe Mode Boot
1Indicator Removal
1Clear Persistence
1Modify Registry
13Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\a6915810-deb5-4c1f-911d-42036540335f.dmp
Filesize825KB
MD5c90818d9d99bfa4d465f464953bcd92f
SHA198b27c4d660f6f3138720e78cd6927c3d04315bf
SHA256ec5c5b44cff13dc53b721d01d82f2a3b9ee09e5d01b6d1e05ffbff85329f36f0
SHA512ecef09ab42fbf6f041a6206d983a72c41a5f996c130761f0d74d2803bcc8728ac33917bc613530957afc1c45b70a14164b8f7ca3e8f68405afbdd51d6d8d3103
-
Filesize
152B
MD5830046cdf9c0ae18c66ab451c0c67a8b
SHA18c8763173b45f9f751d869b3ffcaa8b8f54120b2
SHA25623929a828521bc566ba7b04a70b66f68ca7138b4a3c0ecf07eadecc680bb17a7
SHA512495c87451008286022c112afb71b5f6bb2a6d2ed02f5765ead5b3d94c29733af6b8c83dcc64de6b0cd890f0cc3afc1d5fdc59140e04082a6a42d658aab2b3697
-
Filesize
152B
MD50d47548749f21064e18eeb2a53583399
SHA16c4623c7977090ccde01d48745b02d9485de838e
SHA2562cfa2f680e7a0b94fe69e1cf5415effa1bc7982754a4adb806c04b5666f1ac45
SHA512148ad4ea174563b4effcf6f4a0fdf5f0c86f9637c21a11407974ab603e0867b3a0dcfd9f53b57bfec7fdf1767edd74d09fb58cb806cde17fad50158ba5cc8f40
-
Filesize
152B
MD5530542a18a6a8ed6ee368e1ef7dc5b6c
SHA1dbe2ed90dc289b52318ab71c4e1afd4761458a2b
SHA256d82bae18f65b2d3bfba38ea5eaada2191503fb0d723b8788eb4f664ac553a718
SHA51250d2ab00f22e942d3fc7293ba30dc7cb91bff5faf91c16b970d99f59865d5f1f7c58b4e886658779cb4b15bc21cc998d04d20fe3043cf5a2379f9a6befb37571
-
Filesize
21KB
MD559fedd41e3287d05e9b9c44352da74d4
SHA1cb0e50d8060ecf457116c2711b1cfacc595763f0
SHA25649b133300b409b02cad9a1f3ba3eede1da07d8c482b7b37d4d1a56b6166da721
SHA5127f374c04f574347992d5aff304cea0828f8359e794ba4bb9572acdc026c0cdde704a2f77b8856f834d18cd65ddd092a84049dc427151b087ce97a1651e2ec0f3
-
Filesize
45KB
MD51b2510252d927858a861b7567b09193f
SHA1cd2ccc85e7e438aae22e27ad692c5f25cbd0b1ac
SHA256c916ec16688b5ef1f60c29272d80b9121566c8dab4b228cc338fc8ca2447042f
SHA512c4c610241f50e011f19e248041f8fdeb644092aba6795a5470b2a5ad516e7bf6ee9555dd99ce7376502e4bebada57469ffdce9433a74f2afa001aad9660750fe
-
Filesize
2KB
MD5feb52abf829fb6b1087730aa58e8405f
SHA11ffb201a4c719ef48b0083c8704243adf41d4c89
SHA25625151e7e5533d92457aeb32fd3a97eb80c820dd6e4e1266d6a2a637a17c0c863
SHA5127debb203bd91d6b6b26de900f4e115dbc51a508907f3fe77e31278426c62a786dc526e4df0d5a68eb0e458ae7582e45a89bd3a68f6329c07afefff9d61a13c26
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5d4345916e7a599252a6f5db049acca57
SHA1198700c5fbfa61c9ac790f01008e78e4a504afa1
SHA256962fefebe629bf9c3ae3cadaefa28e014859716170034bd6d46d8fcc599df898
SHA512da555271a8490588c3bb71bc630f4980f4786a7fe669869ddb2a0cbd73030c029d1d18d5cd8cf216fb2a9156e0f4ac08f006b8aa78bb258459adf7d608574fa5
-
Filesize
579B
MD5f27ed958e1ac5d59278dbe10e34865e2
SHA1c003f415b2942510a0f7adc5b41f7e2bc14394f4
SHA256c3a7404c67078e04ba08b496bd13fd25416feb35d6cd8c021b2a2f79fa7b1598
SHA512dff1a1812ff4e30dbd1cdc7addca61afed9db876813c13779446901ae0361e9cfa31ddcb67ab46a44d235971eabef17fc05f3badb926be3869ad9e2f6a43a049
-
Filesize
5KB
MD53cb0607b054037c711f1d00e4165502f
SHA10ad1420d0a8fa775831c24d9a3b2f68357f579a2
SHA2565b115828afb20e8ac73fc0882f1cff32ac99882455efaa04de9705537f376d08
SHA512f6b35aee10910931fc8bd4925e9ccf9b91a66e2694fb3e036b0f31e9feacde4e0ca1e7d589809205f3d4df910a723447a19491248f8588a59212af4c861d5061
-
Filesize
6KB
MD5c14d798b5bd4196e53c4c61575f3b927
SHA1200c187b2a636aa5902f10bd04c89a179d9b2f44
SHA256f15024aae0336de3ac32a4dca0390653a5b0cf47b97023cd62128ffa585d41fa
SHA51214d074aee70ae200eb4755516ca8fe3327edc370aec9472e1c31ad85351aca69966c9f23cedb57ce199b6d978fdbdf4c154528efbe7fd132847b67cb2d2914e3
-
Filesize
6KB
MD5e9426563d1e1e9e3ebd5144de6e2602b
SHA1fbbcc0b10a409e4ace9b6beff98726eb12037fa5
SHA2564bc662b76e3abb365212a0138fc809b755f26e0a4d7ebcd665b786a0427f2d54
SHA512081b669c115c26972d40805750e634f3b787bfb79fa5b6a6881761e216149e2b879f6d58a1fb4afea72d5afff2ec6aa548df95960571c0e78351aaaaefa1a447
-
Filesize
6KB
MD557ec1d55c97a235e7ff3d44463dc341a
SHA1e79b7cbfdbe0775f93a69dd2c38a39fd0a58de3b
SHA256b89374bc4dfb12ea8d94594eaa64213972fdf2fae2c6a63c35dcb114fb6183e0
SHA512eb62e04260d3b8cf4cb0282a8c15ea3cbefa6640766846733257443cf2b5dd79cf681c5fbb6c272e1b62892c016507705cb1cc3da9a15028f1ba706a21ccd576
-
Filesize
6KB
MD5efc4e674443645bd239c3fe93d329e73
SHA1e73a6e19a0564de82aa5801d0d523b945eef49c8
SHA2568d628bdc50fbe7be02b97b9e0d2d8e4a236d7e4594a9d3e2aaa683b1453a9fb4
SHA512193241fc87ba1a40a4d70b8539f6c861e81b6264dac13409dfee7598078676f659170f25869abf4e4e863ee5c6fbdb175a3937c94c0d00b75662af7ba9b518c5
-
Filesize
6KB
MD59ab95916df3ce897b4957ecd21bc531d
SHA180611442353416e1baad09153a5b46c1c3df0ac6
SHA256c6bcc9806f3b722280667d71fe3207e21585d497b65f5ffff4124cd0eb4f1ba5
SHA512ab22f328c27355fdd4fe03f1031189dc71aa0a16cf1b5f58236868f78059e9de1567a65b1a7c1f21bad613cea887d8b318ecccd57e09a2e96c85020d38a80a40
-
Filesize
6KB
MD555cccd6455a8cac8d89f5435fffa9659
SHA11aa9de96d667b51dd34ce96af2eb99949da8c836
SHA256d5f804d1faf6729d432f1d3fa9e761af8d8fbe62fcfd1a20c65d0136cdf25c39
SHA512e56bc924fca38b534f20e02a3298011e64153c4ad349fdfeb190db9308c2c0cad3f479084c25a78f1a1351efb54f462f2b0ce4c73fe09fa9b0b0ffd44703404a
-
Filesize
5KB
MD5cb6fc34faed64683507d8acb66bce865
SHA14ad617c221726fb94627b6688132cda2712cfe55
SHA2567ec56d7eaa20292bc755349e83f5c016a9c9919664a5d019af0114af77043a7a
SHA51274453618befe772e41663909a4ff55e16821a95ca19b467660f081af7ca80a439e411562ae5a4f0bdc7b9344501cda85bbfacfae4ae19010d9627939396be01e
-
Filesize
6KB
MD5ba85b197cf67a7b1d073ce747d1670f7
SHA18ff03f489bb9d18490e36da8f7ad88811af3e1d9
SHA256034f919c3509a91fd24970061b329027f53402d100d5a34144b2c0e373a6ada8
SHA512c86caf201cb4b83a79cfba51a5214fc95634c0cae2d5d66b050729e3a7dd6d10c0e6389354113c8ea115f794fdbd7f2c629631d1dd5220dce0fccc9c82cd3781
-
Filesize
24KB
MD57b706f81ccfddbd2defe1dae334468b0
SHA18eaee7ac615073c268177d2938f08c1d72c9dd92
SHA256fc464dd3dfc999d09fa7bb9c66eecb61dd942e386382027383dd7c8cc71a0221
SHA5127c3a0dd7258c8ae1516e7b3f469c61d53161ee3ae8a3e82050dc70b56be2875eac8e3411636baec9a4e2a9d5cff6a552117d946f39fd9fcea4ad682d6412d995
-
Filesize
1KB
MD5296d67fdc47426ce80c40e9f1d4e85ff
SHA18102cda50aa71f7729ef547511789bf0b7c1f77b
SHA256a5044da57131aee7e32a88f6d754f7a14539b1cf2427d14e5c7630a2c5c035d1
SHA512fdcd20f57e025f4ddea856255021988f9aa639c506429ebf12d0c14a3dba6448d10d87262a19efdd3792e3af19384128e9695e05e2c32c00fa325d97c386d0fc
-
Filesize
1KB
MD58b4e359c8b3f8612eee24bd04a6c5060
SHA1e162b601ac1b3af371f88ac09a515774c80e45a3
SHA256256463b61a3df7d23b4604ca224a476f84a8869df32c8b0d64822497b0f5d767
SHA512de2658e3ad5aa4a601784c8de2eec87bbab4173af6d2ba654de1b1450889a77948e1a913b84bf7240f276fa696535057267ce53f7bd952334548d666300fb80f
-
Filesize
1KB
MD5b4b2233b2125e7753ce796a2ef64c328
SHA1895169a08ff683073f054bc434e9ea3fe438aa1a
SHA25636332993bf552309d3627be085065c57d771743be6c9d9616871066c3968e243
SHA512128e22e1e25373e3009408a33aa9439d255d90bc4bb71cb3d9f00b376089068eb71d8494f4bddb437d427f515bcf2e049affc602268d529004853a4cca9cac1d
-
Filesize
1KB
MD503755b938aac83e48707d5fc8f373bce
SHA1944530a96c134bb5c6544517f3160fb77e0a23ee
SHA256fb04c74bad527f0b70986c5a14415e755cfd1ba37f644a1f9baf33865c6c6eb6
SHA512c23c22ea6aebc0ad8c689d1838f4858e5dfc60d7aa4869ae51ac9c878dc22d104e75105693ff336e94567eb8cfc29411ae9b5cccc6aa5ca74f4cdda646b37341
-
Filesize
1KB
MD5950517922218e29149700596305c51fc
SHA1cee311cb012f047d922038dc82768035eb98bd36
SHA25606763c14a353d5f6935538d96d4b120cb3f2f196f9636b0bf61818050585b3d0
SHA51298236587c98d00c8c3925eaa3764b21d4de806561fa2dfe8eaee8b4c3e004f87bc0fe230603c43e072c3f9c94b943889e7ae9fae182d79e0d3e5f84661f18638
-
Filesize
1KB
MD5f01b22bcf6037ae11194f55ef9989dc6
SHA1d718d632ab61ef041da873331521897b50b12609
SHA2567a767672360d00fc7f8ed7eefa514e2d8645790430c906e6b1db62426d3fd293
SHA512f1231fec95e31d7dcc64e99fd4c6aa3aae5924ec11f66c6a521bbee59b2271ce1ed9a66140d73b2ed5ca453e201ea9248f573dfb6472969b0aa615d0319a230d
-
Filesize
1KB
MD5da2c97339d5edb2b1b9d5d4abdcf20b9
SHA12da8bf71055220ff2ab23c787495ad99f01d3bee
SHA25606acc4ec05acab6db327dd17efef9988af813edbd6c3a2f7b6f82d7fcfced31f
SHA5121f9872c707bb4db34ddccfdf45f7059e1d69ff2b81a60a1dd97d6d0b84dd6799597d70ae20a306691c497b60b970d8343c00b52cd1deef2ec8f30021e12bec49
-
Filesize
1KB
MD519d1f461ba44611c197bd454c31a9e1a
SHA1e8d60df57b8d4cdcd1336a9324ce153f8cc031b7
SHA256c9809b79291d9ff8da2a16d86d34bff6d0c3b6016b38c4726dcbb08308b3a097
SHA51236309325adbe5ccc0d4cf70f0d68c691b72584a59b763363fd6c24f0a74a3c155e081deb851ca86c7aaed22d90ff9332e8cb2315abb1d95b8359f7abba3f3c30
-
Filesize
1KB
MD511aeb8d8334da526e97e7a310d99e4d1
SHA158bd90fba502554c4340edf9182cc81486b88a66
SHA256d38cbca08011ad6f383fc3af1c1f9abb021f8fd6f295b9e0971f4b7d5664bfea
SHA5122c8034d23c3b58cdecc695e41f9de3636229c4c896e13a5cfe759e91c1b99f39019fb79e254bcf441923103ce140a722a813e84fdaa204defce97985b0a49a4c
-
Filesize
1KB
MD527171ca076dd6f8d4d5456b4b654213d
SHA1ccf3273b136bb62e84b15cfca86deb6c367767f2
SHA256b33615918f1e91a3c17cfab5071d28b94c195ddbdef725dd1cc7819b31b552f0
SHA5124c17fad819230ebec00b9fd4be7593344c0e946a9b9d25ea517600ae54be64b2d237b30ef68e11dc3d04a0ccb399b4beecf6f42778e0ee919c58d36dc15a2a84
-
Filesize
1KB
MD5ed23401b6e689845464cd0bf3da53646
SHA16e8383154ebf7717f14556c970d1d682114d6fc3
SHA2561bd2bd37636c6e25617746120f9e131b0b58069f18e5e335f79a12c46638a285
SHA5124a159a17a00c5f5ab4a03a094b444050ff6f3e1bf5d8be3009a63d4b40e14e3c714ab5f9f537639e93f95c045d9decef904c0fa1c4a05e8afb929dcc164f0d94
-
Filesize
874B
MD51d97a2cdb17244b8c16ff8f3fd9dd188
SHA1b476cbf4543744b21aefb511c249676784a1f4ca
SHA256448b0b3cc27be6bbbdf4f44d6eb0942dbae070e707ccbf7b87c0dbe523352589
SHA512a1bda07fa6ef19f62e0bc55db95446e7466c93b236a70224c913999b694eceac79a6988c4f3ca822767a5d4e1f07fc5c96376fd895a8ffcb71a5bc833dbfa58a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b8720c0f-3efe-42df-ac47-f24ed95295a0.tmp
Filesize1KB
MD5c6dfbc71207b0e6a8c1dc51f90c373f1
SHA141990be587a665eb1a6360a0e17f0e0b80f3ae16
SHA2567af7ee9c2adba08809bf10cf2baf1cda95c7a1a63065d5d29b9c9c89687baa3a
SHA512b8e3aadd7b18dc0a1dfcaf6a247c454882d0ad4fb2d88185afd322cc364ced3653d696c7a423f4bd41364f0e0dea5424a5aed55b8341bcbb13b340102cfab723
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD55d7fb68098e37d4239f0e1bbcad3d2f0
SHA1bbea7b962d30d0f7cba7855315ac65f5fe54ce8a
SHA2567be6e2c69ca7160ab50192f80531ca3eddf8b96509403f05ef92fd0bb880b45f
SHA512344ee47ee9ab9fd3ca379480e17f5ce168778cce382d967ec6fb5014ca9bb0b5ff2558976eef77f073098b8dde71678d9d85e18eb45fd1800b6c5308748120c0
-
Filesize
11KB
MD57f6279f711e38adcd83e4a596e2a9aef
SHA1f01865a6c749158bab9a16e618191b8ed655a8d7
SHA2565a174599f9c9b25ffb586d73cf860504f7e5595af7528398b64c742d1ba3c807
SHA512807ae0eec88dff56c46e5508555da776128ea632e87361ddbf2b2f8f79dccf42012a886a0635d506004dc1d159dc2f86bba09de7b2bd288caed97a5976a5fa88
-
Filesize
11KB
MD5640d9006b1ef313318582307b87c45b5
SHA198ac4036e0d5de134818a54938dd3e0382bc4730
SHA256abf647afaa43f43c1696a8265a53ce3fd748b3bdb680fa671507554bec66f9a8
SHA512cd00c9da6fc2be6012ff27c31393d84bca05e5a1e71dc29daf210f970f7b033af61f49dd21902e2d323f7f95959726fecba5c2a6b1ee07e0406e75e481dc725e
-
Filesize
11KB
MD5aa370fe05effa499d24cd01618469aa3
SHA1b1048587447282d344149db424c02a98de0bb6f8
SHA256c01538ba7016b6e4ba26d88c1ea5605f4988baccd99b31217fa2be680fa3a48b
SHA5129736b7c6e093f4c8295f0d32d230bcbe66f18da2d462f42fc90bc68c194e4ae219de9dd394d1b76a3d6193f09185bb320b72bf391f5c9532d4ea0f693c9fe047
-
Filesize
11KB
MD52fad38852d229055c094b7173c1f6978
SHA16c53d39a76fd1bf5fef20912bf6cad39d9296051
SHA25687e66a96eeb3ccc6fa0dda0b8767036a9d19dea8b10d50177511f32c680f0aef
SHA512d313330007c43ee94f0c1871b45fa1b2a3c84c65f95d75acd637f6c859b0eefc0acfad1a8335d832fa0a7a6d4e63389d07ef85974add6e1e5fa531969b31eca2
-
Filesize
10KB
MD5422a4991b3b711327cb14bfc4931c024
SHA17567c5c28635709982180eed73548a5c16956598
SHA2565529d75c7b86fd802150bfea8bedff5394a61b9db2a3146f3c79f7ae1443477c
SHA512320dd372b4983af539ff1316641fcea3393a21dc4c5a2a676605fe380b1a38901191824f2411b1c16a4b7313b710267701382b7adc2538ef605ef757c80e599b
-
Filesize
264KB
MD51897ac06938a832e966b406338f396eb
SHA1dfd688b453141fa07fbf94eb616db03c4e2fad6b
SHA256ee45cc28ba4fe83813337a34cce084d9423ecd7894647719b96b7befafc11364
SHA512cab29594ce6979c22b56fba37bb34ca5c0b7723708a49065e1dc58d68ab42d80984207cfd351d077b676d38d2bede0317ba8297deb9f696eedcee7a883f31b1c
-
Filesize
1.3MB
MD527c325bb5e2dc3a9fb5c0b4437bc243f
SHA19880c96589a67b363377cffd1c565e1e60502afa
SHA256001aa198dd220207cd3e53c7e8b081dd093beb969f099d0ce61cb0cd452c14b3
SHA512916c2b7890a83e650efbedf669fef1883771d17d745a5d3affe942825da44b7467b16ee12cd83c7d6f50cb5ba92a86dfa0f7fc6124bcbc73b1ffc36cf95e6691
-
Filesize
32KB
MD5eb9324121994e5e41f1738b5af8944b1
SHA1aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA2562f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA5127f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2
-
Filesize
373KB
MD530cdab5cf1d607ee7b34f44ab38e9190
SHA1d4823f90d14eba0801653e8c970f47d54f655d36
SHA2561517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f
SHA512b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
2KB
MD5a56d479405b23976f162f3a4a74e48aa
SHA1f4f433b3f56315e1d469148bdfd835469526262f
SHA25617d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize
454KB
MD5a29b233216094ad01ecd5c5405bda21c
SHA1874b0eab36e5951df9a129ae272c627d661a69a4
SHA256000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607
SHA51211365254b7b91b1ea81ce84a4c05ff18b9c60f4e97c32d8c770adc9168798553768ef271ccfca812b8d10e2330fb3c95d8fbcb9a01d61454619483682cdae63e