Analysis
max time kernel: 292s
max time network: 300s
platform: windows11-21h2_x64
resource: win11-20231222-en
resource tags: arch:x64, arch:x86, image:win11-20231222-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24/01/2024, 15:37
Static task: static1
URLScan task: urlscan1
Malware Config
Signatures
Disables UAC through registry policy 3 IoCs
reg.exe sets the three UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0: EnableLUA = 0 turns UAC off entirely (effective after the next reboot), ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, and PromptOnSecureDesktop = 0 moves whatever prompts remain off the secure desktop. Writing these values requires administrative rights, so the process that ran reg.exe was already elevated.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe
Executes dropped EXE 4 IoCs
pid | Process
3060 | MSI2921.tmp
840 | dach.exe
5536 | AliIM.exe
6020 | Telegram.exe
Loads dropped DLL 9 IoCs
pid | Process (count)
1852 | MsiExec.exe (6)
1736 | MsiExec.exe (2)
5536 | AliIM.exe (1)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: through \??\Z:, every letter except C:, D: and F: (23 letters, 44 opens; each letter opened twice except J: and K:, opened once) | msiexec.exe
File opened (read-only) | \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\W:, \??\X:, \??\Y: (20 letters, one open each) | AliIM.exe
Drops file in Windows directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2130.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF89B5A97698EB023F.TMP | msiexec.exe
File created | C:\Windows\Installer\SourceHash{E10BFCE9-5548-4AA7-B08C-001328E66852} | msiexec.exe
File created | C:\Windows\SystemTemp\~DFE9E2B85DB086772F.TMP | msiexec.exe
File created | C:\Windows\Installer\e582064.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\SystemTemp\~DF1B1DFCFEC672CF5E.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI22C7.tmp | msiexec.exe
File created | C:\Windows\Installer\e582066.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2921.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e582064.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DFC3C8E3B403BCAAD2.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI20F1.tmp | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run, however, every IoC below is attributed to vssvc.exe, the Volume Shadow Copy service, which creates and writes the Partmgr PartitionTableCache and SnapshotDataCache values itself when a snapshot is requested; this matches the VSS COM API use noted further down and is not evidence that the sample inspected the disk identity (the virtual disk's Ven_DADY/Prod_HARDDISK strings).
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000930f8a5de76563100000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000930f8a5d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900930f8a5d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d930f8a5d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000930f8a5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments. A single read of the ~MHz value by the dropped AliIM.exe is weak evidence on its own; plenty of legitimate software reads the same key.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AliIM.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AliIM.exe
Enumerates system info in registry 2 TTPs 9 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ | Telegram.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Telegram.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | Telegram.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Telegram.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | Telegram.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Telegram.exe
Modifies data under HKEY_USERS 57 IoCs
Writes under \REGISTRY\USER\.DEFAULT (the profile hive of the LocalSystem account) and under S-1-5-18_Classes (S-1-5-18 is the LocalSystem SID) show that dach.exe, AliIM.exe, MSI2921.tmp and mmc.exe ran as SYSTEM, consistent with being started by the MSI install rather than from the user's desktop session; Telegram.exe, by contrast, writes to the user's own S-1-5-21-4286256601-2211319207-2237621277-1000 hive in the next signature. The four ZoneMap values (AutoDetect, IntranetName, ProxyBypass, UNCAsIntranet) are the defaults written when a profile's Internet Settings are first initialised and appear for every process that used them under this hive. ZoneMap paths below are under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap.
description | ioc | Process (count)
mmc.exe, 29 IoCs. Each of the following appears three times (the report shows three mmc.exe instances: PIDs 2944, 4344 and 5484):
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | mmc.exe (3)
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console | mmc.exe (3)
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Settings | mmc.exe (3)
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Recent File List | mmc.exe (3)
Key created | ZoneMap\ | mmc.exe (3)
Set value (int) | ZoneMap\ProxyBypass = "1" | mmc.exe (3)
Set value (int) | ZoneMap\UNCAsIntranet = "1" | mmc.exe (3)
Set value (int) | ZoneMap\AutoDetect = "0" | mmc.exe (3)
Set value (int) | ZoneMap\IntranetName = "1" | mmc.exe (3)
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E | mmc.exe (1)
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@mmcbase.dll,-14008 = "Folder" | mmc.exe (1)
dach.exe, 10 IoCs:
Key created | \REGISTRY\USER\.DEFAULT\Software\RenderSoft TextCalc | dach.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\RenderSoft TextCalc\TextCalc | dach.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\RenderSoft TextCalc\TextCalc\Settings | dach.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\RenderSoft TextCalc\TextCalc\Recent File List | dach.exe
Key created | \REGISTRY\USER\S-1-5-18_Classes\Local Settings | dach.exe
Key created | ZoneMap\ | dach.exe
Set value (int) | ZoneMap\AutoDetect = "0" | dach.exe
Set value (int) | ZoneMap\ProxyBypass = "1" | dach.exe
Set value (int) | ZoneMap\UNCAsIntranet = "1" | dach.exe
Set value (int) | ZoneMap\IntranetName = "1" | dach.exe
AliIM.exe, 10 IoCs:
Key created | \REGISTRY\USER\.DEFAULT\Software | AliIM.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | AliIM.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | AliIM.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | AliIM.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | AliIM.exe
Key created | ZoneMap\ | AliIM.exe
Set value (int) | ZoneMap\AutoDetect = "0" | AliIM.exe
Set value (int) | ZoneMap\UNCAsIntranet = "1" | AliIM.exe
Set value (int) | ZoneMap\ProxyBypass = "1" | AliIM.exe
Set value (int) | ZoneMap\IntranetName = "1" | AliIM.exe
MSI2921.tmp, 5 IoCs:
Key created | ZoneMap\ | MSI2921.tmp
Set value (int) | ZoneMap\IntranetName = "1" | MSI2921.tmp
Set value (int) | ZoneMap\AutoDetect = "0" | MSI2921.tmp
Set value (int) | ZoneMap\ProxyBypass = "1" | MSI2921.tmp
Set value (int) | ZoneMap\UNCAsIntranet = "1" | MSI2921.tmp
msiexec.exe, 3 IoCs:
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | msiexec.exe
Modifies registry class 40 IoCs
Two distinct things happen here. msiexec.exe registers the installed product under HKLM\SOFTWARE\Classes\Installer: the compressed product code 9ECFB01E84557AA40BC80031826E8625 is the byte-reversed form of {E10BFCE9-5548-4AA7-B08C-001328E66852}, the same GUID as the SourceHash file dropped in C:\Windows\Installer above; ProductName is "CS-HY", the package is CS-HY-A8-bei.msi, installed from the extracted Temp1_CS-HY-A8-bei.zip folder in the user's Temp, Language 2052 is Chinese (Simplified, PRC), and Version 16777216 (0x01000000) is 1.0.0. Separately, the dropped Telegram.exe in C:\Users\Admin\AppData\Roaming\CS-HY\telegram registers itself in the user's Classes hive as the handler for the tg: URL scheme (the URL Protocol value is what makes tg:// links from a browser launch it) and for the tdesktop.tg ProgID, both pointing at that AppData path.
description | ioc | Process
msiexec.exe, 23 IoCs. Paths given without a hive are under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9ECFB01E84557AA40BC80031826E8625:
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9ECFB01E84557AA40BC80031826E8625 | msiexec.exe
Key created | SourceList | msiexec.exe
Key created | SourceList\Net | msiexec.exe
Key created | SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9ECFB01E84557AA40BC80031826E8625 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\447F7D330553290408AE46A6F6C24E4D | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\447F7D330553290408AE46A6F6C24E4D\9ECFB01E84557AA40BC80031826E8625 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9ECFB01E84557AA40BC80031826E8625\MainFeature | msiexec.exe
Set value (str) | ProductName = "CS-HY" | msiexec.exe
Set value (str) | PackageCode = "10A04DD12B963124AA49C192A3DF0D39" | msiexec.exe
Set value (int) | Language = "2052" | msiexec.exe
Set value (int) | Version = "16777216" | msiexec.exe
Set value (int) | AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | AdvertiseFlags = "388" | msiexec.exe
Set value (int) | Assignment = "1" | msiexec.exe
Set value (int) | DeploymentFlags = "3" | msiexec.exe
Set value (int) | InstanceType = "0" | msiexec.exe
Set value (data) | Clients = 3a0000000000 | msiexec.exe
Set value (str) | SourceList\PackageName = "CS-HY-A8-bei.msi" | msiexec.exe
Set value (str) | SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_CS-HY-A8-bei.zip\\" | msiexec.exe
Set value (str) | SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (str) | SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_CS-HY-A8-bei.zip\\" | msiexec.exe
Telegram.exe, 16 IoCs. All paths are under \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes:
Key created | tg | Telegram.exe
Key created | tg\DefaultIcon | Telegram.exe
Key created | tg\shell | Telegram.exe
Key created | tg\shell\open | Telegram.exe
Key created | tg\shell\open\command | Telegram.exe
Set value (str) | tg\ = "URL:Telegram Link" | Telegram.exe
Set value (str) | tg\URL Protocol | Telegram.exe
Set value (str) | tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\CS-HY\\telegram\\Telegram.exe,1\"" | Telegram.exe
Set value (str) | tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\CS-HY\\telegram\\Telegram.exe\" -- \"%1\"" | Telegram.exe
Key created | tdesktop.tg | Telegram.exe
Key created | tdesktop.tg\DefaultIcon | Telegram.exe
Key created | tdesktop.tg\shell | Telegram.exe
Key created | tdesktop.tg\shell\open | Telegram.exe
Key created | tdesktop.tg\shell\open\command | Telegram.exe
Set value (str) | tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\CS-HY\\telegram\\Telegram.exe,1\"" | Telegram.exe
Set value (str) | tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\CS-HY\\telegram\\Telegram.exe\" -- \"%1\"" | Telegram.exe
msedge.exe, 1 IoC:
Key created | \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings | msedge.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
6020 | Telegram.exe
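The two registry tables above, reg.exe zeroing the UAC policy values and Telegram.exe registering a tg: handler under the user's Classes hive, are the rows worth pulling out of a report like this mechanically rather than by eye. The Python below is an added example, not code from tria.ge or from the analysed sample: it parses rows in the report's own "Set value (type) <path> = "<data>" <process>" form, flags UAC-weakening writes, and lists every shell\open\command handler, recording whether the scheme also carries the URL Protocol value (so a browser link can reach it) and whether the target executable lives under AppData. The sample rows are copied from this page (plus one benign ZoneMap row as a control); the AppData heuristic and the two Classes-hive path shapes the regexes accept are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: registry events copied from the signature tables
# of this report, one event per line in the report's "<description> <ioc>
# <process>" form. The final ZoneMap row is a benign control case.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reg.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\tg\URL Protocol Telegram.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\CS-HY\\telegram\\Telegram.exe\" -- \"%1\"" Telegram.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\CS-HY\\telegram\\Telegram.exe\" -- \"%1\"" Telegram.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\tg\shell\open\command Telegram.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mmc.exe',
]

# "Set value (<type>) <path>[ = <data>]"; the process name has already been
# split off the end of the row. Paths may contain spaces, so the path group is
# non-greedy and the " = " separator anchors the data.
SET_RE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<path>.*?)(?: = (?P<value>.*))?$')

# Assumed path shapes for class registrations: HKLM\SOFTWARE\Classes\<scheme>
# and HKU\<sid>_Classes\<scheme>. Other layouts are not handled here.
CLASSES = r'^\\REGISTRY\\(?:MACHINE\\SOFTWARE\\Classes|USER\\[^\\]+_Classes)\\(?P<scheme>[^\\]+)'
OPEN_CMD_RE = re.compile(CLASSES + r'\\shell\\open\\command\\?$', re.IGNORECASE)
URL_PROTO_RE = re.compile(CLASSES + r'\\URL Protocol$', re.IGNORECASE)

UAC_KEY = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Value name -> predicate on the integer that means "UAC weakened".
UAC_WEAK = {
    "EnableLUA": lambda v: v == 0,                   # UAC off entirely
    "ConsentPromptBehaviorAdmin": lambda v: v == 0,  # elevate without prompting
    "PromptOnSecureDesktop": lambda v: v == 0,       # prompts off the secure desktop
}


@dataclass
class RegEvent:
    path: str      # full key path with the value name as its last component
    value: str     # decoded data, "" when the report shows none
    process: str


def parse_event(line):
    """Parse one 'Set value' row; return None for rows that carry no data."""
    body, process = line.strip().rsplit(" ", 1)
    m = SET_RE.match(body)
    if not m:
        return None
    raw = m.group("value") or ""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        # The report escapes embedded quotes and backslashes inside the quotes.
        raw = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return RegEvent(m.group("path"), raw, process)


def uac_findings(events):
    """(value name, value, process) for every UAC-weakening policy write."""
    out = []
    for ev in events:
        key, _, name = ev.path.rpartition("\\")
        if key.lower() != UAC_KEY.lower() or name not in UAC_WEAK:
            continue
        try:
            num = int(ev.value)
        except ValueError:
            continue
        if UAC_WEAK[name](num):
            out.append((name, num, ev.process))
    return out


def command_exe(cmd):
    """First token of a handler command line, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def handler_findings(events):
    """One record per shell\\open\\command registration seen in the events."""
    url_schemes = set()
    commands = {}
    for ev in events:
        m = URL_PROTO_RE.match(ev.path)
        if m:
            url_schemes.add(m.group("scheme").lower())
            continue
        m = OPEN_CMD_RE.match(ev.path)
        if m and ev.value:
            commands[m.group("scheme").lower()] = (ev.value, ev.process)
    findings = []
    for scheme, (cmd, proc) in commands.items():
        exe = command_exe(cmd)
        findings.append({
            "scheme": scheme,
            "url_protocol": scheme in url_schemes,            # reachable from a browser link
            "exe": exe,
            "user_writable": "\\appdata\\" in exe.lower(),    # assumed heuristic: per-user path
            "process": proc,
        })
    return findings


def analyse(lines):
    events = [ev for ev in (parse_event(l) for l in lines) if ev is not None]
    return {"uac": uac_findings(events), "handlers": handler_findings(events)}


if __name__ == "__main__":
    for section, rows in analyse(SAMPLE_EVENTS).items():
        print(section)
        for row in rows:
            print("  ", row)
```

Run against the sample it reports all three UAC values written to 0 by reg.exe, and two handlers pointing at the AppData Telegram.exe, of which only tg is a URL protocol (tdesktop.tg is a plain ProgID). Feeding it the full signature tables of a report is a matter of splitting the rows one per line first.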
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process (count)
2632 | msedge.exe (2)
3416 | msedge.exe (2)
1376 | msedge.exe (2)
1124 | identity_helper.exe (2)
4448 | msedge.exe (2)
1616 | msiexec.exe (2)
5536 | AliIM.exe (2)
1180 | msedge.exe (4)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid | Process (count)
3416 | msedge.exe (11)
Suspicious behavior: SetClipboardViewer 2 IoCs
pid | Process
4344 | mmc.exe
5484 | mmc.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Both PIDs are Windows Installer instances; an installer adjusting its own token privileges during an MSI install is expected and is not an indicator on its own. The table, in its original order:
description | pid | Process (count)
Token: SeShutdownPrivilege, then SeIncreaseQuotaPrivilege | 1940 | msiexec.exe (2)
Token: SeSecurityPrivilege | 1616 | msiexec.exe (1)
Token: the following 29 privileges, enabled in this order twice over: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege | 1940 | msiexec.exe (58)
Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege | 1940 | msiexec.exe (3)
Suspicious use of FindShellTrayWindow 51 IoCs
pid | Process (count)
3416 | msedge.exe (45)
1940 | msiexec.exe (2)
6020 | Telegram.exe (4)
Suspicious use of SendNotifyMessage 16 IoCs
pid | Process (count)
3416 | msedge.exe (12)
6020 | Telegram.exe (4)
Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process (count)
840 | dach.exe (2)
2944 | mmc.exe (2)
4344 | mmc.exe (2)
5484 | mmc.exe (2)
6020 | Telegram.exe (1)
Suspicious use of WriteProcessMemory 64 IoCs
All 64 rows are msedge.exe PID 3416 writing into four of its own child processes (2592 is the crashpad handler, 3136 the GPU process, 2632 the network service and 5068 the storage service in the process list below). That is how Chromium bootstraps its children and is not injection into a foreign process; the signature fires on the API, not on the relationship between the processes.
description | pid | Process | procid_target (count)
PID 3416 wrote to memory of 2592 | 3416 | msedge.exe | 71 (2)
PID 3416 wrote to memory of 3136 | 3416 | msedge.exe | 80
PID 3416 wrote to memory of 2632 | 3416 | msedge.exe | 81 (2)
PID 3416 wrote to memory of 5068 | 3416 | msedge.exe | 82
The remaining 60 rows are repeats of the writes into 3136 and 5068.
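Reading 64 near-identical WriteProcessMemory rows by eye is how the benign case above gets mistaken for injection. As an added example (not code from tria.ge or from the sample), the Python below collapses rows in the report's "PID <a> wrote to memory of <b> <a> <image> <procid_target>" form into distinct writer/target edges with counts, then checks each edge against a PID-to-image map taken from the Processes section: a write into a process running a different image is the shape of injection, a browser writing into its own children is not. The sample rows and PID map are copied from this page; the second, clearly hypothetical row set (loader.exe writing into explorer.exe) is constructed only so the check has a positive case to exercise.

```python
import re
from collections import Counter

# Constructed sample: a subset of this report's WriteProcessMemory rows (the
# full table repeats the same four targets 64 times) and the PID -> image map
# read off its Processes section.
SAMPLE_ROWS = [
    "PID 3416 wrote to memory of 2592 3416 msedge.exe 71",
    "PID 3416 wrote to memory of 2592 3416 msedge.exe 71",
    "PID 3416 wrote to memory of 3136 3416 msedge.exe 80",
    "PID 3416 wrote to memory of 3136 3416 msedge.exe 80",
    "PID 3416 wrote to memory of 3136 3416 msedge.exe 80",
    "PID 3416 wrote to memory of 2632 3416 msedge.exe 81",
    "PID 3416 wrote to memory of 2632 3416 msedge.exe 81",
    "PID 3416 wrote to memory of 5068 3416 msedge.exe 82",
]
PROCESSES = {3416: "msedge.exe", 2592: "msedge.exe", 3136: "msedge.exe",
             2632: "msedge.exe", 5068: "msedge.exe"}

# Hypothetical rows, NOT from this report: what a cross-image write looks like.
INJECTION_ROWS = [
    "PID 1111 wrote to memory of 2222 1111 loader.exe 90",
    "PID 1111 wrote to memory of 2222 1111 loader.exe 90",
]
INJECTION_PROCESSES = {1111: "loader.exe", 2222: "explorer.exe"}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<src2>\d+) (?P<image>\S+) (?P<target_id>\d+)$"
)


def parse_rows(rows):
    """Return (writer pid, writer image, target pid) per row; skip malformed rows."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m or m.group("src") != m.group("src2"):
            continue  # the writer pid is repeated in the row; mismatch means garbling
        edges.append((int(m.group("src")), m.group("image"), int(m.group("dst"))))
    return edges


def collapse(edges):
    """Distinct edges with how many rows each one accounts for."""
    return Counter(edges)


def cross_image_writes(edges, processes):
    """Edges whose target runs a different image than the writer.

    Targets missing from the PID map cannot be vouched for, so they are
    reported too, with target_image set to 'unknown'.
    """
    hits = []
    for (src, image, dst), count in collapse(edges).items():
        target_image = processes.get(dst, "unknown")
        if target_image.lower() != image.lower():
            hits.append({"writer": src, "image": image, "target": dst,
                         "target_image": target_image, "count": count})
    return hits


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    for edge, n in collapse(edges).items():
        print(f"{edge[1]} ({edge[0]}) -> {edge[2]}: {n} row(s)")
    print("cross-image writes in report sample:", cross_image_writes(edges, PROCESSES))
    print("cross-image writes in hypothetical set:",
          cross_image_writes(parse_rows(INJECTION_ROWS), INJECTION_PROCESSES))
```

On the report's own rows the check returns nothing, which is the point: the 64 IoCs reduce to four parent-to-child edges within Edge. The PID map is the part a reader has to supply; here it comes from the Processes section, in a pipeline it would come from the report's process tree.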
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
The root process is Edge opening the submitted URL https://teleglren.com/; the child processes listed under it are Edge's own crashpad, GPU, utility and renderer processes (see their --type= arguments), all spawned by PID 3416. Children are indented under their parent.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://teleglren.com/
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3416

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa6be63cb8,0x7ffa6be63cc8,0x7ffa6be63cd8
      PID: 2592

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
      PID: 3136

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 2632

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
      PID: 5068

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      PID: 4588

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      PID: 4976

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 1376

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 1124

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
      PID: 924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:12⤵PID:4620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵PID:948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵PID:772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:12⤵PID:1488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:12⤵PID:2840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:12⤵PID:488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:12⤵PID:4700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:12⤵PID:2244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,2290033605557971978,229898428173180750,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1180
-
-
PID 2884 (depth 1): C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 5032 (depth 1): C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 2772 (depth 1): C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 1940 (depth 1): C:\Windows\System32\msiexec.exe
  cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_CS-HY-A8-bei.zip\CS-HY-A8-bei.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

PID 1616 (depth 1): C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  PID 1852 (depth 2): C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 65ED2C78D5F7D3112520A243DF617AA2 C
    - Loads dropped DLL

  PID 4972 (depth 2): C:\Windows\system32\srtasks.exe
    cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  PID 1736 (depth 2): C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9BA6F3524023BE6A890AC8CAA7FC9184
    - Loads dropped DLL

  PID 3060 (depth 2): C:\Windows\Installer\MSI2921.tmp
    cmdline: "C:\Windows\Installer\MSI2921.tmp" /EnforcedRunAsAdmin /RunAsAdmin "C:\Users\Admin\AppData\Roaming\CS-HY\telegram\tdata\emoji\dach.exe"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS

    PID 840 (depth 3): C:\Users\Admin\AppData\Roaming\CS-HY\telegram\tdata\emoji\dach.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\CS-HY\telegram\tdata\emoji\dach.exe"
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of SetWindowsHookEx

      PID 5280 (depth 4): C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\mhT2S.bat"

        PID 5368 (depth 5): C:\Windows\system32\reg.exe
          cmdline: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
          - UAC bypass

        PID 5352 (depth 5): C:\Windows\system32\reg.exe
          cmdline: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
          - UAC bypass

        PID 5336 (depth 5): C:\Windows\system32\reg.exe
          cmdline: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
          - UAC bypass

      PID 5420 (depth 4): C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\Ob5t2\X6ytc_A8\n+C:\Users\Public\Pictures\Ob5t2\X6ytc_A8\m C:\Users\Public\Pictures\Ob5t2\X6ytc_A8\UpdateAssist.dll

PID 1912 (depth 1): C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)

PID 2944 (depth 1): C:\Windows\system32\mmc.exe
  cmdline: C:\Windows\system32\mmc.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

  PID 1260 (depth 2): C:\Windows\System32\netsh.exe
    cmdline: "C:\Windows\System32\netsh.exe" interface ip set address 以太网 static 1.0.0.2 255.255.255.0 1.0.0.1 1
    (以太网 is the default adapter name for "Ethernet" on a zh-CN Windows install; this image is en-us.)

PID 4344 (depth 1): C:\Windows\system32\mmc.exe
  cmdline: C:\Windows\system32\mmc.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of SetWindowsHookEx

  PID 4812 (depth 2): C:\Windows\System32\netsh.exe
    cmdline: "C:\Windows\System32\netsh.exe" interface ip set address \"WLAN\" static 1.0.0.3 255.255.255.0 1.0.0.1 1

PID 5484 (depth 1): C:\Windows\system32\mmc.exe
  cmdline: C:\Windows\system32\mmc.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of SetWindowsHookEx

  PID 5536 (depth 2): C:\Users\Public\Pictures\Ob5t2\X6ytc_A8\AliIM.exe
    cmdline: "C:\Users\Public\Pictures\Ob5t2\X6ytc_A8\AliIM.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

    PID 5680 (depth 3): C:\Windows\SysWOW64\netsh.exe
      cmdline: "C:\Windows\System32\netsh.exe" interface ip set address \"以太网\" dhcp
      (The interface name was captured as GBK bytes and rendered as Latin-1 ("ÒÔÌ«Íø"); it is repaired here to 以太网. The image path is SysWOW64 while the command line says System32 because the 32-bit parent AliIM.exe is subject to WOW64 file-system redirection.)

    PID 5700 (depth 3): C:\Windows\SysWOW64\netsh.exe
      cmdline: "C:\Windows\System32\netsh.exe" interface ip set address \"WLAN\" dhcp

PID 6020 (depth 1): C:\Users\Admin\AppData\Roaming\CS-HY\telegram\Telegram.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\CS-HY\telegram\Telegram.exe"
  - Executes dropped EXE
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
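The chain above has three steps worth a detection rule rather than a hash: the batch file under dach.exe zeroes the three UAC policy values (EnableLUA=0 disables UAC only after a reboot, while ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 remove the consent prompt and the secure desktop for admin tokens), a `cmd /c copy /b n+m UpdateAssist.dll` stitches a split payload back into a DLL, and netsh is used to pin the adapters to static 1.0.0.x addresses before AliIM.exe returns them to DHCP. The following is an added example, not tria.ge code: it runs those three rules over constructed process-creation events shaped like the tree on this page, and separately evaluates a snapshot of the UAC policy key. The event tuple layout, rule names and the `evaluate_uac_policy` input format are assumptions; in a real pipeline the events would come from Sysmon Event ID 1 or Security 4688 and the snapshot from `reg query`.

```python
"""Flag the UAC-disabling, payload-assembly and netsh steps seen in this report.

Added example, not tria.ge tooling. Events are (pid, image, cmdline) tuples in
the shape of the process tree above (assumed layout).
"""
import re
from dataclasses import dataclass

# HKLM key holding the UAC policy values the batch file zeroes out.
UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
# Stock Windows 10/11 defaults, used when a value is absent from the key (assumption).
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}


@dataclass(frozen=True)
class Hit:
    pid: int
    rule: str
    detail: str


# reg add <key> /v <name> /t reg_dword /d <data>; keys without spaces need no quotes.
_REG_ADD = re.compile(
    r'\breg(?:\.exe)?"?\s+add\s+"?(?P<key>HK\S+?)"?\s+/v\s+(?P<name>\w+)'
    r'\s+/t\s+reg_dword\s+/d\s+(?P<data>\w+)', re.I)
# copy /b part1+part2 target: binary concatenation of a split payload (space-free paths).
_COPY_B = re.compile(r'\bcopy\s+/b\s+(?P<src>\S+)\s+(?P<dst>\S+)', re.I)
# netsh interface ip set address <iface> static <ip> ...; iface may be quoted or \"escaped\".
_NETSH_STATIC = re.compile(
    r'netsh(?:\.exe)?"?\s+interface\s+ip\s+set\s+address\s+(?P<iface>\\?"[^"]+\\?"|\S+)'
    r'\s+static\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})', re.I)


def _norm_key(key: str) -> str:
    k = key.strip('"').upper()
    return k.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")


def _is_uac_disable(key: str, name: str, data: str) -> bool:
    """True when a reg add writes 0 to one of the UAC policy values under HKLM."""
    try:
        value = int(data, 0)  # decimal or 0x-prefixed hex, as reg.exe accepts
    except ValueError:
        return False
    return (_norm_key(key) == "HKLM\\" + UAC_POLICY_KEY.upper()
            and name.lower() in UAC_VALUES and value == 0)


def scan(events):
    """Return one Hit per matching rule per event; events matching no rule yield nothing."""
    hits = []
    for pid, image, cmdline in events:
        m = _REG_ADD.search(cmdline)
        if m and _is_uac_disable(m["key"], m["name"], m["data"]):
            hits.append(Hit(pid, "uac_disable", f"{image}: {m['name']}=0"))
        m = _COPY_B.search(cmdline)
        if m and "+" in m["src"] and m["dst"].lower().endswith((".dll", ".exe")):
            hits.append(Hit(pid, "payload_assembly", f"{m['src']} -> {m['dst']}"))
        m = _NETSH_STATIC.search(cmdline)
        if m:
            hits.append(Hit(pid, "static_ip_set", f"{m['iface']} -> {m['ip']}"))
    return hits


def evaluate_uac_policy(values):
    """values: {name: DWORD} read from the policy key. Returns {name: why it matters}
    for every value that weakens UAC; an empty dict means the defaults are intact."""
    merged = {**UAC_DEFAULTS, **values}
    weak = {}
    if merged["EnableLUA"] == 0:
        weak["EnableLUA"] = "UAC disabled entirely; takes effect at the next reboot"
    if merged["ConsentPromptBehaviorAdmin"] == 0:
        weak["ConsentPromptBehaviorAdmin"] = "admin tokens elevate silently, no prompt"
    if merged["PromptOnSecureDesktop"] == 0:
        weak["PromptOnSecureDesktop"] = "prompts drawn on the user desktop, spoofable"
    return weak


SAMPLE_EVENTS = [  # constructed from the process tree on this page, plus two negatives
    (5368, r"C:\Windows\system32\reg.exe",
     r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F"),
    (5352, r"C:\Windows\system32\reg.exe",
     r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F"),
    (5336, r"C:\Windows\system32\reg.exe",
     r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F"),
    (5420, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\Ob5t2\X6ytc_A8\n+C:\Users\Public\Pictures\Ob5t2\X6ytc_A8\m C:\Users\Public\Pictures\Ob5t2\X6ytc_A8\UpdateAssist.dll'),
    (1260, r"C:\Windows\System32\netsh.exe",
     r'"C:\Windows\System32\netsh.exe" interface ip set address 以太网 static 1.0.0.2 255.255.255.0 1.0.0.1 1'),
    (5700, r"C:\Windows\SysWOW64\netsh.exe",
     r'"C:\Windows\System32\netsh.exe" interface ip set address \"WLAN\" dhcp'),
    (4972, r"C:\Windows\system32\srtasks.exe",
     r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    (9999, r"C:\Windows\system32\reg.exe",  # constructed: re-enabling UAC is not a hit
     r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.rule:<17} pid={hit.pid:<5} {hit.detail}")
    for name, why in evaluate_uac_policy({"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0}).items():
        print(f"weak: {name}: {why}")
```

The `uac_disable` rule matches only writes of 0 under the HKLM policy key, so a later `/d 1` restore does not fire; the DHCP reverts from AliIM.exe likewise fall outside `static_ip_set`, which is deliberate: a static address in 1.0.0.0/24 followed by DHCP on both adapters is the sequence worth alerting on, and the DHCP step is visible in the same process tree once the static one has fired.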
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548) (1): Bypass User Account Control (T1548.002) (1)
Defense Evasion
- Abuse Elevation Control Mechanism (T1548) (1): Bypass User Account Control (T1548.002) (1)
- Impair Defenses (T1562) (1): Disable or Modify Tools (T1562.001) (1)
- Modify Registry (T1112) (1)
Downloads
- Filesize: 421KB
  MD5: 2a6a0868d91c40d6ae8c6e9d6492d6cc
  SHA1: 44d1fb71f1c96d21a38123c9cffa300117221418
  SHA256: 49a98269a7257ce5f37281ff984cb0fc37b9a7dc3c1b0e915eee26f9d423a42c
  SHA512: f5030204e641c5d20068d391be0621de3eaf0b3e842e023b98c0fde9ebcd914ddd30382ea3dc3a419f17ba9eb746bc04ac63837c40028b8d7dd13c1af1be859c
- Filesize: 152B
  MD5: 0bed556ffeb1e69835b408d733b041f0
  SHA1: e2aec94abd489a26f36a9694c7ef3903af6409b6
  SHA256: 7d60b9117a935eaba25d7273a5b5e8ba04ece22672661ecb37a3c8a08f61def3
  SHA512: 47d492a7c72f9d12511f070d7d28451b1c52c5f0d446890e704b02bbc51330b1890c5ac4e050d514ff1bfd9c64421adeebee114718042af5aee3f5fdfb413fc8
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 72B
  MD5: f4c097cd03f7634c5f84faa38612059c
  SHA1: ae602aa37b6db472a7a5d6e7497a87530ae5248e
  SHA256: 83a46957debb555f73bce399db0963117c651d9d37c10fcc3329da1c04de342d
  SHA512: 235b62f8b7b810a3e441aa88625c37aee7ea8cad1f369939ec13f3dbdc980b8e65d497e60ab110c5acee613e9d3b30746f61c79f8a750b7c4e853286593ad60f
- Filesize: 1KB
  MD5: 91aafe7bf915ec63b61b801cf62b8973
  SHA1: 6ea68fc692cfb5cbc6e8c92c4a66a31eeebcf946
  SHA256: 78eae3b1defa8e6cae3f3a55296059fcf08ab5148491958e68427d468258e143
  SHA512: ccf7fbfae651ece8253b83dcec7179b9bc5d046e8eb42e16af9d3bfcec271ee892ea08a8169da79e8a81b1616d71f8ec0068b03f4731b26e0aae877e76abf112
- Filesize: 4KB
  MD5: 199edd1df7f83e4aa3f55fae1f88c265
  SHA1: fde18c3e3e91819ccf9e1ceaeaf628f84bbb2354
  SHA256: 5fbf516786671534acc3b1f066d7331fc2ffebfaf03f64797e7b2c737dd98939
  SHA512: 486c327322ea833ec7733e8695d353f9b1d7a41a7dfcf54652f8395ac091c5e662094155bc01db866bc7ad10b316acbcc80c803bd5fab40a115f6731cdc3340d
- Filesize: 5KB
  MD5: 67e2f4ea301256c27ecbaaec529dbd65
  SHA1: b5551978c291de325f4b3cf772f06747ba2e7936
  SHA256: 94a925c8d90152df82c3b588b700c40198951cb907a50152a0e80ea959f050ad
  SHA512: 45a0398e68d7a5a67a5a088daef7793b186d00d1b8afdee6219c6ba37d5bba1dad4a8a2742f395f2847bf3cda3e2b882e8759ea91c46c7a7eb6f89bebfff358d
- Filesize: 6KB
  MD5: 6b07e8693ce2ff5257cbbddbed442795
  SHA1: 885246e34554e1559b5bdb7bca0ecbbeb37c3183
  SHA256: a71fff7aa6b926bb90e3dd917f08daa7535c85af33471d1e0e5f552709cadf96
  SHA512: 0b7a3ce89ed52d66acaf79330c3acb2ab3e102bda2c3f3a6f9d9012b5c04f5cec5103eb66567edf3b52dc82690f27d3e97599128596f66c3e81c76f48dde75b7
- Filesize: 6KB
  MD5: ef3da358ece26644962aa4a35df77e14
  SHA1: 657eb5c84bb9cf7f1a9a3ff6ebf7f0fd97dcd0be
  SHA256: 2b36bbc95595cb0b07942f17390aa7aea7cbaff74f6085ba17326999c6851012
  SHA512: 13c7ecc2f0519265b0921ab9b70222f088a3007a51901ed29e436845f08fbfe56ef674f4141e3eed7c83e039dcd179ef3d60e28eb09272d85d569fb69b0f4ca8
- Filesize: 25KB
  MD5: 5e1542ec05a1840cfb56ae87d1c2e16e
  SHA1: 25bdd95b83b7c614a6446609cff6ecbcab58d9d8
  SHA256: 41acd6ffea81ff1b8b58a4693696a397817473eb899edbf6606314820a8e40b8
  SHA512: 12c32368cbedc3d2515907ab740c75022fc4eaecec9b45734f346db0df209e667b066b2fcd891e84193868ecec8b892e7b484c66a8b329562bad53a69b25c0db
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\3ff0e4ab-282c-48d9-b3a2-5ae7dd81cd32\042303667bb256b3_0
  Filesize: 2.4MB
  MD5: afe4fa2495e831f2d5c975aae048072e
  SHA1: 4b9944677a719d780c5d7bfacd85870026dd0b69
  SHA256: 3784e78826278b9e336ded29bff363a02dba34fc68257607069fa568f68de791
  SHA512: 1ba367fd3a9361f51ae13135f0a5c4d150f3f33f4c6f9219ae99f07ed053afbf145f5574400c6c834d47ef53b3afb698e9d1a41096187e2e8666d368bb4aa3fd
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\3ff0e4ab-282c-48d9-b3a2-5ae7dd81cd32\index
  Filesize: 24B
  MD5: 54cb446f628b2ea4a5bce5769910512e
  SHA1: c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
  SHA256: fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
  SHA512: 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\3ff0e4ab-282c-48d9-b3a2-5ae7dd81cd32\index-dir\temp-index
  Filesize: 48B
  MD5: c2f5cabab966762e54934408fbee5629
  SHA1: 116af1182b188259341b2b262a273280b48c78f1
  SHA256: 6f61dd46e92a0113e53901c77ec027edead5a37069f9045d7d9c16e493e7b172
  SHA512: c3eeb22ed19c982e6da255975f5e7f1001e6c66f41d42269474f6bbb375247a8f12a61ee1274d5c7cf1458bd277e96875033b2d47ebb88ba5cfcb9ec68cfe517
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\3ff0e4ab-282c-48d9-b3a2-5ae7dd81cd32\index-dir\the-real-index
  Filesize: 144B
  MD5: fa307b37c74e904086e2b3f77d670ba5
  SHA1: 74ad546a9fc56bda37381e16d9cffec10f80520b
  SHA256: bc41127cbf57185357dbf8aca63fd41a7bd4463032623a44de6f3b63b0c1ff3e
  SHA512: c5c25a68b49be49010a1c3f2a1b251985cb0db167a70cde7ff09ee157c38fd2a3aafc4df2f0f15826cf013043691914b6dd1ac483b56d7506150f44459093e94
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\44749d9b-313c-410c-b4b9-1296754f11b2\index-dir\temp-index
  Filesize: 144B
  MD5: f3cf809df24a2529da5da93607dc856b
  SHA1: ccbc708b0b07dc4d28ea6154de7d692cc4c5011f
  SHA256: 572f9bb0b8e22beb39ac526e6a98064b32def3c3688e2fa1220cef1056003363
  SHA512: 0ec497ff384050c8728e88654b9f11fcf6eed5007ededd9cf4e809badc5d3317bbc9328d498d5e6c5975dc932cfb5c2899042b16190e0dd6e63ca24650d2c144
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\f030dcad-f964-47c1-a269-9f9d3bbcbd2b\index-dir\the-real-index
  Filesize: 72B
  MD5: e28d41aad47fd3c3dda70021a7eee3e0
  SHA1: 564e3a4384079331df58e6cc3ef4722a92f1f93f
  SHA256: 425afe40c3ef1b8de5051b5daba3b3dbe8d4883ace36f6dc23818921261da033
  SHA512: 4d1cb0ff427377f5541a328c23096ed80492f45337481e8cdfd29d6c7518cc3c7e11187b5313b1f533de38147550a482458cf175156720e5f285393c4b58b671
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\index.txt
  Filesize: 97B
  MD5: 8b012b9a17fc5a2ec5b0dc90fcb9042c
  SHA1: 9eb4ffbb7c88f8231641c0d7e44dad651a93fdb4
  SHA256: 19a08403628e4670373c7892a3ad017904ea7437fc2d40452a672a29a7428659
  SHA512: 5b1299fe0b308bcd30175cb07b6157e3130810110d022a4d514842bf0e4299332f26441776a7248097b1f3dd0399b59900ae4cfc9f341783ebe4c0fa9707901b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\index.txt
  Filesize: 165B
  MD5: 74a7db10b5e8079c994886ac356a1da0
  SHA1: 8941a1007ed9802e46aee49e6b9fc06c075ff1bf
  SHA256: b3d8767d0f018b3289a9eecc5136b2147dc1dd45bb4517f28b47d9a8e1c100c7
  SHA512: 943ddc9c096c9e510c23abf675aced2da7f2217e1f1995c49fbd4ff351e77c2fbf4aef173398d65058c717c79df41852e41fc5f8644322423c2d82b4e1259fef
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\index.txt
  Filesize: 233B
  MD5: 4ce2818b6db74b0281cd5057d247cd2b
  SHA1: 6d9aa3f9b09256577c3431047fe5e5ce89073128
  SHA256: 11dbe28c399d9789929f8586121323814791b9fb91f873a1b1ad6efa0124fb56
  SHA512: 1ae7816cc70bc11cfca4ee53da404e1e860adba801c4ad44da396a28a2a6b3156ed1f0cf22c48b0700d1f4cddf1bed8ce6278c3a7b726b5a68a41a8eea78e00d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\index.txt
  Filesize: 233B
  MD5: c96fde6686976b99e14dd9a60dbad934
  SHA1: 718893ac847a76d37d01c9cbf12db6e571bb22e2
  SHA256: 985d38721ec8ca58e186475dc564402ce3853d94a47a3e3cbac1a6e00eec2969
  SHA512: 83541cfa0f6303fd780bfb1ae09dae18fe6882ce37a052fbc2feeb4bb030c956072ed6e1b359fac3139d46617e47be671090f7b3a2c65291ecd5461f660dbf7d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\index.txt
  Filesize: 161B
  MD5: 22fec9d0d1161e2af6dfbcc58d96ada8
  SHA1: 7e257e8e91005808e70664b4151a73552ad45f4d
  SHA256: 6f1cd339b23a6ded5dd0b7c2a873960c2a2649a3a0467e4e837410192e10a2c2
  SHA512: b0bf873f750ed136ebdccf373c99c71dfe96affc3b4f6be3f53ee5d0a8d5560654d47954d08db41e25ec05f309c0fe291af8f4c61dde76abc650e035420ef055
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\index.txt
  Filesize: 161B
  MD5: f074f625969ddd206129554ef3b410f2
  SHA1: e6912f5d4a5b1fc1242c474979ff0133ff9f9c6d
  SHA256: 8681b57be2f90503987f37c4cd7f3927728a99b022d6a1bf2a92cd27691501cc
  SHA512: 9b24a7a3523391e3c53aa1a87f684841fee4a02367929de94f61c31969c62cca7b23ee1715019ed06ec881d24fa11d86dfeae7105c99ba81eb931d3dd5ac8215
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\80bf87fbb7f348794743b0f19b710d3cfa91e4b6\index.txt
  Filesize: 160B
  MD5: 86ca16db2a9e587eb76cb8c668fdad54
  SHA1: 7e62f2c27f2792d2cdfb11456e76de61f325aa13
  SHA256: 0b6f854180cce2d10b1e593c6f7d4b43600473e4278fe48cf4980a2e02067a95
  SHA512: d9167b85adc4ceb48635aea23f2825c380d100448fcf2db168d6147bcfdd4c61cc00c5db046303195366d2bbb32070d81fdb22a7b5ef3d330028784994c92f31
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: 6de99bceac486cb3ebc97ebc89942284
  SHA1: 2347e3dc38e35f50da850f96c7912f8fa40b8563
  SHA256: 3382bdcd68ea20c1fb757dbaa0ad23415cb888fac532a6c4466d3aeb22333772
  SHA512: 131cfc412198a9f53d3b6d02dc7a737f42846e65981a06dbb735f7618b761cd015bb82bc6f2fb0de37b3bc2ebb06638beef33e2b5ee8b895ae5f04d2d66a4c9e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a8f2.TMP
  Filesize: 48B
  MD5: 7bd82ad544db6a812a08569593b50ef5
  SHA1: cd837267377245e5444d47e39017f7ff24ec6094
  SHA256: 2bd771cbed6611a767f5436848cad3e4168b7a66c2f38b0407894421d48a17a6
  SHA512: 7af8a066c0665a127664450ce5eb96fc4c3f04006eb555805f459eafcb43959def0ee2667cc54dee1c272366e4de81fc5dcfdb615ecb67a0b001f7b83b487f81
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: c6cc7773756f94c5d5d48bdfd801b22b
  SHA1: 27c2c28fdc0ab05e1c33f76b2b3be3dcb9c0cca7
  SHA256: 99f3daa54f150ac07151a66e4e3f8eb1889df9e8372aff213bb1370fe5c5540b
  SHA512: 3a707bc09f70daf66be464da739f0cd8419c0cae497598a7911d2929bd54f8267aed8e22c983062904b4bc3e7464b59858ed828bf6dd12b015d5650f6fdc7967
- Filesize: 10KB
  MD5: 67f88e8c5ca1fd93859c28f0c4479624
  SHA1: f90afd5526197ae35a9239668fc8df047ed09ae2
  SHA256: 899671f9d077f201d0e9a3f307a231d7861bcf1d09a519c2b5d6e0cbb114e521
  SHA512: 22c11c0e08662bc733122cfd81b46dc1511ab6bc74ce63c39ff0f0069ee11a9bb5b9342f450c2be312bed112134ca2a0816559d8d2385b86d871d0e57f09f88e
- Filesize: 10KB
  MD5: 7fe10a42345f947a34f144eab547e274
  SHA1: 294ec797c609ed97e60d5a35967b007e753cadf9
  SHA256: cf5c8f7d32c54b6781fd757213d75feed4b68bea61effce6a0796f3bef6ca782
  SHA512: 6cc6ab4a1835851e20b0448a80d476ff60c504cd46d9aa3b933948edb442f51303eff914ebdf8bbbdbef18cacc5bf1497a6245d98f63bcaad9c214526367ef46
- Filesize: 540KB
  MD5: dfc682d9f93d6dcd39524f1afcd0e00d
  SHA1: adb81b1077d14dbe76d9ececfc3e027303075705
  SHA256: f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328
  SHA512: 52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9
- Filesize: 9.2MB
  MD5: 3a02061b4342bd2137ed355a74e13ab4
  SHA1: 11912896078f679a88eeac8ae1ad90ca0a66e79d
  SHA256: 2bf69ff1d569c9851f98bbce9255adc6f80bfd51bc9f7051c00cced7337b41d6
  SHA512: 56b68912cb59b7b634a2429c0b557d9b8273bfbd46582ce0be7e0ebc50b6f90820735b54df54899750215ad3e9cc6ea90f20e2dbac9e7d0f1108275053a1823d
- Filesize: 15.8MB
  MD5: 7ba8407f5572cd8d07c484237a057f05
  SHA1: 8f222f0b1b69b3feb4b9c1ad3bb1553cdc32e97f
  SHA256: edc2b1cd07915b8f1b8b498b900b1c35aa3d5f8043b6173b536f7905c715e1cc
  SHA512: 4169abe7215b7df6b02b9904dd255b0a7c61cbdce0bd9eac6a449a5d88f47ad4ccb1474d6631b8dfea5aa9c6f7444d816d836b4459ff9cafcad433c13cde0ed8
- Filesize: 140B
  MD5: 54291af0f142fa44542dd9b923c62599
  SHA1: e4003f0b6f4647ec0f9b5aee43fd194657b0c272
  SHA256: 725450027a36383781222d1eb19461bebae3d01c0ac16ec86e082e0aaec69fc1
  SHA512: f772fe404af8da115ec6773c68ea1946d0b9917ccb1d50497b365f6d7ca8595fbf0ed52b901b68d4f161e76895789d71b6437a9259b66d519db266468807cc3d
- Filesize: 521KB
  MD5: f927b4fe63715ccb8b4801ecc2b0d455
  SHA1: 613811df57a5b731dc2252d6fdd8549269efbe01
  SHA256: 3b3236943b2c5f46ce0a483b1a1e303ae4bb270ef4fe6e44e2d61fa64f9a4f80
  SHA512: 32fbd874d190031d198a827338f8a15abc4ce9ca05f3cc4ff83d3295823719e6e922009f1fddb7241ea9ab58ea6f312ee9cd913df496deb2390622784e87d8d7
- Filesize: 648KB
  MD5: a9d5fcb4edadcf53399f1c5f9ae5d9ae
  SHA1: 210377216a6869a40655c75f47a392b4600f6f44
  SHA256: a917a5dcf7e329dfb760ece674de96a01ab5e2f51751de95d032c4bb5e2a1f0e
  SHA512: 7a47a64e1dacc0b3c621b13d9d0cc60bf98d58d2a93add9beb87ce476cce296029f028feea1970bfacbbbaae6b143e24f8245ac32bfdf6cee65089b568bf6ec4
- Filesize: 648KB
  MD5: cc3e1de71fc3e46f0774c3f8f8ea9b1b
  SHA1: 70ffcb8672d696fc2bb83f2e6e112597fc8b5176
  SHA256: 930fe88d51a087136652557a8d61fb90e69be49b66d106c1454bf2b5250eddc9
  SHA512: 5d424cca4674eb52f76b64d85528ce6e1473d641ed715e8fdd03718cca8496a7b04fe35626cd9aaaac85bf1f19acedb325df4edd244ea19ef550fff0135f3b8a
- Filesize: 648KB
  MD5: 3c09f59fabc14d9bf2c04214f37551d4
  SHA1: 7c6ab40bd202c57a48fb6f9c6083539ae51cc477
  SHA256: cff511baeb67be6ddd3295f6a2509ccb65a1d26c720ddc9927fa1285ec4d91eb
  SHA512: aa3eaa31bc152571fd1668fc20ad6cf3d4969346ad282ae46db8f1590cef6cc84ef6109a1627292fec7f5899a1cb9792f71121bc4bac3a6f297b211f9c6c904b
- Filesize: 648KB
  MD5: ab32d1ee5424e7b8fb5577c12d12479b
  SHA1: 28729ec84c94abe81ff767620ece694ef351baab
  SHA256: 2c4ddb2f126e0a472dc368fe4d3f6e47fa3a3b242e72541a301493a91ba85e8c
  SHA512: ca57a2febefc3a36bf94b6f443b3e472aa1b61e74fc9ab14b2f10dceaa793d0cace2687a3d5defe0f95adf13e39ad63fde4397a794a5668126ed036409452284
- Filesize: 648KB
  MD5: d4a65f12b0ce2f747db593571ce91e73
  SHA1: 5b826ce617aa5434e22038a42462d56872402f6d
  SHA256: e51cf3e32d1a1dd81f0414e9890253b616c4537b1f5162a27b7d1cb5148448f8
  SHA512: e8406ccafaff921731c4e5a2dc7202fd5e0e5e2b4b2429c21580cd908d9c580b8dde38c7792815b51e574a735fb391c4087f023abd902544ef1d36b4ed2b036c
- Filesize: 1.1MB
  MD5: 12c4ba6a0de449f15e431a08106e9cac
  SHA1: e652220fa60a6b661b3ecce477c5496dc497942c
  SHA256: 6c25a4f25c152cf981427c584fa367259afc5ca43e178e2b504575c9c98765c3
  SHA512: dc6941776c82e529186791b991faea486a25d09711cebe4bb411e8a4d697c4d6f19c2fbefdb18696b8cfc2e0aaa7efc14211cbdf14911e42259ad8030eb5ca70
- Filesize: 1.1MB
  MD5: bb05e538eb0fd043124c1dbd7a54f6a0
  SHA1: c44c550a754d87880e3413cfa0cb3bcbe7523edb
  SHA256: 0255d50c8fc8f036794a3cebdf2937a94821c6cf07caee1be90cf11fbf4f4c47
  SHA512: ff6a9b0862307ebe85d72a62eefc09054290995c373f3c5b248bb6f04a6246d68160f6227873bc11649b894cd011f263c0d258796dffa09afb31412d78a8be69
- Filesize: 1.1MB
  MD5: 38e5a642ca28eab4c6bddeb2908190b8
  SHA1: 840b5d2650224b1d02ce6b0cf57b76cebbf52015
  SHA256: 664fa25af0aaf12f4d670854310da7b0f90aa8f014612c2a83a7e709fb1493f6
  SHA512: 3ccb86a3b8b8ffc6b3310d1f731d6dc6b2fa77025496959bd263de075f8f7972cc04232212043761099aec9f0ef19a6ed3bdab1aa19ad7131628bed10a02c683
- Filesize: 1.1MB
  MD5: 1155913391a91542fb8883b76cfefd33
  SHA1: 095640ba8b772ffd5c28bf7ef67dc9f54b450b73
  SHA256: 4bbdfe290b7f6b33a32b761937a865ddfecb06524da1f0374eb464cb7641e21b
  SHA512: 7bc73dbb9910112e6012a521e49f9c679d1ff23049c7a32312eb6c8d270583ed9a7734640836f204cde46654571388fad1824569e266975889d019da072c60e4
- Filesize: 1.1MB
  MD5: 93d8c2620c847c9c0326650a3404b6da
  SHA1: 767f0443ff10e1461fc36196dbcb0f3bbc93f4ce
  SHA256: a0367df00c87309dfa33a51c13b4c4fb2121e5f525825ef974f1b933b9d7c83c
  SHA512: c6420515bae4be6421b35f71f39ceb0cc464b9a6d4229b2417a9b33fc1ddaeb412672969ee8280abbffea3fb7bb943e2258be594030cdeaa4c34f0a52d0c883f
- Filesize: 1.1MB
  MD5: 3b6c60db60eb2334bfc9d4e48456116d
  SHA1: 6daa92bc661da4c59f9f71bdf5b432b2e9ed3628
  SHA256: 3b7bc00e250fdb865fc934673390f7fb66077db5aebc8c77ad355169202bf13f
  SHA512: 52afaba93c073f8822f771f2d9c60fb558065ed243eaa3c9f457ee02f418594315a5f615d0d105ebc0ac4bf963241c17afb03c6fc48afdd714c8944801984065
- Filesize: 1.4MB
  MD5: f17a65506bce13a32b9a14de2b0abc47
  SHA1: 89ad86dbaaf927d518d179465ee2b71b97bf7689
  SHA256: 67bda5d3ae1c4da7e178e1487ca0838ee216af65aa868915a4d97f7d1e7810cd
  SHA512: 3a716151b66742a78bb8899be8b89d5def1e991b9e1120f440f7b5da400d30929a37c1658e7a906a4001c431246cc0c2b1c084374b6cd431d9358b0908d43cfd
- Filesize: 1.4MB
  MD5: 9bfc8ff6bd4c6bdd109cbb1825dba030
  SHA1: 1c9743176b9777c5f1205da9afbcf9b23f276b78
  SHA256: 8bdcb6e887b63a9a5786ece3b93571eae76265835b3ec93f3eaa0646e5dcbea6
  SHA512: 1b73999ec821e9aa27c12a53d74e188818741a9c10b8ec168e2779930ac804d82536dc4cb5f8e87e4288a3fae7f7c86f046a94fc48fbc33fce31902d8a4a31ca
- Filesize: 1KB
  MD5: 44172c590a8ca9599229aa0c38baba53
  SHA1: fb599d9422bd8c01b56474c7dc5b1fb6c01d88a4
  SHA256: 2f7d3c137ca7f6adddc12c601484f05b001889ff1a56812efcb2f0daf742b83f
  SHA512: 450279af0a36da24dc0ab231ce52fdae7c0fd434ed621864fde9db3dbb83c1aaa47ff8cf5cedd7980b1989be01ca4c7429e82543826be1d51b8404be0a52d409
- Filesize: 404B
  MD5: 874b930b4c2fddc8043f59113c044a14
  SHA1: 75b14a96fe1194f27913a096e484283b172b1749
  SHA256: f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8
  SHA512: f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621
- Filesize: 2KB
  MD5: 9c623a8f65b6f843ab4948029e8926cf
  SHA1: 47de92f25a6492f22a73a22149f9f44d6203ecf7
  SHA256: 235d19aa7b98b48ef40fe05f3964a5950f630959572baa5288a8b1c729a01186
  SHA512: d28863be1accd2948ff97c00b18ba9d5d9f60e7d60712517a6599cef813142f623c891c6266c0c9d7b6551cd2add01c5a88290b360200fbac3991ee6c7108d8c
- Filesize: 8B
  MD5: 02fcd3a4e0f4bef1016affcce43facfe
  SHA1: 7aabd850de5437a3c468eee9c04bed4beb775279
  SHA256: af85e9ba6adee8fc04b413d9e865e49268e9b5f6f61557ab17d0c8c1294e1666
  SHA512: 0d69295f1f9585bac640cb6b2277e6d820778e71f35df80296298799365fff73ede43c7e1b6bb07da7c22d73541b5de3f5ea087b83a64fd08792d4368cbd7bb1
- Filesize: 392B
  MD5: 30d6eb22d6aeec10347239b17b023bf4
  SHA1: e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1
  SHA256: 659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08
  SHA512: 500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76
- Filesize: 12.8MB
  MD5: 7618d093596031859f067973a3e55257
  SHA1: 15d4fdd99f8fa43452b8d6bfa9fbd6c4b14a18af
  SHA256: 06f179a92d683ab3f18b53443ad489c636cc9cb7797f120e4d074b8d82addb4a
  SHA512: b9e03981954f1f6928b05452049b1bc5e29692444c784226bf159fc46600c67e055912a422e1efc6b3982e214c37b2dc9761c5c5a8737d0c877ecde09ef3cbcc
- Filesize: 473KB
  MD5: ed17abee766074018926ff48e0ce7a3d
  SHA1: d6d3172176302db9ee6225ea06dc1667a814327b
  SHA256: a8325bd88171952dfb45b16d8bf541e4fbe5d0e546c4e6f6d8aca32b96756dc8
  SHA512: 7dba4925e7aa66b172c76e294938385db09edaf652b751ca3464b03b6203387c07c13c93eafaa9707ec8ad03cc586b1d67abbc731ff6792d422f49a18c30ca86
- Filesize: 215KB
  MD5: 0ba0713397a453abccfdd0542a8a8c1d
  SHA1: 38825f7a4f8997998620d695beb80f7aa9748e6a
  SHA256: 6e0aaf4d72409c28d8ae7bd0b669615cd5bc7d1b3631e024dc04db57f02b16b3
  SHA512: f550cdd6f9dfb4763c8677d3ba807137c7ff7865484817321d5c28d8a1b8177fb3d2016662c27e04cb27df935bb963c51e374888dd8046a8f19bdebd9421a5a8
- Filesize: 1.7MB
  MD5: da8a43bc19d1401a975510704b4e78a8
  SHA1: 1e192b81e43d6aa107cc6a6b12eadfa61fe34fc3
  SHA256: d3aaf6590b429f88a82cd0a4d6a30ee45bf2f8f2f0e7da041cca1c9a7a4c7f81
  SHA512: 6f1cdb8d39fbf8cd8ee98e4e70fc7c426f8ceda5ba54193a56271ac61cd37407de787a97b6f59ad03dcf8212da90836271159d3db3a429a6ef3e898d53900618
- Filesize: 159KB
  MD5: 3a79ecff355c03d2e803a7206aeddec3
  SHA1: b4b7007b10bd32932984398b3db9cfa3ec14c2c7
  SHA256: 36b5c3b7c5bbb49ba6d98f96386c6daac2d0ad95040873b9499e54637fd45586
  SHA512: 5c43515e8a30171a95520702c52324c56f56799430afc6784af41b03c96ab2296244cce57cae1e5de74e5630c15a57da4cb381b3b597c51db94430f8b64ea7f1
- Filesize: 713KB
  MD5: d783c18900bf6065387f3b52b241bea5
  SHA1: b81ec61dc4441d04ee7e0b2c7a215c5f8e117611
  SHA256: 800e9b6e7b54ec09d0399363b013b5c81d4bfc1419c5c89e05afdefb7664faee
  SHA512: 1d863d05b209c4d77e9e3633c133f7c55a526488c756cf3f6b710238ba58f987ad82d25af8f0dae530bfc8002c6e3c1f5c0ad9f65801836001aab4a3ff88bd4e
- Filesize: 879KB
  MD5: edc02187d3d635fde5ae61405ed800ec
  SHA1: c4376528a1b791f09af2834b0ce133700ab8b370
  SHA256: 287272690d20a53d3df95513ab846038b9e3d7f25522dc9f6de130bcb5d240ec
  SHA512: 3b32c60fc9113f76dc3dfb6ba2f59861538332b514d43e3006a6b3940bd0054d19e195b63bf337a73309f31fa67fc40065484c7ad432199034628837a43d677b
- Filesize: 410KB
  MD5: 20010f9d322a1260ee0953852264a7cd
  SHA1: 6ac58fdf5e414bd6396443a420da99b87ee0e0a2
  SHA256: d6973be60891c55e0e97d218347dcb2009e2fe687b7df5cfd43536d2af6ea165
  SHA512: 2f62cb4269d929f8bc97c103156de3588b38e9f4c2776d7441db270b8427c2b47bc8e57d786c06da37455b105b077b789e161b21a145a33e420522864d1f913a
- Filesize: 85.4MB
  MD5: 833128952da9a0668d3ca26c248c4267
  SHA1: 75349c4f319c16ffb7e90d427a8339d144a33104
  SHA256: 63b89ca863d22a0f88ead1e18576a7504740b2771c1c32d15e2c04141795d79a
  SHA512: aa2784363d8115dedb51d733fb296bbf6b858bfaca316c4a5eee7d6dff2b75cc16cda5654d428820668695d45f7fa066d390372214d5daf9dbfae33b177763c0
- Filesize: 7.8MB
  MD5: 727fa6ae13090f4f01c5287d50eaeedf
  SHA1: 2e40363c869f3427c5dec57efd98677894a3e036
  SHA256: 64b45d80935276005e9bb0e7bce75893a76160cc4e3c40be54396c0d549636ab
  SHA512: b6bfe92295f09314dbb12cf967330709baa2072b4da5f8a037fafdfd9cb56dd665778dbfe1ebf9f9cbb50fea7e90c3b1c434a6b8617c05bc9a43a18f9dd4cd97
- \??\Volume{5d8a0f93-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3c103172-76e3-4130-b40d-244f574834da}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 211c0a3703dbcdf034d899defc402b63
  SHA1: 1e6163970d216fa437c68ab75a46564ffd51ced2
  SHA256: cc5cb8b62a66cce749e1ea47af5b0df0f4934e9b3167e2c6589d56d7f3d304a0
  SHA512: 83b25be87f31e813d272a57d6ce62de59f3a4738a42fd9b49402e768adc30c2cb0dbfffc91413db11004f3bf4ad82b0735e64736177a1c3bf6501e04d87a85c0