80b1cbfc43e41cd245787212d6b4da84631594152ac83dcf1796bf5ae0386178

Analysis

max time kernel
27s
max time network
31s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
08/06/2024, 01:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

InstallDefenderUIPro.exe
Size

20.4MB
MD5

96d22442433cc2ea86d5c0e811199161
SHA1

0bd186aee9a0c43ba555319e6a2b7f1c01e83f39
SHA256

80b1cbfc43e41cd245787212d6b4da84631594152ac83dcf1796bf5ae0386178
SHA512

ed5704906b662958b164688ac8d28dde0c1028814b21da7b1f8fd59d1e2ba948156b2b61fb327389d2d02a503d711c88d601e0c90df500721df087e1dea1f490
SSDEEP

393216:gMhVOKf1xjdG/abh9ObZ/B50Ex80G2RKo01kHjihYaZRuMhdguO4N2PqswK50IXD:gMhV9fjjdG/4mZcPq4o0ymaaPuMMPqng

Score

8^/10

discovery evasion execution persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET7A21.tmp	rundll32.exe
File created	C:\Windows\system32\DRIVERS\SET7A21.tmp	rundll32.exe
File opened for modification	C:\Windows\system32\DRIVERS\vsscanner.sys	rundll32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-0S6SE.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-L7D7Q.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-K2K99.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\is-JB6B5.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\Localizations\de-DE\is-R4K6A.tmp	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\DriverTransport.dll	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\WDAC Wizard\Azure.Storage.Common.dll	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\Policies\Enforced\is-RTF8N.tmp	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\el-GR\DefenderUI.resources.dll	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-DFESG.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-RL5VI.tmp	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\ro-RO\DefenderUI.resources.dll	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-HS095.tmp	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\WDAC Wizard\Newtonsoft.Json.dll	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\Policies\Audit\is-D6SVH.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-ULT39.tmp	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\lv-LV\DefenderUI.resources.dll	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-T8J5N.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-QTTIS.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-TSLBS.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-8HVAM.tmp	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\DefenderUIService.exe	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\WDAC Wizard\System.Runtime.CompilerServices.Unsafe.dll	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\WDAC Wizard\SharpCompress.dll	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-304PH.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\is-7J103.tmp	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\ja-JP\DefenderUI.resources.dll	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-TTBJJ.tmp	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\da-DK\DefenderUI.resources.dll	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-K80G9.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\unins000.msg	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\uk-UA\DefenderUI.resources.dll	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-EFAV2.tmp	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\Newtonsoft.Json.dll	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-MLVVD.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\Localizations\fi-FI\is-4823F.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\Driver\is-T122G.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\is-CI1HU.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-SV1K2.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-L7KVP.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-K7CVV.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\Localizations\ru-RU\is-HF092.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\Driver\is-RIE3J.tmp	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\ko-KR\DefenderUI.resources.dll	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-LMQDO.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-M2G2K.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\is-OTEUS.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-ODA6T.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-FIJIQ.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-4I0PN.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-B7JLC.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-M1JTI.tmp	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\DefenderUI.exe	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\is-K8VLD.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-4ALK0.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-JVNMR.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-US1NJ.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\Assets\is-BTQFT.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-MA3N6.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-51DH7.tmp	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\WDAC Wizard\Splat.dll	InstallDefenderUIPro.tmp
File opened for modification	C:\Program Files\DefenderUI\Localizations\pt-BR\DefenderUI.resources.dll	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\WDAC Wizard\is-HL3TS.tmp	InstallDefenderUIPro.tmp
File created	C:\Program Files\DefenderUI\Localizations\pl-PL\is-SEQV5.tmp	InstallDefenderUIPro.tmp

Executes dropped EXE 6 IoCs

pid	Process
2544	InstallDefenderUIPro.tmp
3524	_setup64.tmp
2272	DefenderUIService.exe
2480	DefenderUIService.exe
5040	DefenderUI.exe
1008	DefenderUI.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5020	sc.exe
2604	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3252	taskkill.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Scan	InstallDefenderUIPro.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Scan\command	InstallDefenderUIPro.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Add Exclusion\Icon = "\"C:\\Program Files\\DefenderUI\\DefenderUI.exe\",0"	InstallDefenderUIPro.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Add Exclusion\command\ = "\"C:\\Program Files\\DefenderUI\\DefenderUI.exe\" \"%1 /addfileexclusion\""	InstallDefenderUIPro.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\DefenderUI Add Exclusion\Icon = "\"C:\\Program Files\\DefenderUI\\DefenderUI.exe\",0"	InstallDefenderUIPro.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\DefenderUI Add Exclusion\command	InstallDefenderUIPro.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Scan\ = "DefenderUI Scan"	InstallDefenderUIPro.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Scan\MultiSelectModel = "Single"	InstallDefenderUIPro.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Add Exclusion	InstallDefenderUIPro.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Add Exclusion\ = "DefenderUI Add Exclusion"	InstallDefenderUIPro.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Add Exclusion\MultiSelectModel = "Single"	InstallDefenderUIPro.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Add Exclusion\command	InstallDefenderUIPro.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\DefenderUI Add Exclusion\ = "DefenderUI Add Exclusion"	InstallDefenderUIPro.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Scan\command\ = "\"C:\\Program Files\\DefenderUI\\DefenderUI.exe\" \"%1 /scan\""	InstallDefenderUIPro.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\DefenderUI Add Exclusion	InstallDefenderUIPro.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\DefenderUI Scan\Icon = "\"C:\\Program Files\\DefenderUI\\DefenderUI.exe\",0"	InstallDefenderUIPro.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\DefenderUI Add Exclusion\MultiSelectModel = "Single"	InstallDefenderUIPro.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\DefenderUI Add Exclusion\command\ = "\"C:\\Program Files\\DefenderUI\\DefenderUI.exe\" \"%1 /addfolderexclusion\""	InstallDefenderUIPro.tmp

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DefenderUIService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	DefenderUIService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	DefenderUIService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	DefenderUIService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	DefenderUIService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	DefenderUIService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DefenderUIService.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2544	InstallDefenderUIPro.tmp
2544	InstallDefenderUIPro.tmp
2480	DefenderUIService.exe
2480	DefenderUIService.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3252	taskkill.exe
Token: SeDebugPrivilege	2480	DefenderUIService.exe
Token: SeDebugPrivilege	5040	DefenderUI.exe
Token: SeDebugPrivilege	1008	DefenderUI.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2544	InstallDefenderUIPro.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 2544	3736	InstallDefenderUIPro.exe	76
PID 3736 wrote to memory of 2544	3736	InstallDefenderUIPro.exe	76
PID 3736 wrote to memory of 2544	3736	InstallDefenderUIPro.exe	76
PID 2544 wrote to memory of 3252	2544	InstallDefenderUIPro.tmp	77
PID 2544 wrote to memory of 3252	2544	InstallDefenderUIPro.tmp	77
PID 2544 wrote to memory of 3252	2544	InstallDefenderUIPro.tmp	77
PID 2544 wrote to memory of 5020	2544	InstallDefenderUIPro.tmp	79
PID 2544 wrote to memory of 5020	2544	InstallDefenderUIPro.tmp	79
PID 2544 wrote to memory of 5020	2544	InstallDefenderUIPro.tmp	79
PID 2544 wrote to memory of 3524	2544	InstallDefenderUIPro.tmp	82
PID 2544 wrote to memory of 3524	2544	InstallDefenderUIPro.tmp	82
PID 2544 wrote to memory of 4124	2544	InstallDefenderUIPro.tmp	84
PID 2544 wrote to memory of 4124	2544	InstallDefenderUIPro.tmp	84
PID 4124 wrote to memory of 4912	4124	rundll32.exe	86
PID 4124 wrote to memory of 4912	4124	rundll32.exe	86
PID 4912 wrote to memory of 1864	4912	runonce.exe	87
PID 4912 wrote to memory of 1864	4912	runonce.exe	87
PID 2544 wrote to memory of 2272	2544	InstallDefenderUIPro.tmp	88
PID 2544 wrote to memory of 2272	2544	InstallDefenderUIPro.tmp	88
PID 2480 wrote to memory of 5040	2480	DefenderUIService.exe	90
PID 2480 wrote to memory of 5040	2480	DefenderUIService.exe	90
PID 2544 wrote to memory of 2604	2544	InstallDefenderUIPro.tmp	91
PID 2544 wrote to memory of 2604	2544	InstallDefenderUIPro.tmp	91

C:\Users\Admin\AppData\Local\Temp\InstallDefenderUIPro.exe
"C:\Users\Admin\AppData\Local\Temp\InstallDefenderUIPro.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\is-HPOQS.tmp\InstallDefenderUIPro.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HPOQS.tmp\InstallDefenderUIPro.tmp" /SL5="$901AA,20505195,1072128,C:\Users\Admin\AppData\Local\Temp\InstallDefenderUIPro.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im DefenderUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop DefenderUIService
    3⤵
    - Launches sc.exe
    PID:5020
- - C:\Users\Admin\AppData\Local\Temp\is-UA7AO.tmp\_isetup\_setup64.tmp
    helper 105 0x55C
    3⤵
    - Executes dropped EXE
    PID:3524
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\DefenderUI\Driver\vsscanner.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:1864
- - C:\Program Files\DefenderUI\DefenderUIService.exe
    "C:\Program Files\DefenderUI\DefenderUIService.exe" --install
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:2272
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" sdset DefenderUIService D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
    3⤵
    - Launches sc.exe
    PID:2604

C:\Program Files\DefenderUI\DefenderUIService.exe
"C:\Program Files\DefenderUI\DefenderUIService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Program Files\DefenderUI\DefenderUI.exe
  "C:\Program Files\DefenderUI\DefenderUI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5040

C:\Program Files\DefenderUI\DefenderUI.exe
"C:\Program Files\DefenderUI\DefenderUI.exe" /sw
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\DEFEND~1\Driver\vsscanner.sys

Filesize
29KB

MD5
46c6e91f541a7b8ebdc053fdf26f99b1

SHA1
76754e7394194dbd8770d270cf6ce2b27da9ff58

SHA256
6c2b166e289138e6ccd0e61ca6fac2c8f3362af1ab71ef56b7b58c23e3c81ec2

SHA512
3ff9630bab1ce9bb43e8424ef0ad008c14fa985b9d121ef51319f568b8a95dab6fde96b1099a7fb2fae343cef7dd2723f6ac9c0b28c42d9dd398dd855dbb7b12

Download Submit
C:\Program Files\DefenderUI\DefenderUI.exe

Filesize
1.3MB

MD5
cdbf9bbd1378cc07fdd92b13023c9bcc

SHA1
878e875131bfc46e07574d54926862a8646b4104

SHA256
ef166bb2658800fb4744fe98e53898e6b4bd8c59d6009dd4f4ce8ac918551a80

SHA512
a87159ccc223f5b92a439f5daf68098bb08e5c573c7075e4f814776f6b1f2304fc3f4d74cfd3a064c331bd6776588920d57cc765af005787bedcb32041eae2e1

Download Submit
C:\Program Files\DefenderUI\DefenderUI.exe.config

Filesize
1KB

MD5
c6b2de0f8113184c04769bb6f134d9f1

SHA1
0ebf02392a1d28593a44de1f21935550bc19defc

SHA256
175ed8238069585caf13fc51a77dca2390bd943251d8d1399b2e2c01ffe9f363

SHA512
6708fc7066d90896ed362a4e7fe4c7cf4c85c583eacac6ac8cf3c9aaf9e944390d3fcf9f384bc1f8127fbaef759e99d8e8aedee42bcbdbbbeb015304a48ab6b2

Download Submit
C:\Program Files\DefenderUI\DefenderUIService.exe

Filesize
361KB

MD5
ffba3b6c96181a7b54a7d7af139ba615

SHA1
2473b8e122e14ac6fe0636470a4a691ad9728359

SHA256
9ad10a2a5548806acc39772556c94681ea6ff04746abbb1214b3e7d124f4847e

SHA512
a114e76f9e8cb77aaf3a31a135ca36cfdd52c9aa094f5eba23f45366aa191e8b10e0ca98ab5870d38ed2712c2cf4091f5a460b7ef808eab6367ee576bf777636

Download Submit
C:\Program Files\DefenderUI\DefenderUIService.exe.config

Filesize
3KB

MD5
5cb67e84b23249734d137883ab92b530

SHA1
cfc77dff844c6d99ac1fe359ab3503069097042c

SHA256
d7904044c960312f80c3ee5c9e60bfc278a6eff9f6bf2827b0f94b4e4400bdec

SHA512
6554bb815fb06cd35cb2cc54e7d71ff5b0843865bf92f37bf0df22b6e08c8e951c8bb81c93d3f2cbe6774e70fba4e7ff762b1b6ab64c95b7730319e2b85364ac

Download Submit
C:\Program Files\DefenderUI\Driver\vsscanner.inf

Filesize
2KB

MD5
d82e80adad75bae02c6da59858a6b4b9

SHA1
20fe218cc855f40a4c034a0a2c43465a01f045df

SHA256
a81a5ac2602ed63933db5399ecec11e727920a5d041b6ecb67356c9562d8e6ec

SHA512
fc3ff08f6086235dce5100687f3d89396bb51f2ce2e3ba6c3d0b410a39dab9a713e94e5708ea4793a79ac8e8f57ffc73e296ada8cc2e43ef9bccff96ce07df62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DefenderUI.exe.log

Filesize
2KB

MD5
5f10bc8d97e2410e8c71383b88089be2

SHA1
9fab31aa82dff8693991cca0f54888341324e6e9

SHA256
c2b26ea61e02203ddca7cef244bb8209226e25412ef4e1d0c61ee911845cdca6

SHA512
7f9edd3b62bd5d4ffcd5918f4a19d20d1368105f62c63195f0589db4584465dacda0b582a8e155d42cb7a9487edc29d21bf3ba756eac0000e35b58085b52f4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HPOQS.tmp\InstallDefenderUIPro.tmp

Filesize
3.3MB

MD5
0119f46005416658b46f39ddc8163fc5

SHA1
63dae48d758f4e299397775ded455449ae73edc7

SHA256
a5e3d60b69d9af9cc48242a9a7dd04f9ec3e9652ec8e279fd38df7d2d0afa83f

SHA512
13a1d9488cc633789ae76838d71a1887aa8c474c01144dc962cdceb5533420c2552238857a8ab133ca4b9d58a361fa18e25f0deca8081998d1052f28d96dfa2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UA7AO.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
memory/2272-361-0x0000023C313B0000-0x0000023C3140E000-memory.dmp

Filesize
376KB

Download
memory/2272-369-0x0000023C33000000-0x0000023C33012000-memory.dmp

Filesize
72KB

Download
memory/2272-370-0x0000023C33200000-0x0000023C3323C000-memory.dmp

Filesize
240KB

Download
memory/2480-396-0x000001A6570B0000-0x000001A657100000-memory.dmp

Filesize
320KB

Download
memory/2480-397-0x000001A657210000-0x000001A65731A000-memory.dmp

Filesize
1.0MB

Download
memory/2480-395-0x000001A63E6F0000-0x000001A63E718000-memory.dmp

Filesize
160KB

Download
memory/2544-409-0x0000000000400000-0x000000000074F000-memory.dmp

Filesize
3.3MB

Download
memory/2544-7-0x0000000000400000-0x000000000074F000-memory.dmp

Filesize
3.3MB

Download
memory/3736-394-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/3736-0-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/3736-410-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/3736-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5040-402-0x0000028B553A0000-0x0000028B554EA000-memory.dmp

Filesize
1.3MB

Download
memory/5040-411-0x0000028B720C0000-0x0000028B721C4000-memory.dmp

Filesize
1.0MB

Download