hxxp://www[.]tightvnc[.]com

Resubmissions

29-06-2024 09:05

240629-k2k6zaxdrl 7

29-06-2024 08:34

240629-kgnflaxbrr 7

29-06-2024 08:28

240629-kc48jstgka 1

Analysis

max time kernel
203s
max time network
203s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.tightvnc.com

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1020	tvnserver.exe
3504	tvnserver.exe
1484	tvnserver.exe
5084	tvnserver.exe
880	tvnserver.exe
4876	tvnserver.exe

Loads dropped DLL 8 IoCs

pid	Process
3108	MsiExec.exe
4816	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
4816	MsiExec.exe
3384	MsiExec.exe
2656	MsiExec.exe
2656	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tvncontrol = "\"C:\\Program Files\\TightVNC\\tvnserver.exe\" -controlservice -slave"	tvnserver.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\TightVNC\TightVNC Web Site.url	msiexec.exe
File created	C:\Program Files\TightVNC\tvnviewer.exe	msiexec.exe
File created	C:\Program Files\TightVNC\LICENSE.txt	msiexec.exe
File created	C:\Program Files\TightVNC\screenhooks32.dll	msiexec.exe
File created	C:\Program Files\TightVNC\screenhooks64.dll	msiexec.exe
File created	C:\Program Files\TightVNC\hookldr.exe	msiexec.exe
File created	C:\Program Files\TightVNC\tvnserver.exe	msiexec.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DFBD3A4AB4F686EE80.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI430F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI433F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI45E3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4799.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5841e6.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI443C.tmp	msiexec.exe
File created	C:\Windows\Installer\{5AE9C1FB-F4F8-44A7-8550-F0592F56A1F2}\tvnserver.ico	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2720EC183EB9E4C3.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43BE.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5AE9C1FB-F4F8-44A7-8550-F0592F56A1F2}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI437E.tmp	msiexec.exe
File created	C:\Windows\Installer\{5AE9C1FB-F4F8-44A7-8550-F0592F56A1F2}\viewer.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48A4.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF14DE9082C2265056.TMP	msiexec.exe
File created	C:\Windows\Installer\e5841e6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{5AE9C1FB-F4F8-44A7-8550-F0592F56A1F2}\viewer.ico	msiexec.exe
File created	C:\Windows\Installer\e5841e8.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF602FCA7100A27C12.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{5AE9C1FB-F4F8-44A7-8550-F0592F56A1F2}\tvnserver.ico	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002d32c3174d432a560000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002d32c3170000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002d32c317000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2d32c317000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002d32c31700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vnc\ = "VncViewer.Config"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\ = "VNCviewer Config File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BF1C9EA58F4F7A4458050F95F2651A2F\Server = "TightVNC"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\PackageCode = "CD83E1E9ADCA794418EB6A6F993EE74E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.vnc	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\shell\open\command\ = "\"C:\\Program Files\\TightVNC\\tvnviewer.exe\" -optionsfile=\"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BF1C9EA58F4F7A4458050F95F2651A2F\TightVNC	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\ProductIcon = "C:\\Windows\\Installer\\{5AE9C1FB-F4F8-44A7-8550-F0592F56A1F2}\\tvnserver.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BF1C9EA58F4F7A4458050F95F2651A2F\Viewer = "TightVNC"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0B272F1B74B50F64A92F07E546BEA196\BF1C9EA58F4F7A4458050F95F2651A2F	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VncViewer.Config	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\DefaultIcon\ = "C:\\Program Files\\TightVNC\\tvnviewer.exe,0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\ProductName = "TightVNC"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VncViewer.Config\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0B272F1B74B50F64A92F07E546BEA196	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\SourceList\PackageName = "tightvnc-2.8.84-gpl-setup-64bit.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\Version = "34078804"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BF1C9EA58F4F7A4458050F95F2651A2F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VncViewer.Config\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BF1C9EA58F4F7A4458050F95F2651A2F\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 647013.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\tightvnc-2.8.84-gpl-setup-64bit.msi:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
980	identity_helper.exe
980	identity_helper.exe
2348	msedge.exe
2348	msedge.exe
1224	msedge.exe
1224	msedge.exe
2164	msiexec.exe
2164	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2972	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2972	msiexec.exe
Token: SeSecurityPrivilege	2164	msiexec.exe
Token: SeCreateTokenPrivilege	2972	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2972	msiexec.exe
Token: SeLockMemoryPrivilege	2972	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2972	msiexec.exe
Token: SeMachineAccountPrivilege	2972	msiexec.exe
Token: SeTcbPrivilege	2972	msiexec.exe
Token: SeSecurityPrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeLoadDriverPrivilege	2972	msiexec.exe
Token: SeSystemProfilePrivilege	2972	msiexec.exe
Token: SeSystemtimePrivilege	2972	msiexec.exe
Token: SeProfSingleProcessPrivilege	2972	msiexec.exe
Token: SeIncBasePriorityPrivilege	2972	msiexec.exe
Token: SeCreatePagefilePrivilege	2972	msiexec.exe
Token: SeCreatePermanentPrivilege	2972	msiexec.exe
Token: SeBackupPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeShutdownPrivilege	2972	msiexec.exe
Token: SeDebugPrivilege	2972	msiexec.exe
Token: SeAuditPrivilege	2972	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2972	msiexec.exe
Token: SeChangeNotifyPrivilege	2972	msiexec.exe
Token: SeRemoteShutdownPrivilege	2972	msiexec.exe
Token: SeUndockPrivilege	2972	msiexec.exe
Token: SeSyncAgentPrivilege	2972	msiexec.exe
Token: SeEnableDelegationPrivilege	2972	msiexec.exe
Token: SeManageVolumePrivilege	2972	msiexec.exe
Token: SeImpersonatePrivilege	2972	msiexec.exe
Token: SeCreateGlobalPrivilege	2972	msiexec.exe
Token: SeCreateTokenPrivilege	2972	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2972	msiexec.exe
Token: SeLockMemoryPrivilege	2972	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2972	msiexec.exe
Token: SeMachineAccountPrivilege	2972	msiexec.exe
Token: SeTcbPrivilege	2972	msiexec.exe
Token: SeSecurityPrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeLoadDriverPrivilege	2972	msiexec.exe
Token: SeSystemProfilePrivilege	2972	msiexec.exe
Token: SeSystemtimePrivilege	2972	msiexec.exe
Token: SeProfSingleProcessPrivilege	2972	msiexec.exe
Token: SeIncBasePriorityPrivilege	2972	msiexec.exe
Token: SeCreatePagefilePrivilege	2972	msiexec.exe
Token: SeCreatePermanentPrivilege	2972	msiexec.exe
Token: SeBackupPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeShutdownPrivilege	2972	msiexec.exe
Token: SeDebugPrivilege	2972	msiexec.exe
Token: SeAuditPrivilege	2972	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2972	msiexec.exe
Token: SeChangeNotifyPrivilege	2972	msiexec.exe
Token: SeRemoteShutdownPrivilege	2972	msiexec.exe
Token: SeUndockPrivilege	2972	msiexec.exe
Token: SeSyncAgentPrivilege	2972	msiexec.exe
Token: SeEnableDelegationPrivilege	2972	msiexec.exe
Token: SeManageVolumePrivilege	2972	msiexec.exe
Token: SeImpersonatePrivilege	2972	msiexec.exe
Token: SeCreateGlobalPrivilege	2972	msiexec.exe
Token: SeCreateTokenPrivilege	2972	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2972	msiexec.exe
Token: SeLockMemoryPrivilege	2972	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
2972	msiexec.exe
4072	msedge.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe
5084	tvnserver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4116	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 5076	4072	msedge.exe	80
PID 4072 wrote to memory of 5076	4072	msedge.exe	80
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 3224	4072	msedge.exe	81
PID 4072 wrote to memory of 5084	4072	msedge.exe	82
PID 4072 wrote to memory of 5084	4072	msedge.exe	82
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83
PID 4072 wrote to memory of 2320	4072	msedge.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.tightvnc.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeefc93cb8,0x7ffeefc93cc8,0x7ffeefc93cd8
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,9037615555027665640,13301126111669492839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\tightvnc-2.8.84-gpl-setup-64bit.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2476

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 95C70725E6125433260C7A71292E60DA C
  2⤵
  - Loads dropped DLL
  PID:3108
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4788
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 7D716DBA8A7AF1B0D8693465A390D55F
  2⤵
  - Loads dropped DLL
  PID:4816
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 237A6577E38CB44A3885E476518ADCBD
  2⤵
  - Loads dropped DLL
  PID:3852
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AC1D21897F94C4062DC4F1B4B784226A E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3384
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding BA472F7F5D5B56EDA6AF48EC82029B5B E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2656
- C:\Program Files\TightVNC\tvnserver.exe
  "C:\Program Files\TightVNC\tvnserver.exe" -reinstall -silent
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1020
- C:\Program Files\TightVNC\tvnserver.exe
  "C:\Program Files\TightVNC\tvnserver.exe" -start
  2⤵
  - Executes dropped EXE
  PID:3504
- - C:\Program Files\TightVNC\tvnserver.exe
    "C:\Program Files\TightVNC\tvnserver.exe" -controlservice -slave
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5084
- C:\Program Files\TightVNC\tvnserver.exe
  "C:\Program Files\TightVNC\tvnserver.exe" -checkservicepasswords
  2⤵
  - Executes dropped EXE
  PID:880
- - C:\Program Files\TightVNC\tvnserver.exe
    "C:\Program Files\TightVNC\tvnserver.exe" -controlservice -reload
    3⤵
    - Executes dropped EXE
    PID:4876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1264

C:\Program Files\TightVNC\tvnserver.exe
"C:\Program Files\TightVNC\tvnserver.exe" -service
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5841e7.rbs

Filesize
280KB

MD5
b4c8d40787c4920c6625a419e19d7415

SHA1
80eb24e830aba45def09b6c092cdb3fb02f067ce

SHA256
ac8d7198a24e1817045e0348adb91f8f361a8188f87edd78495bc3610793f425

SHA512
8b2c116bb55db2ee9b7615936a7216e325d91615e06a8e6d214cc7fdf00685071c5ba5f734e4307ab4fade89d94f6433d433253a92e6cb8463d877a87a0f5444

Download Submit
C:\Program Files\TightVNC\tvnserver.exe

Filesize
1.7MB

MD5
7bd1d764441242eee15919cc8d4e89aa

SHA1
86a960ea97dfdc89e8d4b1a957d9ec677b8a0ec9

SHA256
6c40060bb7ff914bb1db21058045a8fc80fc168a2c40cc93fa6d68604c04c3f9

SHA512
2aab44c11a3a3868a581f3196e632646d73cdba9c16dec8cabbcfe16bf74d9977c3b660376af06bba04de667ba1e1953a8078cd7fda30b1296a7bd3a2d7cc13a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164

Filesize
1KB

MD5
8cfa1830d5c2c5b4a8fe373ecaf05c28

SHA1
2f03c1880bd33aa7d51ca191ed00ee337e5ae2c0

SHA256
6ac69d58f1cfae57f621c6961c61ab1fd41118c2820ee8b64326729d866b91ff

SHA512
731c03f808fe5b645e438906727dc5888eea4b5973b7619c0d58337c49cd08856160d83c441e1bc62d6470495d14cd41dd2316e704939e1e4f6e6e6ba63fd92f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_8B01D2E0ECC582A5A5A1E58EC710103F

Filesize
1KB

MD5
87154e92985202bd68e59356e9cb2511

SHA1
40bd23044ee9c7a89e1e516c6cdaf5120a685e4f

SHA256
02e02457af8c266cd70b0711826ee4cfaaa31d914d6befff868834e62c58f002

SHA512
13bba541ffe633979d114ede0cb17163795104899257cf214f53a9125c0d7dd273d1d959c4a34894639c81f61b6a3cd5bdfa9117dcc41d6fb83d3f929d4efc85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

Filesize
1KB

MD5
7be11200b77ce5fe346dadd4d2d58838

SHA1
e0efe47c0abb340cf7b5e25b4adfe1a53eda36cc

SHA256
0d32227a48021d190b15ae350350c21196cc64da5d5fc541471c9c1caef30ff3

SHA512
6388db16cb725e0c9421a19051ef25642603fdf270b2e358387c95695a27374cd66d3ff633beaecdf798547c58060e9bc704b250080137976345ea8da6f56253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164

Filesize
532B

MD5
cd443355ebcd4f2c561122398637ba5c

SHA1
0b50b9d5b057ba41be16de4db601da6438a15e19

SHA256
6033504142826c84b0fb7cdf3e071d43d2ffacd47fda611c0ce37906e9a5e640

SHA512
a5ca373158c4237f6914e8019da632ca0fbeeacb6b4a5410a3524d5751b74b6b359d2fc5017d967c9ff77b1cd2d20275b85c11077545fee1f1721c7221deb26f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_8B01D2E0ECC582A5A5A1E58EC710103F

Filesize
540B

MD5
1b11ae7b65af1293757935abbfc83228

SHA1
d4c7fe28b936c3d1fea353e80ef5d93f6681669d

SHA256
f87c563fc7f8e595dde4e5e57a4b1ac1be47b0fc830d83adab08904e32e979d8

SHA512
b3de667446277e75f29f9e05de4789b032f568f83f6274848ca23e6a3d60a1b99d73fb6ec1daa1bcac77d7d2ab71a1e3fc9c4691fbfa7a2afaee3598e592950d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

Filesize
508B

MD5
b676f54b4bcc85db6cc45dec0b159610

SHA1
4d5136c5f5aa58018c1d05998e34db047ce70d08

SHA256
2a6c10ceda07ce95bb55aaed8275265c1bd2ca48fb8f2f1a5c8243272e8d87c7

SHA512
8638ddae9581a5ccd49b914f2b4c186a85bf304e67012ec5af32a3d531b855bb4a6aa9c3dd07fbf22d9d8f1538714896652bda54589bc6e91570589cb280d25e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f717f56b5d8e2e057c440a5a81043662

SHA1
0ad6c9bbd28dab5c9664bad04db95fd50db36b3f

SHA256
4286cd3f23251d0a607e47eccb5e0f4af8542d38b32879d2db2ab7f4e6031945

SHA512
61e263935d51028ec0aab51b938b880945a950cec9635a0dafddf795658ea0a2dfcf9cfc0cab5459b659bb7204347b047a5c6b924fabea44ce389b1cbb9867d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
196eaa9f7a574c29bd419f9d8c2d9349

SHA1
19982d15d1e2688903b0a3e53a8517ab537b68ed

SHA256
df1e96677bcfffe5044826aa14a11e85ef2ebb014ee9e890e723a14dc5f31412

SHA512
e066d74da36a459c19db30e68b703ec9f92019f2d5f24fd476a5fd3653c0b453871e2c08cdc47f2b4d4c4be19ff99e6ef3956d93b2d7d0a69645577d44125ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
b522ca08c15e9f418ee844d18676f766

SHA1
04ba8d4981cfd0d0734662cbae1cd14384472fdb

SHA256
e49103e2a51c2216ca6b1ac6c42fe296b6b51cbadc928006cacd73d4e7771dd2

SHA512
b8578fde9ca2608d5c42e8f8c5da7fc2eba02b027fbf71e24010af48fc9dde774a5fd2ea3fe6abde684f012719ba80a102ca3b9323863d6d0c4ed075e8dfea60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2bf4eed63319910616a85cb72fac3120

SHA1
668e89770425316f8d456b265fd6fd37f94b25b5

SHA256
4ac1330646e05da1b6299921f998c3b3ff4a4c5959caab16449ebd2ec05f6007

SHA512
8fe4d3444ec0c761fa575ea3db8755ff88498f26f11aee4019b95b14d17e2ac35386806c50dae7c5c2defe5e1d729d82926c4662995ad9380854b1b6c93b0f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ff181576caf39ad71afe41c16a373b6c

SHA1
7a49ba889a673799e9c4e4ee8054077c86cb91d4

SHA256
56c3d6b0c9034bf1d5985364d04a0247db4ad9836342607d892fead9dd3f0ffd

SHA512
3ac78183b6f2c09a888473af13003cc959d2c7d200aacadc2cb23f6eb7e521fd312d34043ed37334597e2c6e8af2a7c878a1271ff37f7443091923914d4f4c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
189122b607e3145200ee2a2a3bdeea1d

SHA1
6b5cdc21553f65833d87c37dcb057ed72e525210

SHA256
70864958e631436a215e935045695cd55ba571623b4fc2dc39908be589f8939b

SHA512
6933df8398a90b2c9d44fbe7688e83069f6e62037b2ea71686971ffdd1028303a74b0b51aa6f8f5571ec887a58acc5fb688a03a1c89cc4eb1f49900645b26d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d1c6b4fc425f4ceb1e1fff71d627733

SHA1
929ba8c54c79726a9f2e82d2cb83bc5f2350ce12

SHA256
c084b0e3dae1e98387adfcdae6df3b94ac8b4c05af256e6734a997f0488accaa

SHA512
8f7b953c51aa94746a0c906a978a228a02e85edb8ed4b265341a18a2626ab40f1e528b0e27af3fadcbd8b5c42e9a471373601b4b5aab93b9e6b3a5280363da1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d148246abbe6e6a3314f4003af30222

SHA1
68b5038328ac026317589111b76ba1598b922f8a

SHA256
ec87dce7fd83292f5fce243c85f46cfdd3abb9a178891d70c0396cdfdd4afc55

SHA512
b91b30e34631501339fab62fd2c4577f0600acce8860f1ef85913c127f7a22fa4d8e0163f51d071c40d44329b54190c61507049b04642999930de84ab9b9c599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1929819c29753ddb5d6690ac547dd87e

SHA1
6f857facc6f717cd9b93e11b2c60c6ee1e02d3ac

SHA256
8cb6de4e112774129cf1e96bb61a5a9597e3a059cc393e6ea7e53e6ca7b48365

SHA512
3d6725aa98416808ae0db8ac3ac2095122af9546f502d9a020a7ae84234d9c5df64cac92f64117dcc764e868c7874a4ac9c44f7d5bfa4406b8ea4565cdf4cc50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1f455bded300e3eaa25859a983b6180d

SHA1
dbf5ba2cb35158a81965a8f41f3147a6bef864a5

SHA256
166a6342a4151559120207d09cf25bbb285cbf671523107c0501b734c651c828

SHA512
42f1f91c4df76842f487099d23fe099701ecedf3b8e93c31ee0f0403c4c95d3f589944d0359c5cf12d655d70526b4320ee0b2b75a03f988b7e2ab5f44e425bd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
778be0c83852db6a1fed9f46153d6dfd

SHA1
1a30bdf6a9e21dfb8fe04b65ea44c58eaff8ca04

SHA256
3743558f4c607d121b7240fc479f71bb08a55add8fcbc360bdeda159e0e56a40

SHA512
971929b61534568c88ba39278e75607347aef4d664718e963dd5c785542185385a60b43430c58c854c77509ec6f3bb256939660380e96cf7fc85c5b2ab3a0eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBCE7.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 647013.crdownload

Filesize
2.4MB

MD5
d9e810a84ebe69e403a5f7e4c5ab9a37

SHA1
4f9f3e12ffc96dd0c6b479d20ada3f59dc383177

SHA256
1f6f3811e97ea920486a0aaa35410c06253c3659022f5b29e80227e3ceeab3e3

SHA512
9e00a461083eed7c91e0dcf5e3a499355b42d5c03ad569891e5d49ceecd1cd4f9b4d0557adf826dd91b94c9bc33b62e114e939a1a4f8b5d311b2dd952ae405e0

Download Submit
C:\Users\Admin\Downloads\tightvnc-2.8.84-gpl-setup-64bit.msi:Zone.Identifier

Filesize
163B

MD5
0107c73e103763e3396a68122c2b7192

SHA1
0eac8c225b8a4387cac530b110891e8e8fbb96df

SHA256
1b0a6344d119fd4ae7ffe02a8e003668fce57b09e9b07194e8b533504fd920a7

SHA512
d0925670873f1f9304b0a0177379b3805186e65a4e74239892ed19f52ad10105a6b33ec83240729c6ab761a2e678cab458f9fbbfd9f31e4d057b444a79137eef

Download Submit
C:\Windows\Installer\MSI433F.tmp

Filesize
154KB

MD5
b2e2c24ebce4f188cf28b9e1470227f5

SHA1
9de61721326d8e88636f9633aa37fcb885a4babe

SHA256
233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69

SHA512
343ea590c7f6b682b3b3e27fd4ab10ffeded788c08000c6dd1e796203f07bf9f8c65d64e9d4b17ce0da8eb17aaf1bd09c002359a89a7e5ab09cf2cb2960e7354

Download Submit
C:\Windows\Installer\MSI437E.tmp

Filesize
127KB

MD5
93394d2866590fb66759f5f0263453f2

SHA1
2f0903d4b21a0231add1b4cd02e25c7c4974da84

SHA256
5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b

SHA512
f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622

Download Submit
C:\Windows\Installer\MSI48A4.tmp

Filesize
132KB

MD5
d9495b7aa9914dd162ed46ee39d7b3eb

SHA1
2d7363906a021ab833b8ec9c54f2f124921ad13e

SHA256
3cc59e3d0b480344b4e359cd4f93608304b38de24ac4f86f55560f4e6f60438d

SHA512
1139e887ea3b318f3cc44e9bd8f95ccacb22cab69aab1bd6cb7c8d370330f1f583cd9a26fd436b821b07adf0ec106fafacf846952b3a02a961b432c1cad33a25

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
5f22cc8e73e4ddb7dc358f2b96c5e1db

SHA1
5845cfd9efe955e3f7d90cf02bf9d8ec903395b3

SHA256
8b8774034c3ebe0f7a3902963667dc90650e9e850779d6b9ef8e58aa3c08f237

SHA512
76c3356261529b4871762bf12cb460e6cf3a31d64c96834274d86de86819515ecc5d4f4b13c2a0f2dc8a2b27c4c54c18582fe06695d1d04403c035d298f5cee9

Download Submit
\??\Volume{17c3322d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{42517d78-f399-4b1d-924e-d069d57810b6}_OnDiskSnapshotProp

Filesize
6KB

MD5
69536c39c1579a23424d857abafceb21

SHA1
e6ef7c98a7a0ae73f31ee7f12f5e16055f6804e4

SHA256
4cdd3f7430c4e243eb8afb48c9d0358ca44bb7a67a980ff47966f99303aad048

SHA512
b2de1eac2008f92026879f938398f9c3fa751fe8b09737704c21236017917e97f81aa916b9764d4e8f217751417caa0a96c4706a9f62b8f0952dc69f12a66eb5

Download Submit