Analysis

max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 10:48

Static task: static1

Behavioral task: behavioral1
Sample: 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Resource: win10v2004-20241007-en

General

Target: 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Size: 14.2MB
MD5: 36e634c5cd1d301df846df0d28f0db50
SHA1: 1daa5039a206eac01555c0554bc0772e477a9dca
SHA256: 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352
SHA512: 133611c233be9b3f4db95514d7e25196c6fe1daf8aa76fdffe572ebd98e00a9f2fc918b7d02c0c6c9b28d45f54aa63c92d15486dffbb0100cde4072104d32c18
SSDEEP: 393216:lFx5CgKOlGO6btZkqF+vSW14FhXBDaRlISplQ2gOoW:7xwzOw7bgqFHnx+RMI

Malware Config

Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: PCPrivacyShield.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCPrivacyShield = "\"C:\\Program Files (x86)\\PC Privacy Shield\\PCPrivacyShield.exe\" minimized" | PCPrivacyShield.exe

Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe, 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
description | ioc | Process
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\L: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\U: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\X: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\N: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\R: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\A: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\J: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\R: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\U: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\W: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\Z: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\E: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\K: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\W: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\E: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\V: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\G: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\P: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\S: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\G: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\I: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\T: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\H: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\Z: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\K: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\H: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\Y: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\I: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\T: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\M: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\Q: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\V: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\M: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\P: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\N: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\O: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\Q: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\S: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\A: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\X: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
File opened (read-only) | \??\B: | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe, InstAct.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | InstAct.exe

Drops file in Program Files directory (57 IoCs)
Processes: msiexec.exe, InstAct.exe
description | ioc | Process
File created | C:\Program Files (x86)\PC Privacy Shield\es\PCPrivacyShield.resources.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\fr\OpacityGuide.resources.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\OpacityGuide.dll.config | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\de\OpacityGuide.resources.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\ExcelDataReader.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\Armt.exe.config | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\OpacityGuide.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\TreeViewFileExplorer.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\schedc10.exe | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\System.Data.SQLite.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\CaByp.CA.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\msvcp100.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\WcDialog.exe.config | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\README.txt | InstAct.exe
File created | C:\Program Files (x86)\PC Privacy Shield\msvcr100.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\PdfReader.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\de\PCPrivacyShield.resources.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\ja\PCPrivacyShield.resources.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\updater.exe | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\BouncyCastle.Crypto.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\PCPrivacyShield.exe.config | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\ja\OpacityGuide.resources.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\fr\PCPrivacyShield.resources.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\vcruntime140.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\de\Util.resources.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\Setup.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\Util.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\msvcp120.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\ICSharpCode.SharpZipLib.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\InstAct.exe.config | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\Perpetuum.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\TaskTools.exe.config | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\x86\DecryptTool.exe.config | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\WcDialog.exe | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\msvcp140.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\es\Util.resources.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\msvcr120.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\Bsm.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\Tracking.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\trialnotification.exe.config | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\x64\DecryptTool.exe.config | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\Armt.exe | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\es\OpacityGuide.resources.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\fr\Util.resources.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\Microsoft.Deployment.WindowsInstaller.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\Microsoft.Win32.TaskScheduler.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\TaskTools.exe | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\InstAct.exe | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\CaByp.dll | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\schedc10.exe.config | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\TreeViewFileExplorer.dll.config | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\trialnotification.exe | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\x64\DecryptTool.exe | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\x86\DecryptTool.exe | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\updater.ini | InstAct.exe
File created | C:\Program Files (x86)\PC Privacy Shield\PCPrivacyShield.exe | msiexec.exe
File created | C:\Program Files (x86)\PC Privacy Shield\Newtonsoft.Json.dll | msiexec.exe

Drops file in Windows directory (27 IoCs)
Processes: msiexec.exe
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB8D5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB69F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC28E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC4D1.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC6C7.tmp | msiexec.exe
File created | C:\Windows\Installer\{AFBC5F3E-A4BA-45F5-AD51-E866312F779E}\SystemFoldermsiexec.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC9C5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB79B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB7EA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC62A.tmp | msiexec.exe
File created | C:\Windows\Installer\{AFBC5F3E-A4BA-45F5-AD51-E866312F779E}\icon_1.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC059.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID699.tmp | msiexec.exe
File created | C:\Windows\Installer\e57b3a0.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57b3a0.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC24E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{AFBC5F3E-A4BA-45F5-AD51-E866312F779E}\icon_1.exe | msiexec.exe
File created | C:\Windows\Installer\e57b3a2.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB6FE.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBA1E.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\{AFBC5F3E-A4BA-45F5-AD51-E866312F779E}\SystemFoldermsiexec.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB585.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{AFBC5F3E-A4BA-45F5-AD51-E866312F779E} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID63A.tmp | msiexec.exe

Executes dropped EXE (8 IoCs)
Processes: InstAct.exe (7 instances), PCPrivacyShield.exe
pid | Process
1624 | InstAct.exe
1364 | InstAct.exe
1628 | InstAct.exe
1272 | InstAct.exe
5072 | InstAct.exe
4552 | InstAct.exe
2640 | InstAct.exe
3708 | PCPrivacyShield.exe

Loads dropped DLL (64 IoCs)
Processes: MsiExec.exe (3 instances), InstAct.exe (7 instances)
pid | Process | load events
2800 | MsiExec.exe | 11
4956 | MsiExec.exe | 12
3196 | MsiExec.exe | 3
1624 | InstAct.exe | 6
1364 | InstAct.exe | 6
1628 | InstAct.exe | 8
5072 | InstAct.exe | 8
1272 | InstAct.exe | 6
2640 | InstAct.exe | 2
4552 | InstAct.exe | 2

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: InstAct.exe (4 instances), 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe, MsiExec.exe (2 instances), DllHost.exe, InstAct.exe (2 instances), 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe, MsiExec.exe, InstAct.exe, PCPrivacyShield.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstAct.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstAct.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstAct.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstAct.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstAct.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstAct.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstAct.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PCPrivacyShield.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies data under HKEY_USERS (3 IoCs)
Processes: msiexec.exe
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe

Modifies registry class (30 IoCs)
Processes: PCPrivacyShield.exe, msiexec.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\PC Privacy Shield\command\ = "\"C:\\Program Files (x86)\\PC Privacy Shield\\Armt.exe\" \"addfile\" \"%1\"" | PCPrivacyShield.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\PC Privacy Shield\Icon = "C:\\Program Files (x86)\\PC Privacy Shield\\PCPrivacyShield.exe" | PCPrivacyShield.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F5911960AFD4B7C438B8B3ECD173E806\E3F5CBFAAB4A5F54DA158E6613F277E9 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\PC Privacy Shield\ = "Add to PC Privacy Shield Vault" | PCPrivacyShield.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\PC Privacy Shield\MultiSelectModel = "Player" | PCPrivacyShield.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\PackageCode = "CFED2A066DB21B24094CB2BEC1BF6081" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\PC Privacy Shield\\PC Privacy Shield 4.9.8\\install\\12F779E\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\Language = "1033" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\SourceList\PackageName = "PCPrivacyShield.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\SourceList\Media | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F5911960AFD4B7C438B8B3ECD173E806 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\PC Privacy Shield\\PC Privacy Shield 4.9.8\\install\\12F779E\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\PC Privacy Shield\command | PCPrivacyShield.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\ProductName = "PC Privacy Shield" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\ProductIcon = "C:\\Windows\\Installer\\{AFBC5F3E-A4BA-45F5-AD51-E866312F779E}\\icon_1.exe" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\PC Privacy Shield | PCPrivacyShield.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E3F5CBFAAB4A5F54DA158E6613F277E9\Version = "67698696" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E3F5CBFAAB4A5F54DA158E6613F277E9 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E3F5CBFAAB4A5F54DA158E6613F277E9\MainFeature | msiexec.exe

Processes: 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob, value not shown) | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (DER blob of the Comodo "AAA Certificate Services" root certificate, friendly name "Sectigo (AAA)"; hex dump omitted) | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes: MsiExec.exe, msiexec.exe, InstAct.exe, msedge.exe, msedge.exe, PCPrivacyShield.exe, identity_helper.exe, msedge.exe
pid | Process | events
4956 | MsiExec.exe | 6
552 | msiexec.exe | 2
5072 | InstAct.exe | 2
972 | msedge.exe | 2
2384 | msedge.exe | 2
3708 | PCPrivacyShield.exe | 3
5092 | identity_helper.exe | 2
6080 | msedge.exe | 4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes: msedge.exe
pid | Process | events
2384 | msedge.exe | 7

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
description | pid | Process
Token: SeSecurityPrivilege | 552 | msiexec.exe
Token: SeCreateTokenPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeAssignPrimaryTokenPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeLockMemoryPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeIncreaseQuotaPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeMachineAccountPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeTcbPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeSecurityPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeTakeOwnershipPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeLoadDriverPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeSystemProfilePrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeSystemtimePrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeProfSingleProcessPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeIncBasePriorityPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeCreatePagefilePrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeCreatePermanentPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeBackupPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeRestorePrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeShutdownPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeDebugPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeAuditPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeSystemEnvironmentPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeChangeNotifyPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeRemoteShutdownPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeUndockPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeSyncAgentPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeEnableDelegationPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeManageVolumePrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeImpersonatePrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Token: SeCreateGlobalPrivilege | 1056 | 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
Pid 1056 then requests the same 29 privileges a second time in the same order (SeCreateTokenPrivilege through SeCreateGlobalPrivilege), and a third pass is cut off at the 64-IoC display limit after SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege and SeMachineAccountPrivilege.
Suspicious use of FindShellTrayWindow 44 IoCs
Processes:
pid Process (number of entries)
- 1056 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe (2)
- 2384 msedge.exe (25)
- 3708 PCPrivacyShield.exe (17)
Suspicious use of SendNotifyMessage 34 IoCs
Processes:
pid Process (number of entries)
- 2384 msedge.exe (24)
- 3708 PCPrivacyShield.exe (10)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description (pid, Process, procid_target, number of entries)
- PID 552 wrote to memory of 2800 (552 msiexec.exe, target 86, 3 entries)
- PID 1056 wrote to memory of 3068 (1056 681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe, target 90, 3 entries)
- PID 552 wrote to memory of 4956 (552 msiexec.exe, target 91, 3 entries)
- PID 552 wrote to memory of 3196 (552 msiexec.exe, target 94, 3 entries)
- PID 552 wrote to memory of 1624 (552 msiexec.exe, target 96, 3 entries)
- PID 552 wrote to memory of 1364 (552 msiexec.exe, target 98, 3 entries)
- PID 552 wrote to memory of 1628 (552 msiexec.exe, target 99, 3 entries)
- PID 552 wrote to memory of 1272 (552 msiexec.exe, target 100, 3 entries)
- PID 552 wrote to memory of 5072 (552 msiexec.exe, target 101, 3 entries)
- PID 552 wrote to memory of 4552 (552 msiexec.exe, target 102, 3 entries)
- PID 552 wrote to memory of 2640 (552 msiexec.exe, target 103, 3 entries)
- PID 2800 wrote to memory of 3708 (2800 MsiExec.exe, target 104, 3 entries)
- PID 5072 wrote to memory of 2384 (5072 InstAct.exe, target 105, 2 entries)
- PID 2384 wrote to memory of 3024 (2384 msedge.exe, target 106, 2 entries)
- PID 2384 wrote to memory of 684 (2384 msedge.exe, target 107, 24 entries)
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe"
    - Enumerates connected drives
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 1056

    C:\Users\Admin\AppData\Local\Temp\681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe" /i "C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\PCPrivacyShield.msi" /L*v "C:\Users\Admin\AppData\Roaming\\PC Privacy Shield\PC Privacy Shield 4.9.8\install\installlog.txt" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\PC Privacy Shield" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Privacy Shield" SECONDSEQUENCE="1" CLIENTPROCESSID="1056" AI_MORE_CMD_LINE=1
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Modifies system certificate store
        PID: 3068

C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 552

    C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8F09966DFD5C1D1310D40463DF400121 C
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2800

        C:\Program Files (x86)\PC Privacy Shield\PCPrivacyShield.exe
            Command line: "C:\Program Files (x86)\PC Privacy Shield\PCPrivacyShield.exe" startscan "C:\Users\Admin\AppData\Local\Temp\681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe"
            - Adds Run key to start application
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            PID: 3708

    C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 049B4DA87C19D78EC8CE5ABE0CBF7924
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 4956

    C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9725BABB2FF1548905F1BC2DC4ED2046 E Global\MSI0000
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 3196

    C:\Program Files (x86)\PC Privacy Shield\InstAct.exe
        Command line: "C:\Program Files (x86)\PC Privacy Shield\InstAct.exe" xtend
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 1624

    C:\Program Files (x86)\PC Privacy Shield\InstAct.exe
        Command line: "C:\Program Files (x86)\PC Privacy Shield\InstAct.exe" removeOld
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 1364

    C:\Program Files (x86)\PC Privacy Shield\InstAct.exe
        Command line: "C:\Program Files (x86)\PC Privacy Shield\InstAct.exe" createini
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 1628

    C:\Program Files (x86)\PC Privacy Shield\InstAct.exe
        Command line: "C:\Program Files (x86)\PC Privacy Shield\InstAct.exe" install
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 1272

    C:\Program Files (x86)\PC Privacy Shield\InstAct.exe
        Command line: "C:\Program Files (x86)\PC Privacy Shield\InstAct.exe" installurl "C:\Users\Admin\AppData\Local\Temp\681b61911a4e840540afad0f05af5669140e86d7c9d8a1377d50483d4e5d2352.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 5072

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://shieldapps.com/post-install/pc-privacy-shield-successful-installation/?lnT=PostInstall&ipA=181.215.176.83&mcA=AD783E16E695&osN=Microsoft+Windows+10+Pro&osV=10.0.19041.0&lng=en&bdV=4.9.8&scR=&lcA=&lcE=
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 2384

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce4dd46f8,0x7ffce4dd4708,0x7ffce4dd4718
                PID: 3024

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
                PID: 684

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
                - Suspicious behavior: EnumeratesProcesses
                PID: 972

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2456 /prefetch:8
                PID: 4288

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                PID: 2000

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
                PID: 4116

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
                PID: 4044

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
                PID: 3052

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
                - Suspicious behavior: EnumeratesProcesses
                PID: 5092

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
                PID: 1484

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
                PID: 3540

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
                PID: 3628

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
                PID: 4372

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2729421613840842035,6852969941931544913,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2440 /prefetch:2
                - Suspicious behavior: EnumeratesProcesses
                PID: 6080

    C:\Program Files (x86)\PC Privacy Shield\InstAct.exe
        Command line: "C:\Program Files (x86)\PC Privacy Shield\InstAct.exe" skipuac
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 4552

    C:\Program Files (x86)\PC Privacy Shield\InstAct.exe
        Command line: "C:\Program Files (x86)\PC Privacy Shield\InstAct.exe" popuptask
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 2640

C:\Windows\SysWOW64\DllHost.exe
    Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
    - System Location Discovery: System Language Discovery
    PID: 3204

C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 4232

C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 3888
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
Filesize 3.9MB
MD5 ac804618f1acaac77f9dcda95a6d7687
SHA1 55cda3dcf5a9716ff1cfb19ac4722112594ae676
SHA256 2928729c3c131baa7981ef81993fb615f551cf6a9604a1760012cedd3ce5608d
SHA512 8ec2dac6f3ebaf1f4d942052040797402801034d8265e1208ff0905298fdd1b0486ee6c531c00863ac3786e07cb2b521af4fc98974cb99aaa23ed2bfa5d3889d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
Filesize 765B
MD5 dddec6ed6dd5aa88d23e86917284111e
SHA1 d5c7727dcc1a2b5ef4b26d88e657b3b1efcde97e
SHA256 db3327f7e90c9efeaa2fbac48b7664acc33bdc85fb8e8dfc55bac6dd64164add
SHA512 5d9912f30a590b01be6d85d41fcfe14c3a969db19e1e6ada398e9bb5d0611d389b0f1571635bba38b6f3854465bccd568d61779a97fa4f00f52bc2489d24f0cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_D6CEC721F7D5F8E4CB1C4CC32CECA525
Filesize 638B
MD5 75cca906494fcd2f080d64901ba9bafd
SHA1 0e43887190570fe90f0c990f606a55e47c31f0f7
SHA256 58dda4ec6a75dd7777a75ceb7827bba9113bf36c71c094380933afad9fcf78b4
SHA512 21fcc6698bbb4b4520eff377780230e012c350be4dc3af60a13074eeb788fe21731c7035f3737bb232118ae07d59e28328ba9e0c0c352050de702fd461c65b0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize 1KB
MD5 e532716b008a7bbb1bafc55896f5a310
SHA1 bdca7a78b3bc1ea79e037e8220ea9564dccd8926
SHA256 3b781d43b5e6c990375e908c4f57892d5b36ad6a28ee0425dff3df8d7a7b2ec2
SHA512 66d01eea62c25693a4285826c89d2e320719d8b545eee83cce17cbddeb07f650194825ae130bb26134804767be9fd5ec10b8199ec9390593802b7b1238bfeb35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
Filesize 484B
MD5 4950da2f3bc29929f1d5388d43f885ce
SHA1 3e9e10292b2872401bee021a85afc4a56a709594
SHA256 2a82702bc6672eded7f66f16b939b49e8af269920ba7124cc3e5d6e262a1828f
SHA512 1ed2d49ecce12db511a4bb3dcd8050205b08b4f04372696711547e42229d18ab094227c06d0cd90dd3c6e7e7fad7939dba5fc48ccb5e9bdb5d0537bb6e13ffbf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_D6CEC721F7D5F8E4CB1C4CC32CECA525
Filesize 484B
MD5 0fa7045df2b9c657f9e0be9b24296e74
SHA1 83795426d436162b78b04db311b1e39a20c343ac
SHA256 dc353a40053f09201c882dd5449378de99e0f2b42477c1b3853ca91fc02c8827
SHA512 0516cf1612a1241c99f092b883a97945c411573891f1650c5eea45d249adf75f0862725d785fe6b3f80092237c659dec13fa95f4370c38e6b6dccbe96abf8214

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize 482B
MD5 e1fbc996d7983e50ce032730bf6b83f3
SHA1 237b5be5dc351627adca2e01db9ca105e5ce7adb
SHA256 161f207f46fa702707b244ee747f9a0f9b237733b6fa06ebceb1958ad9d36d0e
SHA512 0488e23952c5651582357120a4fd8512615811a3370526a4e880c90f3b4ab1b2b34f88f40a3639da18d4fec659b1094e37e34d66ed683ba6e6670c5a517792aa

Filesize 152B
MD5 e443ee4336fcf13c698b8ab5f3c173d0
SHA1 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA256 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512 cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Filesize 152B
MD5 56a4f78e21616a6e19da57228569489b
SHA1 21bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256 d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512 c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0f1494af-9e2c-4d2b-a912-55b2c6c97d4a.tmp
Filesize 5KB
MD5 20d7e0420d3e54949c79d8774a47327a
SHA1 049721ac7a51376def9bc32defff483dc2b19ed0
SHA256 0efe0839e7f9664860a49d418fafe6f9611cbb864adddbef829cdb8f864f012b
SHA512 e1dc9401e407f346a361bfe93bd9f0a06d596f78259445b3b050a2e4a2029a4614ad148766f4c9369bff4d36573d30ce9b84a44dd196b0de5cb4f1c09eef0056

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 312B
MD5 e377613371223f39c71c7acbd1af2804
SHA1 8c3ea2a38dc0e7aa8b68be30dbf3ca4492d70d1a
SHA256 9c7e9600b71b0a87af6142635e445540b45f27e07140424e7ab4140012ab64d6
SHA512 6925af577406a2665628bde08648635df3c091c402395ed6db768c364bba7bd8fd114c1601095ace4bbf31f3d80fd6aff399df429f76076d17534460204d2b38

Filesize 1KB
MD5 bce9104d2ae7440161dbc02b1b71ae22
SHA1 5d49320fbc78db63d7b2476548c8a0c0e43e61ae
SHA256 514a32998534e9b395087d3b58e172e88266bb9aa70228d0d46468358b99a041
SHA512 4dbfebd0a8269192082159f51c0aeadbc25e47d497db8d9ef96dc6cb4e7d7e9a28f776ed77073067e15758e915d6833883c2d79e298114969c8e48410558ed3c

Filesize 7KB
MD5 aebe31066581e6eae06e0e1018a6eb0d
SHA1 5022a6cf707e67911453b1001706018b56bd35e4
SHA256 d370e424947cf13ca2892a4b358344f3803aa336aac1e2fe0e03f467d3100cbf
SHA512 c1f2c269aa1f35ced3a61007e22f8fb1558b6bc04acbb68b051a2e4e4065bc2b749db3af3f66ce3612016897a96f12d145c2c73a420db278b88d94bdf3858b9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize 72B
MD5 b390ef8cbebb90246c2ec1c971e85a17
SHA1 2164701ea145d8bc247826c9236045a5a74c1a19
SHA256 0996a9be5549f1859e71b7ad6562dfa8b602fed110eb3e58056fd45411546b89
SHA512 9af33ca5d591c29e2d2dab61fa1133e7bfa514ce7a177f4ed27f2a23d77cf942c34cd989ae8ba7aa847503960f6e21a0186f41dfc12a29e9423e8d887fce7c94

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5843ea.TMP
Filesize 48B
MD5 8928644c0028e9e079b898ebc5c814be
SHA1 a8d1c1333848aa886add74cebd36932a86205b7e
SHA256 083be665eeb9024ee0ad98ffe9a8785f45ba50aab3f4c3ec889f0d8944091aa6
SHA512 ce85b4af211dde84b9ba9af40648eb16dee4a20c98b97fa1fc17aaba8751f716b3053204ee6239183edd9d6b86405bf8373ff1cb224921e06362ad514f185d65

Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize 10KB
MD5 9f87f0a24fb627c6dba5316bd7a927b0
SHA1 5126919dc562fecdc1d84ffdac7b0b08851bab48
SHA256 5eeb76a1d3096b6001afcaa7324c683e0e7eac8659d9a65611b4edf27d46a434
SHA512 4a228b5ba5b6613e085fc44351efbaa6daefc84960044f5721ab11cb784a80cf4a6f75a490da1fa215ff77db982bf57074236507294c9af97afd5bce91ed2ebb

Filesize 1KB
MD5 ec1e640acc82f091f18801d3d8d981ff
SHA1 e74a9c5331307915cc4be1f6dddfd27f05d9f9b9
SHA256 b94668cba38b270039bcd164d47f7b060071a0e3684dd5cc1224a3905a6abfde
SHA512 ffbdc2198318078bdfbf123284dba09f0f45b774400d01cb015ad313d44ec822741ba1f9d2f5345063b4c5ebb673994c785498ed22418fb3a2c2ef67901c4771

Filesize 4KB
MD5 462a056951d3ad9d5dea7d077f3b35a3
SHA1 4c88348f397f78012efbb414ec42659571801ac8
SHA256 58f202bbdc2b5b1a8325ba5a458f4d5a6e65eadf595219cde7ee393721581634
SHA512 5cc28d9ddfe5d42045f440cf8aa7fee41db319c57f21bb307210c428d18e0d4e4d1d593a10c8459d33b9e7b16b843584a5508fc9125a57773af48aa8f1e0dbb7

Filesize 4KB
MD5 56e8c40d00ece987db54fcb0e244f9c1
SHA1 558b1cce633cddc633fbb703a62728f6784f64df
SHA256 d6f69b3941705f9f74d52be80735c9f5e2bb3498391ecfd20fc6103b6969f16b
SHA512 78361f0e9f4a045225765374e344afde304db1da0ceb6f9b4234e3049bcb235635922d6c8dc2b388ffe9671379d3f3d387837b59fb64e7128ceeb15c3745b996

Filesize 42KB
MD5 19bb33d641c013f9b0c7337fd94aafb7
SHA1 e681f5c6ce2ec570ddea8dc132f895b39addda98
SHA256 a7ee15ba3cbbf1407dfe300a7047576731d70b4750befd3b1eafc01293e5f34f
SHA512 124473416bb5d84b2dcf5ec405111dbdf570e6ea190fff7d3557f154f3a34f88f8d20f1276be2c4c9a785055f7f108f6e570b824ce091b9a3a330521a701d256

Filesize 21KB
MD5 0d6f8dead3176ede325bff7eb8a058c6
SHA1 adbb95bce1bd14fa965cfde7da029bacb4ec0187
SHA256 e92c4948b7c3b67b7982a578fab230409e1a91fc97f44be7ea7144cd2283858f
SHA512 14476bf75a301a37ef7b446a8f25d1c57738190cf0383f9fd0f95df0ac91a12ab90192810c57109a2272bac9864acf758ef6163cf5710e276efab2f3be63a297

Filesize 557KB
MD5 2c9c51ac508570303c6d46c0571ea3a1
SHA1 e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256 ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512 df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Filesize 1.1MB
MD5 7768d9d4634bf3dc159cebb6f3ea4718
SHA1 a297e0e4dd61ee8f5e88916af1ee6596cd216f26
SHA256 745de246181eb58f48224e6433c810ffbaa67fba330c616f03a7361fb1edb121
SHA512 985bbf38667609f6a422a22af34d9382ae4112e7995f87b6053a683a0aaa647e17ba70a7a83b5e1309f201fc12a53db3c13ffd2b0fad44c1374fff6f07059cbf

Filesize 705KB
MD5 e361f7bfaac80ff5bac709905d6b1a16
SHA1 724d294983509fd37cf282403e25f26890fbfc8f
SHA256 44cfe8ece8a14c06bc0c953176680623e802769b921f39b86647b541ef1eb06d
SHA512 47b7d7beb22484b67f05a3dbf28f78e3c55f1ff07204eac613e6912f82c713e4e8622d5f40a6a04731f6a9e0e5ab15e05b132493a4b06f882532a470a4bddedf

C:\Users\Admin\AppData\Local\Temp\PCPrivacyShield.Util.Browser.Chrome..tmp
Filesize 40KB
MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\PCPrivacyShield.Util.Browser.Chrome..tmp
Filesize 114KB
MD5 013b18b14247306181ec7ae01d24aa15
SHA1 5ce4cb396bf23585fbcae7a9733fe0f448646313
SHA256 edb18b52159d693f30ba4621d1e7fd8d0076bfd062e6dda817601c29588bea44
SHA512 2035c94569822378b045c0953659d9745b02d798ab08afc6120974b73dd9747bb696571ea83b4780f0590ca9772fc856f79bea29694fe463b1a388337da8bd94

C:\Users\Admin\AppData\Local\Temp\PCPrivacyShield.Util.Browser.Edge..tmp
Filesize 116KB
MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\PCPrivacyShield.Util.Browser.Edge..tmp
Filesize 48KB
MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Filesize 4.8MB
MD5 77d6c08c6448071b47f02b41fa18ed37
SHA1 e7fdb62abdb6d4131c00398f92bc72a3b9b34668
SHA256 047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b
SHA512 e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Filesize 61KB
MD5 f669441971b6f7f145771b7591be0980
SHA1 51761f3b2f7514a1fdc31b3352c1670a92b55948
SHA256 c1fea02e8e52119ced40d08a856908f346b631b26b1ac95c51c8ff46c0cd60c1
SHA512 465320750f42c3f0aa62b47dfec475e51c9ee9c66799002b6fcd26394b4e0c0e81f58beef2b0fd0acc5569bb549d8853424333bec2048abbe00466578cb25703

C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\Armt.exe.config
Filesize186B
MD5b51c130a957051ba9fb2245bf76fb6f6
SHA142181e5745daab2a0e8cf87693142828306f9bda
SHA2567921098e47e894412fdfd0cafe0f88cc68497740998eac17c68c00129069d803
SHA512fa2ac3eff5d51aea7acc9cf6aa018a77fae295d55c5bf808c9d7048c801baf4626568f00fb001a9f2780c46dce294482cfeb3045aabe139ddc557c0d3bc11640
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\BouncyCastle.Crypto.dll
Filesize2.4MB
MD5038ccd987fa6a35e08d43e03764bf4e2
SHA1d7dddc8a1c2b90deac2ce91d8e41a83f90ea2735
SHA256623d7c005753177930374d649c33742a8be69eac391af5764cf33048e87385f6
SHA5128fb2cf0943591be8c89cce3bcdb0d1250a26b2e0666b5b91ed7b0fadbc5cf6a014c4caefe43088c97da98eb54e23029f322cc4e09e74f7ca267a7c0ba3df3ce2
-
Filesize
24KB
MD507363cd395a7b7e1896d7cb5391132c5
SHA1662c89fd482e83681dd1f8ddb2ae507315f62f3d
SHA25694b28e1ac1e1467981226fdc36d894778c4b98f39285ee9005732b15666dee61
SHA512e44243ae7c5f820d51df72286ef3fa56aea06f1b4c1e929533ed6d642f6180743e72e0c43de8482674bae59b3ec26c376ae730b7aa97f0c5d5fa84179eb618c7
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\CaByp.CA.dll
Filesize2.4MB
MD53f0505139f9ae1bf6fdd30cc73b62728
SHA1a69efc6a9c0b7ac22c2f261585d7470cfb762db3
SHA256658c1d4dddf1afb8bb9f456db4780129905ab7ea90988dd36258de5c13450f2e
SHA512ee71d308b9684d3a175abbb05c7820d4781eec9179fb57ca9da9ddbb79e80f5b70dc5c27c9320b4807ddf909e5f6d52ad50002789a15d49c11206cb183cd0fd4
-
Filesize
282KB
MD55811d5410c62566a05d65cc6ba542fc4
SHA11b8a5383877f8e5bd691e53eaf494bb6a6c33e6f
SHA2564b960f91b789c6370a868a529fffbdcd89f19e4f324f61a493eba6d18a86a7e2
SHA51244229bfd23eb32635ebfd4f4925120fe4536d7569813dc3faed878f30b5c24af52f5e31f4bd45caf8789718705ee949faa8dc63fb8427b662fb7da2e0f20256a
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\InstAct.exe
Filesize94KB
MD5dc1153d77c40fe6977e0d4ac65866534
SHA1a3d9b20f81d90a22358d2123fbf06df9e5713b47
SHA256cc655807f733589215c29a27c03765579bd1c0a5fa0cfb2eb70e23d1848b3c14
SHA5127829e020caff3c2fae50607e8879a1379fc2b060c17f078540377ce7c1181d7a82faddf04c0c9645921b72e6d9d9e6476484da00ec54594ce2c745c84ba8ae04
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\PCPrivacyShield.exe
Filesize6.2MB
MD55b34516df5ab905bd334e908683a8084
SHA12f654634a23ff8fb79b18423b541e1f1acfd90dd
SHA25605b3a066ad986c66457c3c3beac5ebd7958d783a1369ed0a3d1aa741dad9456d
SHA512f4ebc0540515352c99f38e7ac25f1f359d1ab54f873b938f95fd40f9f6184b565e88764521cadce5541b301054cedaff78b5594e7b40693be979441d351d8ab5
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\PCPrivacyShield.msi
Filesize4.3MB
MD531cd604e8b53a5b1e43f18648e5256c2
SHA14d894bbfe66a49c3158d16f831da90295c2033e8
SHA2563f3b9a72910dff350291f95af927e33929e60c0c0daaead28801eb0710546b1d
SHA5125d0d4b13b24b55cb19f1f31c1125ffd351a54b63c702f3925e35f1adb01e330cc3738e8f4d54b95a22d4f6e71959f17d3a3598fa5a0cd7a0eb37d85c2171706c
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\de\OpacityGuide.resources.dll
Filesize33KB
MD5160cfb333b787b381c0292716f511677
SHA1f3e1935c009b35261dde2137ba2b85c665884991
SHA256b85e77dde7fd58a898355c02f53a2e1ecab6e3517b23d6b8fed5a941e864e056
SHA5124439e4663693c2d93c0531b83afd54ae79c1efc2cf6d7ab9cb75a2c75796a6567d48d0f1f663036f7ad44b79ff06f8264aa8b24b5baf7243d76c30b2606349e6
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\de\PCPrivacyShield.resources.dll
Filesize88KB
MD56088f7fdcbf2549ae50144bfeea6fc19
SHA1f82b7694e5d92048187cf3b9df44e02fd3a52406
SHA2560791e8335979c14d00f0d1ffba87dbc239b71d3e42f14b2a13f4a9bb0445aa7a
SHA512563f5ced1b98a213da08e1c24ea8edfe02b6a99af3981185341142ea1c8ec3b21e66b236bdf0852a45105e5a1302d8df4cd8d109975b7d0e48741e45be9242c9
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\de\Util.resources.dll
Filesize18KB
MD50ad01d8096f91f88042ef8366dcb0cc6
SHA1a19d926f47f41723bccc7687048b9f78385841ca
SHA256f833428c32d5f847955990de67e558672d7b563e3fdc47a71bfdb784a448ee41
SHA51266663e889ac0e730f5a5302705e9c72e6cc27ad58d5b5b2dc0719afb61bf22ca8f906ca535605e108668b174e86629154ae7c8cc151950e5acf444592769f55b
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\es\OpacityGuide.resources.dll
Filesize33KB
MD5d33dd56999b8470a3a402278ba653074
SHA17dc45bcd73409785790c37c6464c9755f63d3ac8
SHA256d6b7119f43a34d19d4f026954a737367248558fc7a6487b2b651203fca507ca4
SHA5121a7e16521d8f9c5e621f926d012b72ab4d26d6eca0f7dc35e06abc3f562a1366ca5e1a1535125be3e1d0490951e3598a63dc87ddf18b74b4b43625c03d9a6424
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\msvcp100.dll
Filesize411KB
MD5bc83108b18756547013ed443b8cdb31b
SHA179bcaad3714433e01c7f153b05b781f8d7cb318d
SHA256b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671
SHA5126e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\msvcp120.dll
Filesize444KB
MD58080160d77881130485100fbf51a619d
SHA1af7ef1f90af489423439713eecaaaa81bded2585
SHA256ac9ddd9f6132d5f05709bbe2cea3b3eabb2df8e4bd79365b336ac9ce7c2d8c3e
SHA5129c4d928898445b757908266efaa79d16e57df4fd1d3fe162c6b25d9a98e3b5e819a989b94286d923c90e99e50beeeed74a83f4b20f11021ed8db28dd6ca412e1
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\msvcp140.dll
Filesize612KB
MD52f443a41e00a370754a50cfc02c2e470
SHA10b812bdeebf71b2f8382fc115960dc83830201b5
SHA256bdf1d095d1419e9ce49e774590ee092b1b673ca259c0126f21afe595b3e661eb
SHA51215301c33835c67cdc0bd82e29d918411fb71df40ee073e43eeec96b85e94804e12df4354b02d73c185cca9b14349529a22d5aabd0feac41bbcbb9ae27273d039
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\msvcr100.dll
Filesize755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\msvcr120.dll
Filesize948KB
MD57f8da89204332df95cfc41f6e85dc515
SHA17e8d71e1f2f9729a52b2938bfdde69e56e6de488
SHA2561c8449f417566dd0fd69dc21ef77d46b9475fbaac731da35bdc71669f22242c8
SHA512d48b833cbc9db97d7be4e986be25ae097d1f55a33d591c5f554ec95d0d329f7cdc50687e16429289308a212cb00a8e2a640039ca7a056c5e03f58e21d3b27b33
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\updater.exe
Filesize626KB
MD518f240ec48ee7afa3214ea425e177983
SHA1186eb76cae15c56c54af8e24946ed9f70fde9dc7
SHA2562b58cd5f0f541fc5b540b47936d4a5806dad839bb4045b6680c1a825230b4346
SHA512591fd1325e9aec420d84f67c8edc5380db1be3a10e35efd1df7ceaee55553a082b58b23a0c5005117afb477bd826d70199173868330a8a09b7f7c4af0175d70c
-
C:\Users\Admin\AppData\Roaming\PC Privacy Shield\PC Privacy Shield 4.9.8\install\12F779E\vcruntime140.dll
Filesize83KB
MD5cafd6f3410af3b95968a1efb17ecee05
SHA17b4fe24321d2b108eda71ebce241da389c9a9158
SHA2560164b1bfdcedb07295eae14fa5dca88b46862bc91ec2d317ef8559bbec8128ba
SHA51279db866ed22d3671359915ceeb96741a13356258132772067a1b0e186c700c32c97ec14bfe83b09110a80dee61cc78ae85f8721184fbd4f1de5e7d8dfada82f4
-
Filesize
95KB
MD51c1057a2491653b026bd23a38665e3ff
SHA1708074473bad7f629500b7d4dabf4d8e0be61f8a
SHA256dd5332374d3046ac31089cc4dce95311adc60671eae2c3eec541a3327b5dca8d
SHA512dc5da9c6ad1ef34d57a2d0aeff2c2dcb35abcfda2123447997766bf51af41a292fec09ecf7383111b152fa6e86c1798f9c7f699485fb6530732b53c865d894e5
-
Filesize
152KB
MD53c1081ca714d2fa96d1019c1c84e2e70
SHA185879c13d575dff009bbf3af367420bd21b2dcf4
SHA256227c6f7d316a5a2018b857788e3c5255e4947e838a5518e5b8e123eff1baa7f0
SHA51224559bbc3ce903a6e8f38f1c38115d085069d9a51da8dbe500474fff95ac3e5426adf761a9c5a67ac0268f3dde93a0b08c5126439d5f9f1476d52d50b4269258
-
Filesize
721KB
MD59b81778929c658ea907b7618f483beb1
SHA1646e84b1ee486c071f5b2cf816c96443c8fa3979
SHA256a326781b82ae171a4c5615765e69d35339011cabd1bf028b78d5b86019035c73
SHA512d415bb350a5525486f8d814971611a69d5a4e2b223037e61867450427cb22e05b9aec26f3b01a5295df9e505e7e29a0ec45b6c79394a8c1e9e2f8db4c75dea1a
-
Filesize
331KB
MD5080cc38f68ddd4b9958338786baac5e3
SHA1567cbbe72be587aa5d4021240e0d1e76b81c098e
SHA256b164d00d5d2234625d979da0f1a4efef73d7b40000da5d493aaefd817ad086b1
SHA51255f7eb841fdc1051a9d2100f9e4620655ea9a4ca6fd50fb2840d39b1f4177281ba2d492bd6e107f1e6de7119a760192d62e5959ba27f7812de41425875f0c129