Analysis
max time kernel: 4265891s
max time network: 489s
platform: windows10-2004_x64
resource: win10v2004-ja-20220113
submitted: 16-01-2022 18:03
Static task: static1
Behavioral task: behavioral1
  Sample: 8 Cores.msi
  Resource: win7-ja-20211208
Behavioral task: behavioral2
  Sample: 8 Cores.msi
  Resource: win10-ja-20211208
Behavioral task: behavioral3
  Sample: 8 Cores.msi
  Resource: win10v2004-ja-20220113
General
Target: 8 Cores.msi
Size: 319KB
MD5: 6047ee1af2d30ef7db95fabb788ec9f9
SHA1: 2731a77f03f97aa03adcd2c7c6f4342d2fd1d515
SHA256: b3f5506d672e2ea0564c52413f1f8847c569542d2cd475937c6f21a443292728
SHA512: 7d8de10cdf4399692da6b7e80c96d865ffc891292e1bf16adaf663f2cf087802ae61bde15057a9aa7c82d6dbd0930e623c3a4c947502c5c1129bbc66d8aa03e8
Malware Config
Signatures
Registers COM server for autorun [1 TTPs]
Suspicious use of NtCreateProcessExOtherParentProcess [1 IoCs]
Processes:
  description: PID 2532 created 2148 | pid: 2532 | process: WerFault.exe | target process: backgroundTaskHost.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
Executes dropped EXE [6 IoCs]
Processes:
  pid: 4740 | process: Open____Setup__3456.exe
  pid: 1688 | process: armsvc.exe
  pid: 4492 | process: AdobeARM.exe
  pid: 3712 | process: MSI28CB.tmp
  pid: 3044 | process: RdrServicesUpdater.exe
  pid: 2628 | process: armsvc.exe
Sets file execution options in registry [2 TTPs]
Checks BIOS information in registry [2 TTPs, 2 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | process: Open____Setup__3456.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | process: Open____Setup__3456.exe
Checks computer location settings [2 TTPs, 1 IoCs]
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | process: Open____Setup__3456.exe
Loads dropped DLL [48 IoCs]
Processes:
Processes:
  resource: C:\Users\Admin\Downloads\Open____Setup__3456\Open____Setup__3456.exe | yara_rule: themida
  resource: C:\Users\Admin\Downloads\Open____Setup__3456\Open____Setup__3456.exe | yara_rule: themida
Adds Run key to start application [2 TTPs, 1 IoCs]
Processes:
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | process: msedge.exe
Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: Open____Setup__3456.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: AdobeARM.exe
Enumerates connected drives [3 TTPs, 48 IoCs]
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Drops file in System32 directory [4 IoCs]
Processes:
  description: File opened for modification | ioc: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal | process: OfficeC2RClient.exe
  description: File opened for modification | ioc: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm | process: OfficeC2RClient.exe
  description: File created | ioc: C:\Windows\SysWOW64\Elevation.tmp | process: MsiExec.exe
  description: File opened for modification | ioc: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db | process: OfficeC2RClient.exe
Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoCs]
Processes:
  pid: 4740 | process: Open____Setup__3456.exe
Drops file in Program Files directory [64 IoCs]
Processes:
Drops file in Windows directory [64 IoCs]
Processes:
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash [1 IoCs]
Processes:
  pid: 4052 | pid_target: 2148 | process: WerFault.exe | target process: backgroundTaskHost.exe
Checks SCSI registry key(s) [3 TTPs, 8 IoCs]
SCSI information is often read in order to detect sandboxing environments.
Processes:
Checks processor information in registry [2 TTPs, 10 IoCs]
Processor information is often read in order to detect sandboxing environments.
Processes:
Delays execution with timeout.exe [1 IoCs]
Processes:
  pid: 1416 | process: timeout.exe
Enumerates system info in registry [2 TTPs, 8 IoCs]
Processes:
Processes:
Modifies data under HKEY_USERS [64 IoCs]
Processes:
msiexec.exe, compattelrunner.exe, OfficeC2RClient.exe
description ioc process
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppResolverUX_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CallingShellApp_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeC2RClient.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.People_10.1902.633.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe OfficeC2RClient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" OfficeC2RClient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe OfficeC2RClient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FilePicker_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CWindows.CBSPreview_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData OfficeC2RClient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeC2RClient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.creddialoghost_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CPrintDialog%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AsyncTextService_8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeC2RClient.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,17110988,7153487,39965824,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeC2RClient.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6" OfficeC2RClient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun OfficeC2RClient.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E msiexec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides OfficeC2RClient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry OfficeC2RClient.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.BioEnrollment_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides OfficeC2RClient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation OfficeC2RClient.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor OfficeC2RClient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor OfficeC2RClient.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun OfficeC2RClient.exe
-
Modifies registry class 64 IoCs
Processes:
MsiExec.exe, msiexec.exe, FileSyncConfig.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\MiscStatus\ = "0" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}\ = "IAcroFDFHandler" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\MIME\Database\Content Type\application/vnd.adobe.acrobat-security-settings msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.DC\CLSID\ = "{B801CA65-A1FC-11D0-85AD-444553540000}" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\MIME\Database\Content Type\application/vnd.adobe.pdfxml msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\InprocServer32 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.api\OpenWithProgids MsiExec.exe
Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.XDPDoc\DefaultIcon msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3F0-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32 msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\.xdp\OpenWithProgids msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE79C475-D632-4A57-91B3-DA044FA27CDA}\1.0\FLAGS\ = "0" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EF-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{46B89F5A-769D-4792-AD9A-E3755915CBC3} msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{03C2AEA5-BEFA-4C84-A187-C9245AC784F6} msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5AAABB05-F91B-4bce-AB18-D8319DEDABA8} msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{566A7BC7-B295-41B7-A818-12F9E5CA46CA}\ProxyStubClsid32 msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\AcroExch.acrobatsecuritysettings\CurVer msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142136144\SourceList\PackageName = "Arm_001824311644_101667601813759803412044416713615803656.msi" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EC-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B813CE7-7C10-4F84-AD06-9DF76D97A9AA}\NumMethods\ = "7" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}\TypeLib\ = "{47A7A4B0-2723-41BA-865E-EBBB7081A602}" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdfxml\OpenWithList\AcroRd32.exe\ msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.secstore\OpenWithProgids\ msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46B89F5A-769D-4792-AD9A-E3755915CBC3}\ = "IStatusEvents" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{673E8452-7646-11D1-B90B-00A0C9259304}\ProxyStubClsid msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\Version\ = "1.0" msiexec.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\MIME\Database\Content Type\application/pdf\CLSID = "{CA8A9780-280D-11CF-A24D-444553540000}" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PDXFileType\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\.acrobatsecuritysettings\OpenWithProgids msiexec.exe
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance FileSyncConfig.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\Control msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA8A9780-280D-11CF-A24D-444553540000} MsiExec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}\ProxyStubClsid msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\.pdfxml\OpenWithProgids msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml\CurVer\ = "AcroExch.pdfxml.1" msiexec.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525" FileSyncConfig.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pdx\PDXFileType\ShellNew msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\shell\Read\command msiexec.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1" FileSyncConfig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.xdp+xml\CLSID = "{CA8A9780-280D-11CF-A24D-444553540000}" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{EE5A151A-AD2A-4CEE-AD65-228B59F5B4AD}\TypeLib msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{08A9E040-9A9C-4F42-B5F5-2029B8F17E1D}\TypeLib msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\.xfdf msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\VersionIndependentProgID msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{0F6D3808-7974-4B1A-94C2-3200767EACE8}\1.0\0\win32 msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ MsiExec.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" FileSyncConfig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E7-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Programmable\ msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{673E8454-7646-11D1-B90B-00A0C9259304}\TypeLib msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adobe.Reader.HTMLPreview.1\ = "Adobe Reader HTML Preview Class" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7CD06992-50AA-11D1-B8F0-00A0C9259304}\1.0\FLAGS\ = "0" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithProgids MsiExec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.secstore\OpenWithProgids\AcroExch.SecStore = "0" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\6\ = "3, 1, 32, 1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03C2AEA5-BEFA-4C84-A187-C9245AC784F6}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3F1-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74A13FDD-9BCF-4229-9CAB-0079A5E17A25}\ = "Adobe Acrobat Sharepoint OpenDocuments Component Implementation" msiexec.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" FileSyncConfig.exe
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE} msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3ED-4981-101B-9CA8-9240CE2738AE}\ = "CAcroRect" msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
WerFault.exe, msedge.exe, msedge.exe, msiexec.exe, identity_helper.exe, msedge.exe, Open____Setup__3456.exe, AdobeARMHelper.exe, taskmgr.exe, MsiExec.exe
pid process
4052 WerFault.exe 4052 WerFault.exe 4220 msedge.exe 4220 msedge.exe 3164 msedge.exe 3164 msedge.exe 4016 msiexec.exe 4016 msiexec.exe 4352 identity_helper.exe 4352 identity_helper.exe 4236 msedge.exe 4236 msedge.exe 4740 Open____Setup__3456.exe 4740 Open____Setup__3456.exe 3448 AdobeARMHelper.exe 3448 AdobeARMHelper.exe 3448 AdobeARMHelper.exe 3448 AdobeARMHelper.exe 3448 AdobeARMHelper.exe 3448 AdobeARMHelper.exe 3448 AdobeARMHelper.exe 3448 AdobeARMHelper.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 3916 MsiExec.exe 3916 MsiExec.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exe
pid process
1304 taskmgr.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
msedge.exe
pid process
3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exe, msiexec.exe, MusNotification.exe, vssvc.exe
description pid process
Token: SeShutdownPrivilege 3212 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3212 msiexec.exe
Token: SeSecurityPrivilege 4016 msiexec.exe
Token: SeCreateTokenPrivilege 3212 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3212 msiexec.exe
Token: SeLockMemoryPrivilege 3212 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3212 msiexec.exe
Token: SeMachineAccountPrivilege 3212 msiexec.exe
Token: SeTcbPrivilege 3212 msiexec.exe
Token: SeSecurityPrivilege 3212 msiexec.exe
Token: SeTakeOwnershipPrivilege 3212 msiexec.exe
Token: SeLoadDriverPrivilege 3212 msiexec.exe
Token: SeSystemProfilePrivilege 3212 msiexec.exe
Token: SeSystemtimePrivilege 3212 msiexec.exe
Token: SeProfSingleProcessPrivilege 3212 msiexec.exe
Token: SeIncBasePriorityPrivilege 3212 msiexec.exe
Token: SeCreatePagefilePrivilege 3212 msiexec.exe
Token: SeCreatePermanentPrivilege 3212 msiexec.exe
Token: SeBackupPrivilege 3212 msiexec.exe
Token: SeRestorePrivilege 3212 msiexec.exe
Token: SeShutdownPrivilege 3212 msiexec.exe
Token: SeDebugPrivilege 3212 msiexec.exe
Token: SeAuditPrivilege 3212 msiexec.exe
Token: SeSystemEnvironmentPrivilege 3212 msiexec.exe
Token: SeChangeNotifyPrivilege 3212 msiexec.exe
Token: SeRemoteShutdownPrivilege 3212 msiexec.exe
Token: SeUndockPrivilege 3212 msiexec.exe
Token: SeSyncAgentPrivilege 3212 msiexec.exe
Token: SeEnableDelegationPrivilege 3212 msiexec.exe
Token: SeManageVolumePrivilege 3212 msiexec.exe
Token: SeImpersonatePrivilege 3212 msiexec.exe
Token: SeCreateGlobalPrivilege 3212 msiexec.exe
Token: SeShutdownPrivilege 3248 MusNotification.exe
Token: SeCreatePagefilePrivilege 3248 MusNotification.exe
Token: SeBackupPrivilege 2280 vssvc.exe
Token: SeRestorePrivilege 2280 vssvc.exe
Token: SeAuditPrivilege 2280 vssvc.exe
Token: SeBackupPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeTakeOwnershipPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeTakeOwnershipPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeTakeOwnershipPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeTakeOwnershipPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeTakeOwnershipPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeTakeOwnershipPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeTakeOwnershipPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeTakeOwnershipPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeTakeOwnershipPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeTakeOwnershipPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeTakeOwnershipPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
Token: SeTakeOwnershipPrivilege 4016 msiexec.exe
Token: SeRestorePrivilege 4016 msiexec.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msiexec.exe, msedge.exe
pid process
3212 msiexec.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3212 msiexec.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
msedge.exe, AdobeARM.exe, taskmgr.exe
pid process
3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 3164 msedge.exe 4492 AdobeARM.exe 4492 AdobeARM.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe 1304 taskmgr.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
SDXHelper.exe, AdobeARM.exe, OfficeC2RClient.exe
pid process
2976 SDXHelper.exe 4492 AdobeARM.exe 4492 AdobeARM.exe 4492 AdobeARM.exe 3428 OfficeC2RClient.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
WerFault.exe, msedge.exe
description pid process target process
PID 2532 wrote to memory of 2148 2532 WerFault.exe backgroundTaskHost.exe
PID 2532 wrote to memory of 2148 2532 WerFault.exe backgroundTaskHost.exe
PID 3164 wrote to memory of 3180 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 3180 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4196 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4220 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4220 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
PID 3164 wrote to memory of 4268 3164 msedge.exe msedge.exe
Processes
-
Path
C:\Windows\system32\msiexec.exe
Command line
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\8 Cores.msi"
Tree depth
1
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
Path
C:\Windows\system32\msiexec.exe
Command line
C:\Windows\system32\msiexec.exe /V
Tree depth
1
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Path
C:\Windows\system32\srtasks.exe
Command line
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Tree depth
2
-
Path
C:\Windows\syswow64\MsiExec.exe
Command line
C:\Windows\syswow64\MsiExec.exe -Embedding 9B177896811655380BD6FAB486019210
Tree depth
2
- Loads dropped DLL
-
Path
C:\Windows\syswow64\MsiExec.exe
Command line
C:\Windows\syswow64\MsiExec.exe -Embedding B2A546942C7D68069A6435683609E260 E Global\MSI0000
Tree depth
2
- Loads dropped DLL
-
Path
C:\Windows\syswow64\MsiExec.exe
Command line
C:\Windows\syswow64\MsiExec.exe -Embedding 005444E95BA3345A145F99AB3C8FC3D2
Tree depth
2
- Loads dropped DLL
- Drops file in System32 directory
-
Path
C:\Windows\syswow64\MsiExec.exe
Command line
C:\Windows\syswow64\MsiExec.exe -Embedding E27B094C10245A07728E5C795FDF17F9 E Global\MSI0000
Tree depth
2
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
Path
C:\Windows\Installer\MSI28CB.tmp
Command line
"C:\Windows\Installer\MSI28CB.tmp" /b 2 120 0
Tree depth
2
- Executes dropped EXE
-
Path
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
Command line
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20098 19.010.20069.0
Tree depth
2
- Executes dropped EXE
- Drops file in Program Files directory
-
Path
C:\Windows\system32\MusNotification.exe
Command line
C:\Windows\system32\MusNotification.exe
Tree depth
1
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
Path
C:\Program Files\Microsoft Office\Root\Office16\SDXHelper.exe
Command line
"C:\Program Files\Microsoft Office\Root\Office16\SDXHelper.exe" -Embedding
Tree depth
1
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
Path
C:\Windows\system32\backgroundTaskHost.exe
Command line
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
Tree depth
1
-
Path
C:\Windows\system32\WerFault.exe
Command line
C:\Windows\system32\WerFault.exe -u -p 2148 -s 2092
Tree depth
2
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
Path
C:\Windows\system32\vssvc.exe
Command line
C:\Windows\system32\vssvc.exe
Tree depth
1
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
Path
C:\Windows\system32\WerFault.exe
Command line
C:\Windows\system32\WerFault.exe -pss -s 452 -p 2148 -ip 2148
Tree depth
1
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Tree depth
1
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb1e3b46f8,0x7ffb1e3b4708,0x7ffb1e3b4718
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --lang=ja --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
Tree depth
2
- Suspicious behavior: EnumeratesProcesses
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --lang=ja --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --lang=ja --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --lang=ja --service-sandbox-type=service --mojo-platform-channel-handle=5156 /prefetch:8
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --lang=ja --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --lang=ja --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
Tree depth
2
- Suspicious behavior: EnumeratesProcesses
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7a5205460,0x7ff7a5205470,0x7ff7a5205480
Tree depth
3
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --disable-gpu-compositing --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --disable-gpu-compositing --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --disable-gpu-compositing --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --disable-gpu-compositing --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1120 /prefetch:1
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --disable-gpu-compositing --lang=ja --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --lang=ja --service-sandbox-type=collections --mojo-platform-channel-handle=1720 /prefetch:8
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --disable-gpu-compositing --lang=ja --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
Tree depth
2
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --lang=ja --service-sandbox-type=none --mojo-platform-channel-handle=3936 /prefetch:8
Tree depth
2
- Suspicious behavior: EnumeratesProcesses
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1343212087971495223,13140043477701568378,131072 --disable-gpu-compositing --lang=ja --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
Tree depth
2
-
Path
C:\Windows\System32\CompPkgSrv.exe
Command line
C:\Windows\System32\CompPkgSrv.exe -Embedding
Tree depth
1
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
Tree depth
1
-
Path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1e3b46f8,0x7ffb1e3b4708,0x7ffb1e3b4718
Tree depth
2
-
Path
C:\Windows\System32\rundll32.exe
Command line
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Tree depth
1
-
Path
C:\Program Files\7-Zip\7zG.exe
Command line
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Open____Setup__3456\" -spe -an -ai#7zMap28488:100:7zEvent3567
Tree depth
1
-
Path
C:\Users\Admin\Downloads\Open____Setup__3456\Open____Setup__3456.exe
Command line
"C:\Users\Admin\Downloads\Open____Setup__3456\Open____Setup__3456.exe"
Tree depth
1
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
Path
C:\Windows\SysWOW64\cmd.exe
Command line
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\TFiaaVxixaH & timeout 4 & del /f /q "C:\Users\Admin\Downloads\Open____Setup__3456\Open____Setup__3456.exe"
Tree depth
2
-
Path
C:\Windows\SysWOW64\timeout.exe
Command line
timeout 4
Tree depth
3
- Delays execution with timeout.exe
-
Path
C:\ProgramData\Adobe\ARM\S\11984\AdobeARMHelper.exe
Command line
"C:\ProgramData\Adobe\ARM\S\11984\AdobeARMHelper.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\11984" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
Tree depth
1
- Suspicious behavior: EnumeratesProcesses
-
Path
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Command line
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\11984" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
Tree depth
2
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
Path
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Command line
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Tree depth
1
- Executes dropped EXE
-
Path
C:\Windows\system32\svchost.exe
Command line
C:\Windows\system32\svchost.exe -k SDRSVC
Tree depth
1
-
Path
C:\Windows\system32\taskmgr.exe
Command line
"C:\Windows\system32\taskmgr.exe" /4
Tree depth
1
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
-
Path
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Command line
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Tree depth
1
- Executes dropped EXE
-
Path
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.245.1128.0002\FileSyncConfig.exe
Command line
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.245.1128.0002\FileSyncConfig.exe"
Tree depth
1
- Modifies registry class
-
Path
C:\Windows\system32\compattelrunner.exe
Command line
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
Tree depth
1
- Modifies data under HKEY_USERS
-
Path
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
Command line
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
Tree depth
1
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/4196-154-0x00007FFB3ED10000-0x00007FFB3ED11000-memory.dmpFilesize
4KB
-
memory/4196-158-0x00000199E41D0000-0x00000199E41D2000-memory.dmpFilesize
8KB
-
memory/4196-163-0x00000199E41D0000-0x00000199E41D2000-memory.dmpFilesize
8KB
-
memory/4196-162-0x00000199E41D0000-0x00000199E41D2000-memory.dmpFilesize
8KB
-
memory/4220-155-0x0000020BCEB70000-0x0000020BCEB72000-memory.dmpFilesize
8KB
-
memory/4220-157-0x0000020BCEB70000-0x0000020BCEB72000-memory.dmpFilesize
8KB
-
memory/4220-153-0x0000000000000000-mapping.dmp
-
memory/4236-258-0x0000000000000000-mapping.dmp
-
memory/4268-167-0x000001EEB39D0000-0x000001EEB39D2000-memory.dmpFilesize
8KB
-
memory/4268-165-0x000001EEB39D0000-0x000001EEB39D2000-memory.dmpFilesize
8KB
-
memory/4268-160-0x000001EEB39A9000-0x000001EEB39AA000-memory.dmpFilesize
4KB
-
memory/4268-161-0x0000000000000000-mapping.dmp
-
memory/4276-235-0x0000000000000000-mapping.dmp
-
memory/4328-198-0x000001DB88840000-0x000001DB88842000-memory.dmpFilesize
8KB
-
memory/4328-196-0x0000000000000000-mapping.dmp
-
memory/4328-197-0x000001DB88840000-0x000001DB88842000-memory.dmpFilesize
8KB
-
memory/4336-277-0x0000000000000000-mapping.dmp
-
memory/4352-204-0x0000000000000000-mapping.dmp
-
memory/4352-205-0x000001FEE0F40000-0x000001FEE0F42000-memory.dmpFilesize
8KB
-
memory/4352-206-0x000001FEE0F40000-0x000001FEE0F42000-memory.dmpFilesize
8KB
-
memory/4484-242-0x0000000000000000-mapping.dmp
-
memory/4492-294-0x0000000000000000-mapping.dmp
-
memory/4580-168-0x00000228C8D58000-0x00000228C8D59000-memory.dmpFilesize
4KB
-
memory/4580-171-0x00000228C8D80000-0x00000228C8D82000-memory.dmpFilesize
8KB
-
memory/4580-172-0x00000228C8D80000-0x00000228C8D82000-memory.dmpFilesize
8KB
-
memory/4580-169-0x0000000000000000-mapping.dmp
-
memory/4580-180-0x00000228C8D80000-0x00000228C8D82000-memory.dmpFilesize
8KB
-
memory/4580-173-0x00000228C8D80000-0x00000228C8D82000-memory.dmpFilesize
8KB
-
memory/4592-221-0x0000000000000000-mapping.dmp
-
memory/4620-214-0x0000000000000000-mapping.dmp
-
memory/4680-191-0x00000224E45E0000-0x00000224E45E2000-memory.dmpFilesize
8KB
-
memory/4680-179-0x00000224E45E0000-0x00000224E45E2000-memory.dmpFilesize
8KB
-
memory/4680-192-0x00000224E45E0000-0x00000224E45E2000-memory.dmpFilesize
8KB
-
memory/4680-193-0x00000224E45E0000-0x00000224E45E2000-memory.dmpFilesize
8KB
-
memory/4680-175-0x0000000000000000-mapping.dmp
-
memory/4688-201-0x0000000000000000-mapping.dmp
-
memory/4700-185-0x000001838F780000-0x000001838F782000-memory.dmpFilesize
8KB
-
memory/4700-184-0x000001838F780000-0x000001838F782000-memory.dmpFilesize
8KB
-
memory/4700-178-0x0000000000000000-mapping.dmp
-
memory/4700-182-0x000001838F780000-0x000001838F782000-memory.dmpFilesize
8KB
-
memory/4700-183-0x000001838F780000-0x000001838F782000-memory.dmpFilesize
8KB
-
memory/4868-285-0x0000000000000000-mapping.dmp
-
memory/4884-189-0x000001FF2DFD0000-0x000001FF2DFD2000-memory.dmpFilesize
8KB
-
memory/4884-190-0x000001FF2DFD0000-0x000001FF2DFD2000-memory.dmpFilesize
8KB
-
memory/4884-187-0x0000000000000000-mapping.dmp
-
memory/4884-186-0x000001FF2DFAA000-0x000001FF2DFAB000-memory.dmpFilesize
4KB
-
memory/4912-254-0x0000000000000000-mapping.dmp
-
memory/5072-209-0x000001D7D3340000-0x000001D7D3342000-memory.dmpFilesize
8KB
-
memory/5072-207-0x0000000000000000-mapping.dmp
-
memory/5072-208-0x000001D7D3340000-0x000001D7D3342000-memory.dmpFilesize
8KB
-
memory/5112-280-0x0000000000000000-mapping.dmp