Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/11/2022, 08:09
Static task: static1
Behavioral task: behavioral1
Sample: a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Resource: win10v2004-20221111-en
General
Target: a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Size: 21.1MB
MD5: 70f9f9e4ab01d2e868a465766318b3a9
SHA1: 1d27498c2196142eee3c903122ab5ba5b57e0c71
SHA256: a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625
SHA512: 0c2fc046c8d7fd3e0579c53f1a1b14479dbbe22f608f32e6f31e6097768c0a543cbaa32b7ad258db72bad8e8b1597073c508698465ff4512100808965fbe440e
SSDEEP: 393216:yZyv/E8B2FI3/VRn9zYlVCYKwnQJy4vcmgjZQGfaAWb3aaxbwDtz23bVKQ8n2iiB:LrBv39fzY+SnQJyagjZ5f2zwDJ2rp8nE
Malware Config
Signatures
Blocklisted process makes network request 1 IoCs
flow | pid | Process
27 | 2924 | msiexec.exe
Executes dropped EXE 12 IoCs
pid | Process
2624 | MaintenanceService.exe
4176 | NTFSWatcher.exe
4904 | NTFSWatcher.exe
2108 | MSI6219.tmp
1988 | NsExtInstaller.exe
1464 | MSI671B.tmp
4756 | Nutstore.exe
4684 | NutstoreClient.exe
3428 | MaintenanceService.exe
2336 | PostUpdater.exe
3668 | Nutstore.RegistryModifier.exe
3164 | nutstore_watchdog.exe
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Registers COM server for autorun 1 TTPs 31 IoCs
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | NutstoreClient.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | Nutstore.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Loads dropped DLL 41 IoCs
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | MsiExec.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 13 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 43 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 58 IoCs
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchApp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchApp.exe
Modifies Control Panel 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\Colors | NutstoreClient.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{068500D5-753F-4F70-838D-BAAAD6444583} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{068500D5-753F-4F70-838D-BAAAD6444583}\AppName = "Nutstore.exe" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{068500D5-753F-4F70-838D-BAAAD6444583}\AppPath = "C:\\Program Files\\Nutstore\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{068500D5-753F-4F70-838D-BAAAD6444583}\Policy = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\Nutstore | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\Nutstore\WarnOnOpen = "0" | msiexec.exe
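The entries in this report are easier to triage once they are split back into operation, path, value and process. The ElevationPolicy `Policy` value of 3 means Protected Mode Internet Explorer launches the named AppName (Nutstore.exe) at medium integrity without prompting (0 blocks it, 1 launches at low integrity, 2 prompts first), and `ProtocolExecute\Nutstore\WarnOnOpen = 0` suppresses the confirmation dialog for the `Nutstore:` URL scheme. The Python below is an added example, not part of the tria.ge report or of the Nutstore installer: it parses lines in the report's own format and applies a handful of triage rules. The rule names and the `RegEvent`/`Finding` classes are this example's own; the sample lines are copied from this report except the last one, which is constructed (placeholder CLSID and DLL path) so that the user-writable-path rule has something to fire on.

```python
"""Added example (not from the tria.ge report or from Nutstore): parse flattened
registry IoC lines into fields and run a few triage rules over them."""
import re
from dataclasses import dataclass
from typing import Optional

_OPS = ("Key created", "Key opened", "Key deleted", "Key value queried",
        "Set value (str)", "Set value (int)", "Set value (data)")
_LINE = re.compile(
    r"^(?P<op>" + "|".join(re.escape(o) for o in _OPS) + r") "
    r"(?P<path>\\REGISTRY\\\S.*?)"                   # key/value path; may contain spaces
    r'(?: = (?P<value>"(?:[^"\\]|\\.)*"|\S+))?'      # optional quoted value or raw hex data
    r" (?P<proc>\S+)$"                               # process that performed the operation
)
_USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# Meaning of Internet Explorer\Low Rights\ElevationPolicy\{guid}\Policy for the named AppName
_IE_POLICY = {"0": "blocked", "1": "launched silently at low integrity",
              "2": "prompted, then medium integrity", "3": "launched silently at medium integrity"}


@dataclass
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    proc: str


@dataclass
class Finding:
    rule: str
    detail: str
    event: RegEvent


def parse_line(line: str) -> Optional[RegEvent]:
    """One report entry -> RegEvent; the report's backslash escaping is removed from quoted values."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    value = m.group("value")
    if value is not None and value.startswith('"'):
        value = re.sub(r"\\(.)", r"\1", value[1:-1])
    return RegEvent(m.group("op"), m.group("path"), value, m.group("proc"))


def check(ev: RegEvent) -> list:
    """Triage rules for one event; rule names are this example's own."""
    parent, _, name = ev.path.rpartition("\\")       # "...\\Key\\" -> name == "" (default value)
    p, n, v = parent.lower(), name.lower(), (ev.value or "").lower()
    out = []
    if "\\internet explorer\\low rights\\elevationpolicy\\" in p and n == "policy":
        out.append(Finding("ie-elevation-policy",
                           "Protected Mode broker " + _IE_POLICY.get(v, "unknown value " + v), ev))
    if "\\internet explorer\\protocolexecute\\" in p and n == "warnonopen" and v == "0":
        scheme = parent.rpartition("\\")[2]
        out.append(Finding("ie-protocol-no-warning",
                           f"URL scheme {scheme}: opens without the IE confirmation prompt", ev))
    if (ev.op.startswith("Set value") and n == ""
            and p.endswith(("inprocserver32", "localserver32", "\\command"))):
        if any(w in v for w in _USER_WRITABLE):
            out.append(Finding("server-in-user-writable-path", f"runs {ev.value}", ev))
        if p.startswith("\\registry\\user\\") and not p.endswith("\\command"):
            out.append(Finding("per-user-com-registration",
                               "HKCU CLSID wins over HKLM for this user's non-elevated processes", ev))
    if ev.op == "Key created" and "\\authroot\\certificates\\" in ev.path.lower():
        thumb = ev.path.split("\\Certificates\\")[1].split("\\")[0]
        out.append(Finding("root-store-write",
                           f"AuthRoot entry {thumb}: confirm it is a known public root", ev))
    return out


def triage(lines) -> list:
    out = []
    for ln in lines:
        ev = parse_line(ln)
        if ev is not None:
            out.extend(check(ev))
    return out


# Sample input: lines copied from this report, plus one constructed InprocServer32 line
# (placeholder CLSID and path) so the user-writable-path rule has something to fire on.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{068500D5-753F-4F70-838D-BAAAD6444583}\Policy = "3" msiexec.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\Nutstore\WarnOnOpen = "0" msiexec.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\CLSID\{863363a7-072b-a31e-be95-409b6d390ae8}\LocalServer32\ = "\"C:\\Program Files\\Nutstore\\bin-6.3.1\\NutstoreClient.exe\" -ToastActivated" NutstoreClient.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe',
    r'Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\ = "C:\\ProgramData\\Example\\ext.dll" msiexec.exe',  # constructed
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.rule:30} {f.event.proc:22} {f.detail}")
```

The per-user rule is deliberately informational: registering a LocalServer32 under the user's own `_Classes` hive is normal for toast activation, but it is also the registry surface a COM-hijack persistence technique uses, so it is worth a glance at the target path.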
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust MaintenanceService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust MaintenanceService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs MaintenanceService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer MsiExec.exe Set value (int) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MaintenanceService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" MSI6219.tmp Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MaintenanceService.exe Key 
created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume MsiExec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d2610efb-0000-0000-0000-d01200000000}\NukeOnDelete = "0" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MaintenanceService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MSI6219.tmp Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MaintenanceService.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MaintenanceService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\ZoneMap\AutoDetect = "0" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MSI6219.tmp Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d2610efb-0000-0000-0000-d01200000000}\MaxCapacity = "15140" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MSI6219.tmp Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MSI6219.tmp Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MaintenanceService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MaintenanceService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d2610efb-0000-0000-0000-d01200000000} MsiExec.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com SearchApp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\NutstoreShellCopyHook\ = "{CA799F4D-4011-4142-83CA-42C71A61654C}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77263D69-CC9F-4F04-A4CD-CACC9AE3D775}\ = "Nutstore.COMLocalServer.ShellServices.ThumbnailProvider" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\CLSID NutstoreClient.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.md\ShellNew Nutstore.RegistryModifier.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A718C489AEFF82A4D8EC0CC6D9F68D3F\Language = "2052" msiexec.exe Set value (data) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nutstore.LightApp.nbmx\shell\open\command Nutstore.RegistryModifier.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A718C489AEFF82A4D8EC0CC6D9F68D3F\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\MuiCache 
StartMenuExperienceHost.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{8AF1464E-F6E9-4650-AE18-1BFC2505E769}\LocalServer32 msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{5D652B65-B702-496A-92BC-92C308251FEA}\InprocServer32 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{5D652B64-B702-496A-92BC-92C308251FEA} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{5D652B62-B702-496A-92BC-92C308251FEA}\InprocServer32 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.md Nutstore.RegistryModifier.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{CA799F4D-4011-4142-83CA-42C71A61654C} msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\CLSID\{863363a7-072b-a31e-be95-409b6d390ae8}\LocalServer32\ = "\"C:\\Program Files\\Nutstore\\bin-6.3.1\\NutstoreClient.exe\" -ToastActivated" NutstoreClient.exe Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" SearchApp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.md\ = "Nutstore.LightApp.md" Nutstore.RegistryModifier.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nutstore.LightApp.nol\shell\open\command Nutstore.RegistryModifier.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{77263D69-CC9F-4F04-A4CD-CACC9AE3D775}\ProgId msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A718C489AEFF82A4D8EC0CC6D9F68D3F\AI64BitFiles msiexec.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{863363a7-072b-a31e-be95-409b6d390ae8}\LocalServer32\ = "\"C:\\Program Files\\Nutstore\\bin-6.3.1\\NutstoreClient.exe\" -ToastActivated" NutstoreClient.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AF1464E-F6E9-4650-AE18-1BFC2505E769}\ProgId\ = "Nutstore.COMLocalServer.ShellServices.CustomStateProvider" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nutstore.LightApp.nbmx\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Nutstore\\icons\\nbmx.ico" Nutstore.RegistryModifier.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nutstore msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A718C489AEFF82A4D8EC0CC6D9F68D3F\MainFeature msiexec.exe Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "162" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.md\OpenWithProgids Nutstore.RegistryModifier.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nutstore\URL Protocol msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D652B66-B702-496A-92BC-92C308251FEA}\ = "NutstoreExt" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NutstoreLink\shellex\IconHandler msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8157" SearchApp.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A718C489AEFF82A4D8EC0CC6D9F68D3F\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nutstore.LightApp.ngm\DefaultIcon Nutstore.RegistryModifier.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nutstore.LightApp.nbmx\DefaultIcon Nutstore.RegistryModifier.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D652B65-B702-496A-92BC-92C308251FEA}\ = "NutstoreExt" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D652B64-B702-496A-92BC-92C308251FEA}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A718C489AEFF82A4D8EC0CC6D9F68D3F\ProductName = "Nutstore" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ NutstoreExt\ = "{5D652B62-B702-496A-92BC-92C308251FEA}" msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2212" SearchApp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{863363a7-072b-a31e-be95-409b6d390ae8}\AppId = "{863363a7-072b-a31e-be95-409b6d390ae8}" NutstoreClient.exe Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/Nutstore/bin-6.3.1/NutstoreClient.exe\CustomActivator = "{863363a7-072b-a31e-be95-409b6d390ae8}" NutstoreClient.exe Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" SearchApp.exe Key 
created \REGISTRY\MACHINE\SOFTWARE\Classes\.nol\ShellNew Nutstore.RegistryModifier.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7861E648-9771-4F39-A649-0DCEC644BCD6}\LocalServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D652B64-B702-496A-92BC-92C308251FEA}\ = "NutstoreExt" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\AppUserModelId\{6D809377-6AF0-444B-8957-A3773F02200E}/Nutstore/bin-6.3.1/NutstoreClient.exe\Has7.0.1Fix = "1" NutstoreClient.exe Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Nutstore.LightApp.nol\shell Nutstore.RegistryModifier.exe Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "129" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.nol Nutstore.RegistryModifier.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Nutstore.LightApp.ngm\shell\open\command\ = "\"C:\\Program Files\\Nutstore\\Nutstore.exe\" --nutstore-lightapp \"%1\"" Nutstore.RegistryModifier.exe Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9980" SearchApp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CA799F4D-4011-4142-83CA-42C71A61654C}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe Key 
created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D02B1311F008A3A4784648246BBD2007 msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchApp.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{8A7E484F-BA87-4E2B-BB9B-DE2085763500}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5D652B62-B702-496A-92BC-92C308251FEA}\ = "NutstoreExt" msiexec.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4
e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e87
1918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe -
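The Blob values above are Windows serialized certificate-context properties: a sequence of records, each a little-endian DWORD property ID, a DWORD that is always 1, a DWORD length and the data, with CERT_CERT_PROP_ID (0x20) carrying the DER certificate. Reading the visible hex, property 0x03 (SHA-1) is 2B8F1B57…AD8E, property 0x0B (friendly name, UTF-16LE) is "Sectigo", and the embedded certificate's subject contains "The USERTRUST Network" / "USERTrust RSA Certification Authority", so the key name is the thumbprint of a public root. Writing public roots into AuthRoot from inside the calling process is what CryptoAPI's automatic root update does when it builds a chain to a root not yet cached, which is the benign reading here; the check a practitioner wants is that the computed SHA-1 of the certificate bytes matches both the stored hash property and the registry key name, and that the thumbprint is one they recognise. The Python below is an added example, not from the tria.ge report or from Nutstore, that decodes such a Blob and performs that check. The property-ID names are taken from wincrypt.h, the known-root table holds only the thumbprint visible in this report, and the sample Blobs are constructed with a placeholder byte string in place of a real DER certificate.

```python
"""Added example (not from the tria.ge report or from Nutstore): decode a
SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value and sanity-check it."""
import hashlib
import struct

# CERT_*_PROP_ID values from wincrypt.h for the properties present in this report's Blob.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
    0x62: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}
# SHA-1 thumbprints accepted as known public roots.  Only the one visible in this report
# is listed; populate it from your own trusted source before relying on it for triage.
KNOWN_ROOTS = {
    "2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E": "USERTrust RSA Certification Authority",
}


def parse_blob(blob: bytes) -> dict:
    """Split a serialized certificate context into {prop_id: data}.

    Each record is <DWORD prop_id><DWORD 1><DWORD length><length bytes>, little-endian."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"property 0x{prop_id:02x} claims {length} bytes, only {len(data)} present")
        props[prop_id] = data
        off += length
    return props


def summarize(blob: bytes, key_name: str = None) -> dict:
    """Decode the interesting properties and check hash consistency.

    key_name is the registry key the Blob sits under (the thumbprint); when given it is
    compared with the SHA-1 computed over the certificate bytes, which is the value to trust."""
    props = parse_blob(blob)
    cert = props.get(0x20)
    if cert is None:
        raise ValueError("Blob has no CERT_CERT_PROP_ID (0x20) record")
    sha1 = hashlib.sha1(cert).hexdigest().upper()
    stored = props.get(0x03, b"").hex().upper()
    friendly = props.get(0x0B, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "friendly_name": friendly,
        "sha1": sha1,
        "sha1_matches_stored": sha1 == stored,
        "sha1_matches_key_name": key_name is None or sha1 == key_name.upper(),
        "known_root": KNOWN_ROOTS.get(sha1),
        "properties": [PROP_NAMES.get(p, f"0x{p:02x}") for p in props],
    }


def build_blob(records) -> bytes:
    """Inverse of parse_blob, used here only to construct sample input."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


# Constructed sample: a placeholder byte string stands in for a real DER certificate.
FAKE_CERT = b"\x30\x82\x00\x23constructed placeholder, not a real certificate"
SAMPLE_BLOB = build_blob([
    (0x0B, "Sectigo\x00".encode("utf-16-le")),    # same friendly-name encoding as the report
    (0x03, hashlib.sha1(FAKE_CERT).digest()),
    (0x20, FAKE_CERT),
])
# Same placeholder cert, but the stored SHA-1 claims the USERTrust thumbprint from the report.
TAMPERED_BLOB = build_blob([
    (0x03, bytes.fromhex("2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E")),
    (0x20, FAKE_CERT),
])

if __name__ == "__main__":
    # For a real entry: summarize(bytes.fromhex(<Blob hex from the report>), key_name=<thumbprint>)
    print(summarize(SAMPLE_BLOB, key_name=hashlib.sha1(FAKE_CERT).hexdigest()))
    print(summarize(TAMPERED_BLOB, key_name="2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E"))
```

The tampered sample illustrates why the hash is recomputed rather than read: the stored SHA-1 property and the key name are both attacker-controlled bytes in the registry, and only the digest of the certificate actually present under 0x20 says which root would be trusted.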
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
3868 | MsiExec.exe (6 entries)
4852 | msiexec.exe (2 entries)
3740 | MsiExec.exe (2 entries)
4756 | Nutstore.exe (2 entries)
3868 | MsiExec.exe (2 entries)
4756 | Nutstore.exe (2 entries)
3428 | MaintenanceService.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeSecurityPrivilege | 4852 | msiexec.exe
Token: SeCreateTokenPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeAssignPrimaryTokenPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeLockMemoryPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeIncreaseQuotaPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeMachineAccountPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeTcbPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeSecurityPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeTakeOwnershipPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeLoadDriverPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeSystemProfilePrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeSystemtimePrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeProfSingleProcessPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeIncBasePriorityPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeCreatePagefilePrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeCreatePermanentPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeBackupPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeRestorePrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeShutdownPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeDebugPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeAuditPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeSystemEnvironmentPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeChangeNotifyPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeRemoteShutdownPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeUndockPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeSyncAgentPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeEnableDelegationPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeManageVolumePrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeImpersonatePrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
Token: SeCreateGlobalPrivilege | 1484 | a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe
The same 29 privileges are requested a second time by pid 1484, and the listing stops at 64 entries after the first five of a third pass (SeCreateTokenPrivilege through SeMachineAccountPrivilege). These are the privileges named in AdjustTokenPrivileges calls; whether each was actually enabled depends on what the token already held, since the call succeeds with ERROR_NOT_ALL_ASSIGNED for privileges the token lacks rather than failing, so SeTcbPrivilege, SeDebugPrivilege or SeLoadDriverPrivilege appearing here does not by itself show they were granted.
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process (64 entries, identical rows grouped, count in parentheses)
1484 a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe (2)
2924 msiexec.exe (2)
4060 explorer.exe (56)
4684 NutstoreClient.exe (4)
-
Suspicious use of SendNotifyMessage 31 IoCs
pid Process (31 entries, identical rows grouped, count in parentheses)
4060 explorer.exe (26)
4684 NutstoreClient.exe (5)
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
3728 StartMenuExperienceHost.exe
4060 explorer.exe (2)
1844 SearchApp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (64 entries; identical rows grouped, count in parentheses)
PID 4852 msiexec.exe wrote to memory of 3312, procid_target 86 (3)
PID 1484 a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe wrote to memory of 2924, procid_target 87 (3)
PID 4852 msiexec.exe wrote to memory of 3868, procid_target 88 (3)
PID 4852 msiexec.exe wrote to memory of 3740, procid_target 89 (3)
PID 3740 MsiExec.exe wrote to memory of 976, procid_target 90 (3)
PID 976 cmd.exe wrote to memory of 2584, procid_target 92 (3)
PID 3740 MsiExec.exe wrote to memory of 3700, procid_target 93 (3)
PID 3740 MsiExec.exe wrote to memory of 4544, procid_target 95 (3)
PID 3740 MsiExec.exe wrote to memory of 4728, procid_target 101 (3)
PID 4728 rundll32.exe wrote to memory of 2624, procid_target 106 (2)
PID 3740 MsiExec.exe wrote to memory of 2696, procid_target 109 (3)
PID 2696 rundll32.exe wrote to memory of 4176, procid_target 110 (2)
PID 4852 msiexec.exe wrote to memory of 2108, procid_target 113 (3)
PID 2108 MSI6219.tmp wrote to memory of 1988, procid_target 115 (2)
PID 4852 msiexec.exe wrote to memory of 1464, procid_target 117 (3)
PID 4756 Nutstore.exe wrote to memory of 4684, procid_target 120 (2)
PID 1484 a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe wrote to memory of 4328, procid_target 124 (3)
PID 4328 cmd.exe wrote to memory of 4924, procid_target 127 (3)
PID 4328 cmd.exe wrote to memory of 1328, procid_target 128 (3)
PID 4328 cmd.exe wrote to memory of 4248, procid_target 129 (3)
PID 4328 cmd.exe wrote to memory of 3828, procid_target 130 (3)
PID 4684 NutstoreClient.exe wrote to memory of 2336, procid_target 138 (2)
PID 3428 MaintenanceService.exe wrote to memory of 3668, procid_target 140 (2)
PID 4684 NutstoreClient.exe wrote to memory of 3164, procid_target 143 (1)
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process
4924 attrib.exe
1328 attrib.exe
Processes
Tree depth is shown in brackets; a process is a child of the nearest process above it with a depth one less. Each entry lists the image path, the command line as captured, the signatures that fired for that process, and its PID.

[1] C:\Users\Admin\AppData\Local\Temp\a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe  PID:1484
    Command line: "C:\Users\Admin\AppData\Local\Temp\a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\msiexec.exe  PID:2924
        Command line: "C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Roaming\NutstoreClient\install\6D47603\Nutstore.x64.msi TRANSFORMS=:1033 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1668867623 " AI_BOOTSTRAPPERLANG="1033"
        - Blocklisted process makes network request
        - Enumerates connected drives
        - Suspicious use of FindShellTrayWindow
    [2] C:\Windows\SysWOW64\cmd.exe  PID:4328
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE6CE8.bat" "
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\attrib.exe  PID:4924
            Command line: C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\AIE6EEB.tmp"
            - Views/modifies file attributes
        [3] C:\Windows\SysWOW64\attrib.exe  PID:1328
            Command line: C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE6CE8.bat"
            - Views/modifies file attributes
        [3] C:\Windows\SysWOW64\cmd.exe  PID:4248
            Command line: C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE6CE8.bat" "
        [3] C:\Windows\SysWOW64\cmd.exe  PID:3828
            Command line: C:\Windows\system32\cmd.exe /S /D /c" cls"

[1] C:\Windows\system32\msiexec.exe  PID:4852
    Command line: C:\Windows\system32\msiexec.exe /V
    - Registers COM server for autorun
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\syswow64\MsiExec.exe  PID:3312
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding CCD2F145687A5DB439835C03A18A0A66 C
        - Loads dropped DLL
    [2] C:\Windows\syswow64\MsiExec.exe  PID:3868
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D20493FAF6CA888C4C37C3591F141F5D
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Windows\syswow64\MsiExec.exe  PID:3740
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1C2C10150C0296473183ED1E4A8CE9A1 E Global\MSI0000
        - Loads dropped DLL
        - Drops desktop.ini file(s)
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  PID:976
            Command line: /C "C:\Users\Admin\AppData\Local\Temp\{215118F2-7B2F-4EEF-844C-E84D43675603}.bat"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\chcp.com  PID:2584
                Command line: chcp 65001
        [3] C:\Windows\SysWOW64\cmd.exe  PID:3700
            Command line: /C "C:\Users\Admin\AppData\Local\Temp\{215118F2-7B2F-4EEF-844C-E84D43675603}.bat"
        [3] C:\Windows\SysWOW64\cmd.exe  PID:4544
            Command line: /C "C:\Users\Admin\AppData\Local\Temp\{215118F2-7B2F-4EEF-844C-E84D43675603}.bat"
        [3] C:\Windows\SysWOW64\rundll32.exe  PID:4728
            Command line: rundll32.exe "C:\Windows\Installer\MSI46DE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240600796 303 NutstoreCustomAction!NutstoreCustomAction.CustomActions.RunWithoutGUI
            - Loads dropped DLL
            - Drops file in Windows directory
            - Modifies data under HKEY_USERS
            - Suspicious use of WriteProcessMemory
            [4] C:\ProgramData\Nutstore\service\MaintenanceService.exe  PID:2624
                Command line: "C:\ProgramData\Nutstore\service\MaintenanceService.exe" install
                - Executes dropped EXE
        [3] C:\Windows\SysWOW64\rundll32.exe  PID:2696
            Command line: rundll32.exe "C:\Windows\Installer\MSI5F97.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240607125 309 NutstoreCustomAction!NutstoreCustomAction.CustomActions.RunWithoutGUI
            - Loads dropped DLL
            - Drops file in Windows directory
            - Modifies data under HKEY_USERS
            - Suspicious use of WriteProcessMemory
            [4] C:\ProgramData\Nutstore\service\NTFSWatcher.exe  PID:4176
                Command line: "C:\ProgramData\Nutstore\service\NTFSWatcher.exe" install
                - Executes dropped EXE
    [2] C:\Windows\Installer\MSI6219.tmp  PID:2108
        Command line: "C:\Windows\Installer\MSI6219.tmp" /RunAsAdmin /HideWindow "C:\Program Files\Nutstore\bin-6.3.1\NsExtInstaller.exe" install "C:\Program Files\Nutstore\bin-6.3.1\"
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files\Nutstore\bin-6.3.1\NsExtInstaller.exe  PID:1988
            Command line: "C:\Program Files\Nutstore\bin-6.3.1\NsExtInstaller.exe" install "C:\Program Files\Nutstore\bin-6.3.1\"
            - Executes dropped EXE
    [2] C:\Windows\Installer\MSI671B.tmp  PID:1464
        Command line: "C:\Windows\Installer\MSI671B.tmp" /DontWait "C:\Program Files\Nutstore\Nutstore.exe"
        - Executes dropped EXE

[1] C:\ProgramData\Nutstore\service\NTFSWatcher.exe  PID:4904
    Command line: C:\ProgramData\Nutstore\service\NTFSWatcher.exe
    - Executes dropped EXE

[1] C:\Program Files\Nutstore\Nutstore.exe  PID:4756
    Command line: "C:\Program Files\Nutstore\Nutstore.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files\Nutstore\bin-6.3.1\NutstoreClient.exe  PID:4684
        Command line: "C:\Program Files\Nutstore\bin-6.3.1\NutstoreClient.exe"
        - Executes dropped EXE
        - Registers COM server for autorun
        - Checks computer location settings
        - Loads dropped DLL
        - Modifies Control Panel
        - Modifies registry class
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files\Nutstore\bin-6.3.1\PostUpdater.exe  PID:2336
            Command line: "C:\Program Files\Nutstore\bin-6.3.1\PostUpdater.exe" --ADD_FIREWALL_RULE NutstoreDesktopClient "C:\Program Files\Nutstore\bin-6.3.1\NutstoreClient.exe"
            - Executes dropped EXE
        [3] C:\Program Files\Nutstore\bin-6.3.1\nutstore_watchdog.exe  PID:3164
            Command line: "C:\Program Files\Nutstore\bin-6.3.1\nutstore_watchdog.exe"
            - Executes dropped EXE

[1] C:\Windows\explorer.exe  PID:4060
    Command line: explorer.exe
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  PID:3728
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  PID:1844
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\ProgramData\Nutstore\service\MaintenanceService.exe  PID:3428
    Command line: C:\ProgramData\Nutstore\service\MaintenanceService.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files\Nutstore\bin-6.3.1\Nutstore.RegistryModifier.exe  PID:3668
        Command line: "C:\Program Files\Nutstore\bin-6.3.1\Nutstore.RegistryModifier.exe" --file-path=\"C:\Users\Admin\AppData\Local\Temp\tmp7937.tmp\" --placeholder=\"{{AppData}}:C:\Users\Admin\AppData\Roaming\" "--placeholder=\"{{AppDir}}:C:\Program Files\Nutstore\"" --placeholder=\"{{AllUsersProFile}}:C:\ProgramData\"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Modifies registry class
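The parent/child relations in the WriteProcessMemory list and in the process tree are easier to query than to read. The Python below is an added example, not code from tria.ge or from Nutstore: it rebuilds the tree from a hand-copied subset of this report's process rows (RECORDS, constructed here; the msiexec property list is cut short), assuming the page's nesting rule that a row at depth d is a child of the nearest preceding row at depth d-1, and then flags the three installer behaviours the tree shows: the WiX DTF managed custom actions that rundll32 runs out of C:\Windows\Installer\MSI*.tmp, the two services that register themselves from C:\ProgramData, and the bootstrapper batch file that deletes itself. The tuple format, function names and regular expressions are this example's own.

```python
"""
Rebuild a tria.ge-style process tree from (depth, pid, image, command line)
rows and flag the installer behaviours this report shows: WiX DTF managed
custom actions run through rundll32, services self-registering from
C:\\ProgramData, and a bootstrapper batch that deletes itself.
Added example, not tria.ge or Nutstore code; RECORDS is hand-built from this page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Proc:
    pid: int
    depth: int
    image: str
    cmdline: str
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a01b28949f0d3748fab82f68e37f78684db560e7fafa9d83c38263e733223625.exe"

# Constructed from the report's process list: (depth, pid, image path, command line).
# Depth is the nesting level shown on the page; the msiexec property list is cut short.
RECORDS = [
    (1, 1484, SAMPLE, f'"{SAMPLE}"'),
    (2, 2924, r"C:\Windows\SysWOW64\msiexec.exe", r'"C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Roaming\NutstoreClient\install\6D47603\Nutstore.x64.msi TRANSFORMS=:1033'),
    (2, 4328, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE6CE8.bat" "'),
    (3, 1328, r"C:\Windows\SysWOW64\attrib.exe", r'C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE6CE8.bat"'),
    (3, 4248, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE6CE8.bat" "'),
    (1, 4852, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    (2, 3740, r"C:\Windows\syswow64\MsiExec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding 1C2C10150C0296473183ED1E4A8CE9A1 E Global\MSI0000"),
    (3, 4728, r"C:\Windows\SysWOW64\rundll32.exe", r'rundll32.exe "C:\Windows\Installer\MSI46DE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240600796 303 NutstoreCustomAction!NutstoreCustomAction.CustomActions.RunWithoutGUI'),
    (4, 2624, r"C:\ProgramData\Nutstore\service\MaintenanceService.exe", r'"C:\ProgramData\Nutstore\service\MaintenanceService.exe" install'),
    (3, 2696, r"C:\Windows\SysWOW64\rundll32.exe", r'rundll32.exe "C:\Windows\Installer\MSI5F97.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240607125 309 NutstoreCustomAction!NutstoreCustomAction.CustomActions.RunWithoutGUI'),
    (4, 4176, r"C:\ProgramData\Nutstore\service\NTFSWatcher.exe", r'"C:\ProgramData\Nutstore\service\NTFSWatcher.exe" install'),
    (2, 2108, r"C:\Windows\Installer\MSI6219.tmp", r'"C:\Windows\Installer\MSI6219.tmp" /RunAsAdmin /HideWindow "C:\Program Files\Nutstore\bin-6.3.1\NsExtInstaller.exe" install "C:\Program Files\Nutstore\bin-6.3.1\"'),
    (1, 4756, r"C:\Program Files\Nutstore\Nutstore.exe", r'"C:\Program Files\Nutstore\Nutstore.exe"'),
    (2, 4684, r"C:\Program Files\Nutstore\bin-6.3.1\NutstoreClient.exe", r'"C:\Program Files\Nutstore\bin-6.3.1\NutstoreClient.exe"'),
]

def build_tree(records) -> Dict[int, Proc]:
    """Link rows by depth: a row at depth d becomes a child of the nearest
    preceding row at depth d-1, which is how the report nests its list."""
    procs: Dict[int, Proc] = {}
    stack: List[Proc] = []          # stack[i] is the latest process at depth i+1
    for depth, pid, image, cmdline in records:
        p = Proc(pid, depth, image, cmdline)
        del stack[depth - 1:]       # drop anything at this depth or deeper
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs[pid] = p
    return procs

def lineage(procs: Dict[int, Proc], pid: int) -> List[int]:
    """Root-to-process chain of pids, e.g. msiexec -> MsiExec -> rundll32 -> service."""
    chain: List[int] = []
    p: Optional[Proc] = procs[pid]
    while p is not None:
        chain.append(p.pid)
        p = p.parent
    return chain[::-1]

# rundll32 loading a DLL that msiexec extracted to C:\Windows\Installer\MSI*.tmp and
# calling the WiX DTF entry point: a managed (.NET) custom action, i.e. code of the
# installer author's choosing running with whatever privileges the install session holds.
MANAGED_CA = re.compile(r'rundll32\.exe\s+"?C:\\Windows\\Installer\\MSI[0-9A-F]+\.tmp"?,zzzzInvokeManagedCustomAction', re.I)

def managed_custom_actions(procs: Dict[int, Proc]) -> Dict[int, List[int]]:
    """Map each rundll32 pid that invokes a managed custom action to the pids it spawned."""
    return {p.pid: [c.pid for c in p.children] for p in procs.values() if MANAGED_CA.search(p.cmdline)}

def service_installs_from_programdata(procs: Dict[int, Proc]) -> List[int]:
    """'<exe> install' run from C:\\ProgramData rather than Program Files. Whether that
    tree is writable by standard users depends on the ACL the installer set."""
    return sorted(p.pid for p in procs.values()
                  if re.search(r'\.exe"?\s+install\b', p.cmdline, re.I)
                  and p.image.lower().startswith("c:\\programdata\\"))

def self_deleting_batches(procs: Dict[int, Proc]) -> Dict[int, str]:
    """cmd.exe running a .bat whose own child deletes that same .bat (the bootstrapper
    cleanup seen here, after attrib -r has cleared the read-only bit)."""
    hits: Dict[int, str] = {}
    for p in procs.values():
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = re.search(r'"([^"]+\.bat)"', p.cmdline, re.I)
        if m and any(re.search(r"\bdel\b", c.cmdline, re.I) and m.group(1).lower() in c.cmdline.lower()
                     for c in p.children):
            hits[p.pid] = m.group(1)
    return hits

if __name__ == "__main__":
    tree = build_tree(RECORDS)
    for rd, kids in managed_custom_actions(tree).items():
        print("managed custom action in rundll32", rd, "spawned", kids, "via", lineage(tree, rd))
    print("service installs from ProgramData:", service_installs_from_programdata(tree))
    print("self-deleting batch files:", self_deleting_batches(tree))
```

On this report the script attributes both service installs to the chain msiexec /V -> MsiExec -Embedding -> rundll32 -> service, which is the order the WriteProcessMemory list records. The ProgramData flag only says the service binary lives outside Program Files; before treating that as a privilege-escalation path, check the directory ACL on an installed host with icacls "C:\ProgramData\Nutstore\service" and confirm which account the registered services run under.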
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Filesize765B
MD5d2efa97c96c5b5469b52aff7acd1cbbe
SHA1106f2e994e0a2caa856d2883b7d5b6f2c0edda9a
SHA256793e789dced347b0be2f0032916602407b50f7e9f1e1660b6136d26c8ca21d4c
SHA512a83d2f26a48cd1668a083dd8e3c2aa187134bac939d2f234b46655f67a7dd1440aa04e7cfa21dffed7614b632dfef79917653e3eabdb46b56e19d60d969e1941
-
Filesize
50KB
MD59d169d4a9da2527dbb8145bf1fce1a50
SHA13498515db4562d4579a276347a2cf61efa3607c9
SHA2568ee3c19ed1e9849fdeb8743034127b61f3800b357fa2b3abb12ad956993af72e
SHA512db9a1c5e2f66ca9340521db5fdbcc5a9071a86cff58b8a27226703e5505ae7ce60523248230d7f8bbcd5307cf2e881ef6977851583b07954251ea0aaa320961e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize1KB
MD56bc47c7447a65b6a7f892f611704d8ff
SHA160aecc9a195719d6a053cc3ec2b5867814f2ac4f
SHA256835d473e490c4d2c61a0d9ce2d557ba843eb483f8669bdb9cdc2a16f125876b0
SHA5125a1e6c1acfb120e1b0e0aec6133dd28d5e8c63deb8040799b1f94ee450a95e9376fe2c7812c800533fbb9b76246291363ef6e453e716bbece0f6fde97ef4a31b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Filesize484B
MD5718271b428c83a32becaa24debb834f3
SHA16f6fc205b78a2a2293eb470353b9f96c208fbdde
SHA25672e6dd4294acc77aae51bb1dc95e983f15d0ef1d9b4ed041ca58f7627ab8e2e2
SHA5127617aa0648275fc567241891091fb29fe90ef83d757e7a60f381939f57b50b88735f6abf97607c1e73eeb27c40469a7230d3662136ee92f5e649b72bafe532c7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\43B41D246473AA455DCC6019A9AF9545
Filesize262B
MD5278e630328906c6c9ef5b4f0e93ceb80
SHA19151721929795e4c78f2fcbe1b5d7a65afe274ea
SHA2562ca56616451e36bcf708355c7c0192a79ec821aba61dd9c6bf7ed33289c2907c
SHA51286435267da7c6e28e04e37dc9b7ef6d2fb80931bdf72d88072943e32687b690ad23382830873709861cce8b9e879a48c6704a3f800369f1b63b36989145ea12a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize482B
MD5a0cd5d8b375d2a3728d9441845740247
SHA15097282d58f634086d159a66df61cb87f02062f3
SHA256246c7ce1c808b69ca3b1018afa07979c317fb3555c33819309408913f154d50e
SHA5124677bb45f7e40e83a875c1f8b75a00cdd998a018e7fa84b590e01537f8f04f987979874136cce933a05f1d35a9799240c6889d5aba84890328fda947b44d19a2
-
Filesize
61KB
MD5f37eb40ef051aa7fb0ea17338010bf2f
SHA1e6a4df05189e2b458e204ebd0eda09995e3452fc
SHA256cd310f46517a750bb12cd167abba7cecb2532b01d3a2370dc869f6b6a9309538
SHA51296cb7effc368ff97bb5f10a6e4288fd36f00399394ded3e63676aa718174ed54b8bb5ae92b248ce0cfa480d20e6c81ae52cdd602f642deb0f8f9e51d5558a201
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
824KB
MD5d3a99e1cb791ec417341786ced4fe265
SHA12a0fa45c8233d7a1a5efda8561ef3a69b31ec64e
SHA2569ff8ec467603ceed2d42f84bf96bf5f80770b6954e0ac0b482012f6b09c514dc
SHA512fb1346045fc711f7426e668ef8503313a4ea96ee6877e4ff2812bd583238bd11e94685cc7da00c653ba3bb25a201bccdecf9aefe49c6208e9e09bad8e3e3418b
-
Filesize
824KB
MD5d3a99e1cb791ec417341786ced4fe265
SHA12a0fa45c8233d7a1a5efda8561ef3a69b31ec64e
SHA2569ff8ec467603ceed2d42f84bf96bf5f80770b6954e0ac0b482012f6b09c514dc
SHA512fb1346045fc711f7426e668ef8503313a4ea96ee6877e4ff2812bd583238bd11e94685cc7da00c653ba3bb25a201bccdecf9aefe49c6208e9e09bad8e3e3418b
-
Filesize
104B
MD50a5b63c577c1432bce35a7ac86bfa7b7
SHA1d434489ac66691f8df9c5cd21f7fcd944e42ff7b
SHA256fd6c703cce9f1a29ba92011f5cd9394976105cd4dff910a90a795ff3148aaec3
SHA51293feb2c8a649413edd39cb03f533ba05b5711cf9817160e0a8ce0c6647cb5dd3033d8d7592dafc651975f0c4a9b9eb5e17691614d2f8b1df8cbd0540621610d9
-
Filesize
78KB
MD5ce06cc60d7ac6ad016c57bccf8caf339
SHA1c3b8c462c94717bd8f673aadc3e97c15ef59142d
SHA256ee39225b250e034fa194eea165fd6d88d81aa2fe92417f343c10c71d668dca97
SHA512ee4555de4b69927ea3fc13097faa11ebbe4091c6884bf5985e73b74189f63113db8866d2199c4df58fdf1eb41d7bbc2561701dd91455210c4f9550854850a119
-
Filesize
78KB
MD5ce06cc60d7ac6ad016c57bccf8caf339
SHA1c3b8c462c94717bd8f673aadc3e97c15ef59142d
SHA256ee39225b250e034fa194eea165fd6d88d81aa2fe92417f343c10c71d668dca97
SHA512ee4555de4b69927ea3fc13097faa11ebbe4091c6884bf5985e73b74189f63113db8866d2199c4df58fdf1eb41d7bbc2561701dd91455210c4f9550854850a119
-
C:\Users\Admin\AppData\Roaming\NutstoreClient\install\6D47603\AppDataFolder\Nutstore\icons\nutstore.ico
Filesize65KB
MD56bca7c583cde04ba15f31628c6eb4c8e
SHA13ccbafffdd4231d0e56069f6c570793e46809be4
SHA256abae8a80bd8874edbbdd022534f18b82dc3225f2158623d824b3c6b65a49ee52
SHA512e6e9494c961a7cdc5782c64f8115d4d39aa0dd29a3f642980cbe171cd95a5c330228fdc31f110abf9cb4dfbbc124a4a004ddf9bff468648bb1cffa80546dc9c6
-
C:\Users\Admin\AppData\Roaming\NutstoreClient\install\6D47603\AppDataFolder\Nutstore\icons\overlay\NutstorePending.ico
Filesize25KB
MD5c7e2d3d4709825efb4784491f31cb541
SHA17fdf68a79f4d5465e70888cdbfacb21983f515dd
SHA2566011e20a5d7928a712575557e59c87515c5f6695456944ff483d3453bcd4106f
SHA512f086e20c05804db382c717ca5658e5beae4656bf3f9fb7ddac81f19ae3a6b11e1ae857ba54c8c1c17059667f67858cf464b7fe8a5e9c6c9aaf51e01a22235bc4
-
C:\Users\Admin\AppData\Roaming\NutstoreClient\install\6D47603\AppDataFolder\Nutstore\icons\overlay\NutstoreReadonly.ico
Filesize19KB
MD54586a560170d0eec42c8845d8d3a69f4
SHA12c9e45c337b842ce3f3d9de8067142db2eee7bc3
SHA256f4bba0a775bd26828350796d513ac1c7918e48a65cca2b8efb2b8cdcb69b7022
SHA512ee61d058b53832686d0ccd372ac1b716f53db27d5d6506c3a384a3058b50f25294bacddc2cb27bb097d90b77feb9dc64784ca5f447705a6955c4f1b0aa212671
-
C:\Users\Admin\AppData\Roaming\NutstoreClient\install\6D47603\AppDataFolder\Nutstore\icons\overlay\NutstoreSyncing.ico
Filesize33KB
MD5b3f2aebd019d3ab0654d051137aa2533
SHA118e0fdb292901bb4a8b0f1e0afb111a5d21dd055
SHA256bef235ac62f6d52109e188183f8ab718f48964be60f88fba068d3a3f3622ac3b
SHA5122f8703e783696979737438412da3c9ac6256ac4e4035027bfbdeddb3c7aab2874916f8e4a43ee2b95dc612230f56997afa8ea4fb85057a9689ab8cd08f5df42b
-
C:\Users\Admin\AppData\Roaming\NutstoreClient\install\6D47603\AppDataFolder\Nutstore\icons\overlay\NutstoreUpToDate.ico
Filesize33KB
MD5b1c1dcc5f3972b1a208c63fb7fcebf33
SHA14e6c24c375e8738b18a305aabb2efa96a4061a68
SHA256d41c73196afac3a9ef65d535a83a971aa41fb91428821c5f80c8abb41d97143c
SHA51297ee8e33c944c2e3fef2f83d573019c0a52dc97c027eb31c685cab0def02c8c87a71d21ab298ebae06bd0bb73916645c42871492623fbc44ebff22a43fd76994
-
C:\Users\Admin\AppData\Roaming\NutstoreClient\install\6D47603\CommonAppDataFolder\Nutstore\service\x64\MaintenanceService.exe
Filesize205KB
MD5dcdc4b5e2f19d64e7f73b79d0ca1d335
SHA199096aa07fb1a6d7218b8466c86fe5f46ceb6a81
SHA2566ffa913fe7a35736b2874945be4ac5b608547edc9838275b46271a4bcba7da23
SHA512bf85b49a1069077581cfe0ad53e77f31f772c580de52cab636aadf5aff289db89a9d07e547e14f913e736bd378b05728d6c0c64d1b9776e35c85260239d0966b
-
C:\Users\Admin\AppData\Roaming\NutstoreClient\install\6D47603\CommonAppDataFolder\Nutstore\service\x64\NTFSWatcher.exe
Filesize405KB
MD502eb9926511ca71cf5799c4a1a060c6e
SHA1a8ce09535f3117c817fcf62c00422767f8124a39
SHA256227c3b707ed933a0de59740258d1299b400295e6313d2fae69c1bdbf3f18d43d
SHA51208699fc4d377599c44b8fd88aa056901c3ec67e5b34bc6b1ce24b12919e39e712c8c3aa63dc16eb68ad2a318e59695c5b4a38b82d45983990a461a02b0e0438a
-
C:\Users\Admin\AppData\Roaming\NutstoreClient\install\6D47603\CommonAppDataFolder\Nutstore\shellext\x64\NutstoreShell.dll
Filesize1.3MB
MD51de403db49fb28922c661cebfa019f93
SHA1e32d90c8d6786bde617546e7a1412ed1f6c5995e
SHA256530f64d7a6b901a420fc966f05ec6ac2a4b4d13dead60ea460a7b01f28c139de
SHA5127f77a3ccb13e1b8616b4de61d6e236c2312473ef53e080811aced751c4bbc9fd75b9e68cf00b1a17599427e2d6adb750776929466c9477f373537c2e9fa7a538
-
Filesize
3.6MB
MD5cd45afd8394697b298c902cb80b7a717
SHA1f6f0db17168ef6419e7cf7ff3a61237105042c14
SHA25696df20882dd05138b557e827447d76780955db720d885f445789dcd28fb331e2
SHA512141ee87ae6c5206050f671742c319ecc40c2a8caac6f9583add19fbc5556df4fc89c3e8554c4163afe4785b788ffa5022d48ddb1110ab12429e32963afa5295c
-
Filesize
8.3MB
MD55a6ebcd894de936b9af72bcab751b1b9
SHA1419f0f632047bc6b7b926d476cecf5f5a646b2ea
SHA2566d116173bc6c6eec2bdd2958f24fbf23c6bdccf8edb5f072f39ff686aa1ebbda
SHA5124f2bcf17c43fea0692c50c7c9c16eae46d0d399b426ab7cc40b5087845f416866a185fabf2126eb83c86379ba2848b0834350b305c7255619adaaf040e402b86
-
Filesize
6KB
MD5b734de483d3ebe268fe0fd2a37d21295
SHA18e578029bab7c8ea6992769397e9d610b6705232
SHA256445cd08805b81039dbb881f60772642ffa6dc707019cc8319e3d63a2aa348f39
SHA51296fef55551a7edaf8c1405cde302dae74b0461617865ee08d56c2af6c04b61b65cdc0f4ef42aad87cc6159bd9b04dd0f3c1aec25bac8e0644f4cba531ea582f1
-
Filesize
2KB
MD58347f8377bafdf3ede516442ce483890
SHA1e1cf16da325d52422aa05f594ee068a593053268
SHA256f58cea1607b05acd94c74fe63140a77f0d1a4ea567b8a3368c4a8df3be7451b4
SHA51287689f7c15e21f1875e40e36d45c5dcdeba70b67bc4f225b0b454280bff882391b3a140c8669949ab381a8f01aa2eda3176833bb0214ec5c90cabbc88e5c6cd7
-
Filesize
8KB
MD5514124dca08deb03a0816a2209b2568e
SHA120692d5f4cb9bd59d531f5592e783b9ca6866478
SHA256928c898d3f0bcff0b3817d57908fc2c5a1a087aabed57c6a1a68fd40f180a404
SHA5128c19625c1158ac26242999675d58468067ab48fe0496b27c71bd922860777c24a952cd7cddd488472d92c6cfdf39a85ca4b80d5ccc6164d71bec72a2ca8ee5fb
-
Filesize
9KB
MD59ffe111bb8ed707bdf1975d064b86f29
SHA1d8ca20dc6b86727f9d2c7f82ec262239ac370d3b
SHA2569dcfb54870d9b96a5adc55aebc5f29d45ebf41f8610fab20f1ae8d1fe36d468c
SHA512ee7b2adb1ecacc9f9e63e2e93e50bf0f9b0e6104a87d2e71649db338d67bf0d0bae15244c86c865bd0e33e7145195c52778208222c16ae06b2d8b448513f947f
-
Filesize
1.7MB
MD51288823e8e1fca09bb490ce46988188d
SHA1b07fe4a5d032296e3a7d0727216af8c1d2166e91
SHA2566514973856d1767ccb375dcb253400e710fb4f91feb758041d8defe92b1886c5
SHA51288967f64116951092a54118055eab462082f16676ea7565f42515e88765813b53cdfbba5181318e73b668e04ddd030a0bfcf5cf47936772f68df85488b865acd
-
Filesize
142KB
MD55bb472a6c7ee007d8145be9bd92efe5f
SHA12414e1ab2a8bdfaa57e734cd723ba75d1826b6e1
SHA256421611b58fc2fcfd9011ff10fe17c3476ac939d4989525174e7abfe54ed8d5a8
SHA512a43b026a2331ab663fd7b95d3cba39158db1ca6e29de0ca9937441bd36b874cf164e8203ac441148a4c68f0d0355d67c7ecb5763356acee28a9019256deea930
-
Filesize
473KB
MD5888e9c0aa75ddda1ea6363c6ed63dd1c
SHA1f1e0f349ad9070faf7be65f13455c997d5be9310
SHA2562c18e8b48b44d76d85e400ac22916f27787b11c5a97ea28877855e71293ab080
SHA512693e1db4cae82d65ce29cc567f6e233df6291dcb565fc26bb04cfcaa8c0d4242b71a0758ed0237f41b6291e17af8b5c5ac30882c57e79f2a8d818c696f427ea6
-
Filesize
182KB
MD5840bc325982bb8f88f09f672cc6caca2
SHA167f0e2da0c10a589fe17483fecf9763ff5dcfbeb
SHA2568401c8b1d587896bd21d37bde8b7134fba8c7c849b7db2257e7426203afab815
SHA5123375c90d7c28d8005f4c6b3734d29e28db695311d3a38a0a192856c85ca48f0caefad412fd3ede40eb7c55f8961c8caa98987cd9b98dd6ab7394bd541ad7951d
-
Filesize
182KB
MD5840bc325982bb8f88f09f672cc6caca2
SHA167f0e2da0c10a589fe17483fecf9763ff5dcfbeb
SHA2568401c8b1d587896bd21d37bde8b7134fba8c7c849b7db2257e7426203afab815
SHA5123375c90d7c28d8005f4c6b3734d29e28db695311d3a38a0a192856c85ca48f0caefad412fd3ede40eb7c55f8961c8caa98987cd9b98dd6ab7394bd541ad7951d
-
Filesize
182KB
MD5840bc325982bb8f88f09f672cc6caca2
SHA167f0e2da0c10a589fe17483fecf9763ff5dcfbeb
SHA2568401c8b1d587896bd21d37bde8b7134fba8c7c849b7db2257e7426203afab815
SHA5123375c90d7c28d8005f4c6b3734d29e28db695311d3a38a0a192856c85ca48f0caefad412fd3ede40eb7c55f8961c8caa98987cd9b98dd6ab7394bd541ad7951d
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
379KB
MD546563628970b87c0ae9710d8da84ee1e
SHA15dd411e309b28ecfc0894b0c51d4055f44adf025
SHA256b2572663cc77a33e8b59db4c62973242682b8ddbada4bdc281fad5c74e17862d
SHA512a1d2037b4fb16bc30a777ea890e81b0529e26a7e5b1164f88f3c5560faf80f8cafd181f0fd5a60779f6ec5de7d82231322cd5e674ea4b90a5a395266436a191c
-
Filesize
537KB
MD55567921a4297e132bc3969463e8e441d
SHA104ca7637e95739b3a00483e728826b56cb528500
SHA25606b2b422be2e1f35daec93cb6e08d6aed6339a51e864ba29fa105e9a274e8eb2
SHA5120e271f90003441b25faecb6d09a12e8d91bb90243afdef9e02a7af993b2574d7dca9803b998879982ec65db7e588dbb102d2aea5d730f91a1b0c3bd1bb6ec983
-
Filesize
537KB
MD55567921a4297e132bc3969463e8e441d
SHA104ca7637e95739b3a00483e728826b56cb528500
SHA25606b2b422be2e1f35daec93cb6e08d6aed6339a51e864ba29fa105e9a274e8eb2