e2f4ac2297fd71094aeb931c4591a232154ac669f71586fbd8ec5e1df5b0fd01

Resubmissions

09/01/2023, 16:39

230109-t5zyzaad2s 8

09/01/2023, 16:35

230109-t31gqaac9w 8

Analysis

max time kernel
252s
max time network
175s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
09/01/2023, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wazuh Install.ps1
Size

296B
MD5

3f99c05d4b660bac5a9b6d8deecd88a2
SHA1

1e03681fd9d31ad38884f71ef2580ffac66f4f6e
SHA256

e2f4ac2297fd71094aeb931c4591a232154ac669f71586fbd8ec5e1df5b0fd01
SHA512

4051931263429a11906a74b284c786459ec15e26095b9e7a6535df04bf8791d4107b23dd1cd5fc21e02fb7d1ac58a63d363d6fc7ae5b6cecb115a8283d256ac8

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	2016	powershell.exe
5	4828	msiexec.exe
7	4828	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
3928	win32ui.exe
632	wazuh-agent.exe
1448	win32ui.exe

Loads dropped DLL 13 IoCs

pid	Process
384	MsiExec.exe
384	MsiExec.exe
384	MsiExec.exe
5100	MsiExec.exe
5100	MsiExec.exe
3928	win32ui.exe
3928	win32ui.exe
632	wazuh-agent.exe
632	wazuh-agent.exe
632	wazuh-agent.exe
632	wazuh-agent.exe
1448	win32ui.exe
1448	win32ui.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3412	icacls.exe
1952	icacls.exe
656	icacls.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ossec-agent\dbsync.dll	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\libwazuhext.dll	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\libwazuhshared.dll	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\rsync.dll	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\shared\win_applications_rcl.txt	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\win32ui.exe.manifest	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\libgcc_s_sjlj-1.dll	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\active-response\bin\route-null.exe	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\wazuh-agent.exe	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\agent-auth.exe.manifest	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\manage_agents.exe	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\shared\rootkit_files.txt	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\queue\syscollector\norm_config.json	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\sysinfo.dll	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\active-response\active-responses.log	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\libwinpthread-1.dll	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\syscollector.dll	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\shared\win_audit_rcl.txt	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\local_internal_options.conf	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\active-response\bin\netsh.exe	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\vista_sec.txt	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\client.keys	MsiExec.exe
File created	C:\Program Files (x86)\ossec-agent\LICENSE.txt	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\REVISION	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\profile.template	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\win32ui.exe	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\internal_options.conf	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\ossec.conf	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\active-response\bin\restart-wazuh.exe	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\shared\rootkit_trojans.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\ossec-agent\ossec.log	wazuh-agent.exe
File created	C:\Program Files (x86)\ossec-agent\agent-auth.exe	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\help.txt	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\VERSION	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\shared\win_malware_rcl.txt	msiexec.exe
File created	C:\Program Files (x86)\ossec-agent\wpk_root.pem	msiexec.exe
File opened for modification	C:\Program Files (x86)\ossec-agent\ossec.conf	MsiExec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI303E.tmp	msiexec.exe
File created	C:\Windows\Installer\e56e1ad.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56e1aa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI19B2.tmp	msiexec.exe
File created	C:\Windows\Installer\{C50019C4-068F-4D30-ACB2-574C8FFE21C8}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI238B.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A01.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CC1.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1FA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C50019C4-068F-4D30-ACB2-574C8FFE21C8}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\e56e1aa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C50019C4-068F-4D30-ACB2-574C8FFE21C8}	msiexec.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\ProgId = "AppX90nv6nhay5n6a98fnetv7tpk64pp35es"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_https = "1"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\Hash = "THG97ZoIHbc="	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\PackageCode = "0ED5571178668F4439479D66BF35B946"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\75CA594FEDB7B4C4298DBD4EA0A95A0A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\75CA594FEDB7B4C4298DBD4EA0A95A0A\4C91005CF86003D4CA2B75C4F8EF128C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4C91005CF86003D4CA2B75C4F8EF128C\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\ProductName = "Wazuh Agent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\SourceList\PackageName = "wazuh-agent-4.3.9.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4C91005CF86003D4CA2B75C4F8EF128C	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\Version = "67305481"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\ProductIcon = "C:\\Windows\\Installer\\{C50019C4-068F-4D30-ACB2-574C8FFE21C8}\\icon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4C91005CF86003D4CA2B75C4F8EF128C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2016	powershell.exe
2016	powershell.exe
2016	powershell.exe
4828	msiexec.exe
4828	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeShutdownPrivilege	3700	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3700	msiexec.exe
Token: SeSecurityPrivilege	4828	msiexec.exe
Token: SeCreateTokenPrivilege	3700	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3700	msiexec.exe
Token: SeLockMemoryPrivilege	3700	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3700	msiexec.exe
Token: SeMachineAccountPrivilege	3700	msiexec.exe
Token: SeTcbPrivilege	3700	msiexec.exe
Token: SeSecurityPrivilege	3700	msiexec.exe
Token: SeTakeOwnershipPrivilege	3700	msiexec.exe
Token: SeLoadDriverPrivilege	3700	msiexec.exe
Token: SeSystemProfilePrivilege	3700	msiexec.exe
Token: SeSystemtimePrivilege	3700	msiexec.exe
Token: SeProfSingleProcessPrivilege	3700	msiexec.exe
Token: SeIncBasePriorityPrivilege	3700	msiexec.exe
Token: SeCreatePagefilePrivilege	3700	msiexec.exe
Token: SeCreatePermanentPrivilege	3700	msiexec.exe
Token: SeBackupPrivilege	3700	msiexec.exe
Token: SeRestorePrivilege	3700	msiexec.exe
Token: SeShutdownPrivilege	3700	msiexec.exe
Token: SeDebugPrivilege	3700	msiexec.exe
Token: SeAuditPrivilege	3700	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3700	msiexec.exe
Token: SeChangeNotifyPrivilege	3700	msiexec.exe
Token: SeRemoteShutdownPrivilege	3700	msiexec.exe
Token: SeUndockPrivilege	3700	msiexec.exe
Token: SeSyncAgentPrivilege	3700	msiexec.exe
Token: SeEnableDelegationPrivilege	3700	msiexec.exe
Token: SeManageVolumePrivilege	3700	msiexec.exe
Token: SeImpersonatePrivilege	3700	msiexec.exe
Token: SeCreateGlobalPrivilege	3700	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3928	win32ui.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 3700	2016	powershell.exe	67
PID 2016 wrote to memory of 3700	2016	powershell.exe	67
PID 4828 wrote to memory of 384	4828	msiexec.exe	70
PID 4828 wrote to memory of 384	4828	msiexec.exe	70
PID 4828 wrote to memory of 384	4828	msiexec.exe	70
PID 4828 wrote to memory of 5100	4828	msiexec.exe	72
PID 4828 wrote to memory of 5100	4828	msiexec.exe	72
PID 4828 wrote to memory of 5100	4828	msiexec.exe	72
PID 5100 wrote to memory of 1952	5100	MsiExec.exe	77
PID 5100 wrote to memory of 1952	5100	MsiExec.exe	77
PID 5100 wrote to memory of 1952	5100	MsiExec.exe	77
PID 5100 wrote to memory of 656	5100	MsiExec.exe	79
PID 5100 wrote to memory of 656	5100	MsiExec.exe	79
PID 5100 wrote to memory of 656	5100	MsiExec.exe	79
PID 5100 wrote to memory of 3412	5100	MsiExec.exe	82
PID 5100 wrote to memory of 3412	5100	MsiExec.exe	82
PID 5100 wrote to memory of 3412	5100	MsiExec.exe	82

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Wazuh Install.ps1"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\system32\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\wazuh-agent-4.3.9.msi /q WAZUH_MANAGER=https://15.223.54.214 WAZUH_REGISTRATION_SERVER=https://15.223.54.214 WAZUH_AGENT_GROUP=default
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:3700

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5E72917A5399E6828550D203532617BA
  2⤵
  - Loads dropped DLL
  PID:384
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8737E2EBB4419D7BED002F3A0AAC050B E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\SysWOW64\icacls.exe" "C:\Program Files (x86)\ossec-agent" /inheritancelevel:d /q
    3⤵
    - Modifies file permissions
    PID:1952
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\SysWOW64\icacls.exe" "C:\Program Files (x86)\ossec-agent" /remove *S-1-5-32-545 /q
    3⤵
    - Modifies file permissions
    PID:656
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\SysWOW64\icacls.exe" "C:\Program Files (x86)\ossec-agent\ossec.conf" /remove *S-1-1-0 /q
    3⤵
    - Modifies file permissions
    PID:3412

C:\Program Files (x86)\ossec-agent\win32ui.exe
"C:\Program Files (x86)\ossec-agent\win32ui.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3928

C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
"C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:632

C:\Program Files (x86)\ossec-agent\win32ui.exe
"C:\Program Files (x86)\ossec-agent\win32ui.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ossec-agent\LICENSE.txt

Filesize
24KB

MD5
5e00009dd32973aba7edcf6f5fd74686

SHA1
71869a9dbd25b9c49c40acc430c92ed2d704a9b5

SHA256
627f7ee4bcbcb7d4379bb07ea6153c85d4071db6849234acb60f4e2713e4b57c

SHA512
d600ac8ab4969cbfa0c0669ccf1c03574bf899bc88e94b30f1c30a49ec14acd5683ad17a81ba1182afb4a31f0b17f6eae84ae819c1213604968c683fa4df70bc

Download Submit
C:\Program Files (x86)\ossec-agent\REVISION

Filesize
7B

MD5
01fba00624f21927c53f3f1faee3bd07

SHA1
9be7eeabef10c890c74192bc88e4997e9cceb33c

SHA256
29099c956797412330a6142fc31173ec0623821a8873cee9deadc1cd55fce2b6

SHA512
55a3cdbb964c20fe2d404ef3e046b622213a632844ad76244aee3c1fdff375eef4a46fdf4644073233e3c1694f8d5692a01207a40154412fc3e6ce6982978b44

Download Submit
C:\Program Files (x86)\ossec-agent\VERSION

Filesize
8B

MD5
d86f8cab676d51ea3db979bbb5b6e069

SHA1
5ad425ae7438b71027c7a724f9a6125f577b9d51

SHA256
2f00155f83e6494814d46ac965d64a7e86e8c2636145af308417f2f64b663b6a

SHA512
1d2f9c5cb5c6ba66a5bd51a91d394db39f1a0c38accb0ced0786f75a34499c5c833fcdc50fcf825332002de9639679a309fcbe23f87993b570a9284ce22c7437

Download Submit
C:\Program Files (x86)\ossec-agent\active-response\bin\netsh.exe

Filesize
51KB

MD5
9ec751519a4b477f709cc2d9fd26ca67

SHA1
2cc011eb3e2501a653a62f78eea91fe5196aa6c8

SHA256
abf9328aae3de17f78743beefe8cb40a621ce41e07e801e4ab60625c7a7d0151

SHA512
8b958755033a41ffcb5e8a00dfc8fbaddd412d9f8cdd9713ef543b91d373dd302b79d22fe651799480d5a17a810c756010b18640a6ed89f19d04a6913489ccd3

Download Submit
C:\Program Files (x86)\ossec-agent\active-response\bin\restart-wazuh.exe

Filesize
49KB

MD5
211c7305b39db2348694dca810725851

SHA1
50a3c54f1ec4ff37870ec451340fdb335473d615

SHA256
05e72cfe48967edd8528484d31b5b9251c0df99ae830a676a7e19332732eb745

SHA512
e8db17880c42cfeba445aea0fcfca4da8fb839d9753d5f8b345cc3e056dfc778cbb4ff197f0bd0b08fa632bdaeef37d0d86cbe9d98ba8a9d82cda5b756bf3567

Download Submit
C:\Program Files (x86)\ossec-agent\active-response\bin\route-null.exe

Filesize
51KB

MD5
95bd8302c1100fe0a5e75ed29603d2d6

SHA1
5dfc5ad09ff155a01a5b78df1c15969fd20011cf

SHA256
1a7423592285d6509afa344c962576f2e5d224f2ec47f645221d990ec68904f3

SHA512
2700832f601d963c48f778a98eef378c6a88179a14350f31ab8796968e80dbfa5375fcbe5cce4d5c0afdc63f9b412053ca421cbc73a7e36fb206e120f7fc815e

Download Submit
C:\Program Files (x86)\ossec-agent\agent-auth.exe

Filesize
984KB

MD5
cc8fa7fd682b155a2e12be4a90475662

SHA1
b1cbd3e7a50ad1db06dbb1f6574e28888d0d17f3

SHA256
5da7ce40580a6dff9178315b388ccbb6c7abd088462e359e6a41a3b385a78e98

SHA512
6c3c80849e0e1d162801793538714a41ee8b02efa044565dab165cdc7447bfaef2dfafd938984545fb1fd6e0b51663d550242ead08a32553879f9d83a9407daf

Download Submit
C:\Program Files (x86)\ossec-agent\agent-auth.exe.manifest

Filesize
362B

MD5
117d2609541bd8c1bf1406361a7ad5b6

SHA1
47e4dfd693d5a25cfce8667fd1174a2456b8e5c7

SHA256
99faa2a656f93acde5ae69324adcdbe36d11f62d57ce6e44845e5c3375442700

SHA512
c3184e345dcbdd923074daa6f436ece1101e9bbe165d62c8b003ce540cb435bd117011429772a2e2d1ac729f736741aa5275e6eba650905051bb0a891a431699

Download Submit
C:\Program Files (x86)\ossec-agent\dbsync.dll

Filesize
1.3MB

MD5
21ff681d01cc5c03966c51c149772f26

SHA1
ac8bd676c49554603e15fc3ea62b52703ee662d6

SHA256
f73b906f49733b4a81d29e53091333ae784091d0359d5000f84131fc7ac87823

SHA512
408719451f3ed161699a99ae9a5364d8793af23609e0545b6bf4b7022f8ca3e49bc54108b2f3fc1c39bfaf2a5825dc8b58132651d90ebf60d02e980ca6516723

Download Submit
C:\Program Files (x86)\ossec-agent\help.txt

Filesize
1KB

MD5
a26c339bd82408d825014df029cc5c38

SHA1
1dc6da0952ab677e1211973922c26f5e94fdf057

SHA256
52a0231adc9929645a8e03b206709e236c9c2a3c25514efa258205f482974e7e

SHA512
2940ced7b5c51f045a6204613aeffbe368fe601bbed891da61b045436b03e95d9eaec81705c9bc27226b40fbd816b30cac97ddf4b6fbaf09ae259bf1f0bb9b2b

Download Submit
C:\Program Files (x86)\ossec-agent\internal_options.conf

Filesize
13KB

MD5
a2128996f348bf1af12ee888b270b013

SHA1
e60a706520839d538e41a3cc6f10bbb1100830f5

SHA256
e5a063be29f8ee0240a282801a877daa9c1663f161ce51d5fe19fddb51bf391f

SHA512
c266026a7d726e9dda2bd5ee173f9ed4593d5088857cb2cb4ce1a9b21913f8dee4930d9aa001951b7759235ec1b7d4b4a08f75fab917d91a0e0e3bb646dcac17

Download Submit
C:\Program Files (x86)\ossec-agent\libgcc_s_sjlj-1.dll

Filesize
1.1MB

MD5
286eb682e1f12dec3f3f87f28549b4d9

SHA1
698f502ac4e0cb9e7f4d1c33f3ed2f94bf4bc9be

SHA256
0272903695816b7e0a38b58c2fbb2bcf7e2160d086708949ba8320e6d128d250

SHA512
fa31cfd03127a4a0c0d63ca160d5eacc11bd610fb12929bf913a543dfdb0a4fd21c40b2753cc160f9c80a0c0866bba422195d08f283c94a7f2a1ab40d62ce01f

Download Submit
C:\Program Files (x86)\ossec-agent\libwazuhext.dll

Filesize
5.8MB

MD5
cc44f1c90deff94e74176917849049c3

SHA1
f0549781ff5790103b6caf367a47883a0cb02275

SHA256
b3158684506ad2ffabf92204cb43802e87500c0157ed2088ff9a98f4b303661b

SHA512
e59d315986cb41f7554bab5ddb0b3827b97ea487af5cc4eef614a53e4b6521d630dce816db7a59b195af016556844685e5b9ab143af13d5f62f5fc86eefef652

Download Submit
C:\Program Files (x86)\ossec-agent\libwazuhshared.dll

Filesize
821KB

MD5
ddaaea7f370db9355730a0f3281abe07

SHA1
986b9b3140f737fe2177ec131b35c45e2dde7db9

SHA256
ba1aaf0c8ffc089e8baa5eb76b62149f90f1a892e877404d75a384d300c9cb55

SHA512
75922958d57ec09a6052f3f79b3d118e9bf1c40fd9abc48db7d911df5dea6cc897df92303ef19f085487d217e238a4de6cf364b2fede871e13e544a7ed279dde

Download Submit
C:\Program Files (x86)\ossec-agent\libwinpthread-1.dll

Filesize
521KB

MD5
53ce6172f0599ba89f1304648c369538

SHA1
d3bcd248fe7d885049d38998db5ccd015c35ce83

SHA256
7629e55349b088efd49e31545cf5a403a945fbb342500525e2fab3c46505b069

SHA512
c127644955afdf598345eb7a5c9966e9a2a53da2854d180cd112c762b98911de3edeaf0dbfa6ceec81930be4ec92cabfab17811bf0cf04b4d432e86b5ba93841

Download Submit
C:\Program Files (x86)\ossec-agent\local_internal_options.conf

Filesize
383B

MD5
53dd192b3c0cfbd6607af8cc38bd5740

SHA1
ab367952ca2d929fc303554fb507fe842810fb58

SHA256
c82f2c775d00615ce7a7c9ef0078b30f3e25c9fef1c334206fb15ec0e9a5d643

SHA512
04ff7d01881bac42a05b701eafe7695e57a30cd8ac8971d6de3a8f8ceb8bbe69f2d88125bec42e4adfa29c63c1fbc1f97e864f3639b6f217fd0c2154b0318252

Download Submit
C:\Program Files (x86)\ossec-agent\manage_agents.exe

Filesize
981KB

MD5
bf04ae56ebe1ea970e6d7aa3826fdc94

SHA1
3670cbb4720b983149a990a21b7072f45c11b98c

SHA256
3a037249ad76841016e48b77032c3662eb87afc893c41899ff440e4fcf9dbe1b

SHA512
7b8d50d038e723e59696eed7f0305e982a27e6fbb3fe38469f585d9bb970f85029605410ae96895d93f9dd45b346cf9d81514203d92fe84ba7718e0575b060bb

Download Submit
C:\Program Files (x86)\ossec-agent\ossec.conf

Filesize
9KB

MD5
6e78dd8a4c637a7827689b36bf31b9df

SHA1
a32c9c8680645928509d3664eff7c2d922c9f123

SHA256
f524ee493b9b4876cce9844fdb4dfa8fd30330f575a6c9faa57895e840d12cae

SHA512
0867925886ba91b2ac064a0c08fd84ef4989e5e874558864f75e0e6e02305f4b323ad9c40416601c86e5128f645c94ae916bd1d5fa8f11f3b5198a82bca33500

Download Submit
C:\Program Files (x86)\ossec-agent\ossec.conf

Filesize
9KB

MD5
194e2bd9249251c9e37d3051f51e7026

SHA1
fa3da52d04dd67025ff9dd4ace0d4337d7c80646

SHA256
bdc37fd062573ff274e02cd74eb2cefcf9dfd11d6336730812130e01179b0899

SHA512
81b0e45171eb8fe53c08ed35fce76649f04c4db1ad78dcaa6885ce72430feaa790cc9ff87ed258550d1f6c4d213e3e14d50e20686e5530d2200eae6f82308292

Download Submit
C:\Program Files (x86)\ossec-agent\profile.template

Filesize
51B

MD5
fd477606674c58e501eed0cb78dd3205

SHA1
0f2a28a2f20ae3a1d5b2cbe338b8808416733b63

SHA256
7369c283566c010bf8b4aaafacf8e4339907a90a247f1956e2575e251a37971c

SHA512
d4d1bc4411823aececd61550eaf0240bfe28b5e183fce48103ed91de0e6128a85d23486cb68bfc9f442bc7719ffc95cdb481fa8551d660cb4735a9797ff3a9fb

Download Submit
C:\Program Files (x86)\ossec-agent\queue\syscollector\norm_config.json

Filesize
4KB

MD5
d619e8d5dfab6cbec9c7751bf59254a3

SHA1
d8b3f36b740fbda34101358aea01279715f3a719

SHA256
c1bed0e93ed291b533ac6a4739c5f4618668c8690c243248ed9ace6a553e1499

SHA512
d7b271d901e7b8a226318d2c4a9dfea5d940a247f9c324c7dc6ac913463eabafe442b40912f9e3c801b60628ab7a18512c1d91c7f255eb42e70d992f6970a36c

Download Submit
C:\Program Files (x86)\ossec-agent\rsync.dll

Filesize
1.1MB

MD5
31d451667bed530c8ea3d873a9e288ba

SHA1
c75c358c0ac2a341b9a30bb561a0faccc8421381

SHA256
ee5087fa080d1513a84e875e36b48a875b358fc05977ce6e1cfc1764376dc403

SHA512
63e1693b3f56b454a09c1dfea1a9a233b7ea2cc6d0282599ed5b43966a79f1798d4d73d5897afd3107c2c06d6b0c7768b7909d2edbb72b2734f2e164ec4763f6

Download Submit
C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml

Filesize
665KB

MD5
18a3ae2b5903f6eecbd7012ae138bd3b

SHA1
1e571f1946a60c3e60416b782f83c0e993380f50

SHA256
0b4f03cd759c81045fdab3ea741071e378e42bf8bb3734b572ef6c23e6af7272

SHA512
1adc028c506e1926b10773358345202516b6c815d58c96b277b9324ed962f7304f6f841b0dac0cc17f8215c7e266007d48af84ce7dd4c595cc05d7cfe5c6f9f4

Download Submit
C:\Program Files (x86)\ossec-agent\shared\rootkit_files.txt

Filesize
15KB

MD5
6943964a87d768d8434fffbaceda89f2

SHA1
e2630ad90fb9a23a7146e18d96cb1343d585d17f

SHA256
a823bf4677d27a5e0d88afebc31b059460010db6645aa95ab7137d8445501789

SHA512
6b68fbc74aee2ed3d2bc47a8e09490b11b73cd7ad096a27488f3f2d0646213869e5ef45aa2041fef08036943677803186f44d5201588242d3166c85a1e67a3b0

Download Submit
C:\Program Files (x86)\ossec-agent\shared\rootkit_trojans.txt

Filesize
5KB

MD5
0f4ccc3a78b7989644d0d85b2a888a6b

SHA1
af73b2c29cc49b2930682de82374fcfae8e3b9e9

SHA256
40066a05f25605cc2893235a84866df07ee03e7d05dbdab2f6cb8e87bebc1513

SHA512
eb80389e6fd30582a822e20a0fca7a47dac5ac34ad80a77a8fb24829d3ab1871a7b88bf84ee53b87ed3b7d2fe0edad8791dc9a26920fd2393248fd1cde35d3a7

Download Submit
C:\Program Files (x86)\ossec-agent\shared\win_applications_rcl.txt

Filesize
5KB

MD5
ea5686ce6eafe5268bdba42ea367ec17

SHA1
33089b929d414cdd8cad7132ff96b1f83af205f3

SHA256
e6eac64d84b9684646b49bede4a8cff0b8d8254932490bea520257a17b136f23

SHA512
27629d5faad380fe20a56b1872664b1fd7bbf5cf7b1f47a1c8b603df86af6f1071588b689d6af15dd9f46ff044ebf8fb30a7093989c7903a4bfb800a996d12d6

Download Submit
C:\Program Files (x86)\ossec-agent\shared\win_audit_rcl.txt

Filesize
4KB

MD5
7081a34961d9d0244a0238d4000b9821

SHA1
8bf8eceee41eb5302765b3d238e2381f678207da

SHA256
6e7f3a7b7a8577d4d52871e2a925d849441f0a3bc5a03dd2f253aeac5fce513f

SHA512
b5777dd5e74693b6438cada901f0e8e2dcab6a41d42f66e7735281476ca4c34544f4cab08ec8343b82aca2444129205b18a68fcfbe9b4a7960f2a567ff82afdf

Download Submit
C:\Program Files (x86)\ossec-agent\shared\win_malware_rcl.txt

Filesize
7KB

MD5
dce0fd97a51f6a03ee2529c9a7c78fc0

SHA1
d363dbc08c6f029eeff207e01b48d53205c5dc93

SHA256
eae12dfc34c127aae18916c6c5868343503e32667e094c0db1990fa180f8d95a

SHA512
c70636bc330b8d191ee66ab1b95b130fd22ba35b6a5c82508d94c5b73d5da306d1bbccfdadc3abf2939961e2f4e1b2e42a83519c182a2cf9f4bb0c445ae0cb95

Download Submit
C:\Program Files (x86)\ossec-agent\syscollector.dll

Filesize
1.3MB

MD5
4743505679190aa444ad78269d710268

SHA1
54bb1f453b18a82e15347b071dfb819df1b5fa0a

SHA256
d0abcc327c08c822be477102abad0c95f263d0fface6043fd985e00b5b14d747

SHA512
1ee1b722447f1827c5bf2364a2570333e1b8e901df300c929baa275bc996b0bfdc917d1db20640cfd549fc5360784a61a06d7b7216d3feac4bac0efa8e44e861

Download Submit
C:\Program Files (x86)\ossec-agent\sysinfo.dll

Filesize
1.2MB

MD5
77ae19002f0f8d06b2b633cb32b6dab1

SHA1
fe81e9a39a1feef7c7a067ac95147ff4e251cd04

SHA256
48eeb374ccf840e2da3dfb719e2544cde0bdb4e5bfe7e26bc2a11c5c73f7db35

SHA512
1d9087e89462ab64872f7f5ea303290a605c8d85bcb7d6f4437b38f779c8c4ddfeebbe38c85f16dd6b3656b061cf9b522b51d9775999fddf854b93dd0f00012a

Download Submit
C:\Program Files (x86)\ossec-agent\vista_sec.txt

Filesize
91KB

MD5
23ef377d75222d3bb2478da1b4dd10db

SHA1
f47aa59efbf95cc4805b9a67283587b89748eb86

SHA256
959e24695bd8f39fe6c5882d43e7a08c9c69a0a7a92a6b8673c3ca25e2d2b57c

SHA512
540b710acc378e6ad294314fe6f4968043f459fec6428a4a67a19b66a6630ebfbb56257080491fd1c9a5d5a4c07e62ed20157cebe0faebee39ab8cb4cd7592e3

Download Submit
C:\Program Files (x86)\ossec-agent\wazuh-agent.exe

Filesize
1.8MB

MD5
7aa6d050f002d4adec1f5ca80df64374

SHA1
282ab70695f0311b12705dd24f5312d160a9aec9

SHA256
ecc7023195f3e430f73be8351e30e7c79437905668c2f24b7d23c246567279b9

SHA512
65247439b0d6ad73376065a8ca393a4c1b65481e6a5e763dcc5a17c41934ef01cc9ee6291ec2121fef6084b6a74f5cecc24efa130307590131be2f5bce3a3ad6

Download Submit
C:\Program Files (x86)\ossec-agent\wazuh-agent.exe

Filesize
1.8MB

MD5
7aa6d050f002d4adec1f5ca80df64374

SHA1
282ab70695f0311b12705dd24f5312d160a9aec9

SHA256
ecc7023195f3e430f73be8351e30e7c79437905668c2f24b7d23c246567279b9

SHA512
65247439b0d6ad73376065a8ca393a4c1b65481e6a5e763dcc5a17c41934ef01cc9ee6291ec2121fef6084b6a74f5cecc24efa130307590131be2f5bce3a3ad6

Download Submit
C:\Program Files (x86)\ossec-agent\win32ui.exe

Filesize
911KB

MD5
6ac5400542a8725406587b6afb3c13ff

SHA1
99587a88bd8d7967745dfa9326e69196e2a1341d

SHA256
e9c996f397e46cdbf98f192d22bd538fb62e20c49bcdcb24785b95ff7dc2ee92

SHA512
c70a01d44d7b2e5590c929e88bd137085a12e85764e3debbb1adc2d7707e9d6a41ff830f5a8aa5026fe1dcb63753924d9b6fdd82441ec8ddfea37685ec08f030

Download Submit
C:\Program Files (x86)\ossec-agent\win32ui.exe

Filesize
911KB

MD5
6ac5400542a8725406587b6afb3c13ff

SHA1
99587a88bd8d7967745dfa9326e69196e2a1341d

SHA256
e9c996f397e46cdbf98f192d22bd538fb62e20c49bcdcb24785b95ff7dc2ee92

SHA512
c70a01d44d7b2e5590c929e88bd137085a12e85764e3debbb1adc2d7707e9d6a41ff830f5a8aa5026fe1dcb63753924d9b6fdd82441ec8ddfea37685ec08f030

Download Submit
C:\Program Files (x86)\ossec-agent\win32ui.exe

Filesize
911KB

MD5
6ac5400542a8725406587b6afb3c13ff

SHA1
99587a88bd8d7967745dfa9326e69196e2a1341d

SHA256
e9c996f397e46cdbf98f192d22bd538fb62e20c49bcdcb24785b95ff7dc2ee92

SHA512
c70a01d44d7b2e5590c929e88bd137085a12e85764e3debbb1adc2d7707e9d6a41ff830f5a8aa5026fe1dcb63753924d9b6fdd82441ec8ddfea37685ec08f030

Download Submit
C:\Program Files (x86)\ossec-agent\win32ui.exe.manifest

Filesize
367B

MD5
4b6dbd6486edd37fb791e04533270dcc

SHA1
3ee348a29185d56aea59daba238e9c77b558809e

SHA256
f740b5c7299642b74dce544a08ea2f2c1cc11c2d2b2c992c1ae4a75b5e1ca034

SHA512
2925acdcc1e5448bac04eda12d4601b85c8ab8ad19227825d181d84da7b3ea353cd4a83e61cc80a7815adc7bf1ccc3a65bc74917723172dff2b964e5077e23c1

Download Submit
C:\Program Files (x86)\ossec-agent\wpk_root.pem

Filesize
1KB

MD5
62a376c2059a97b26415040cf51ffed9

SHA1
111074da00b3f24ae85b1e02de2292ede3a104db

SHA256
800f3895f18a10e88387305d0dd2bc4aba15759562772cacb3599aaf2b9c5a54

SHA512
f5ceb6acd50f65f063cb8499dbfd52b6eb0cbe89a9a6b61ebd197cd45301f3bd29cc9971bb84f9ca8c21cf788e1703038e1b827afe68e294e43bbf5076630981

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6df97.LOG

Filesize
1KB

MD5
187fac1ba351f4d79cf24f3a56e2101b

SHA1
2ceecf915100770d99935474b8fc5033c8d0d1d7

SHA256
a0e7f5cd00be2e7fbe11eda10bb4634b4e9b06243d07033d47d4a33638283b1a

SHA512
50eb02837ea670f5583588bca06f06c4bb6d94722284a4381ff77a660f826fc8dfaf7874b2d6972f8a8def892e952bf1629b06391bb83ff5e11cbc3985d3b68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wazuh-agent-4.3.9.msi

Filesize
5.6MB

MD5
eee54087d25a42ceb27ecf8ad562143f

SHA1
42f1ef8e72e30e99a887f95f0f7d078fd27e9e0f

SHA256
e4c29173e660e4023b1b00492f968af04e6fe1d1b202f7c3c32d393c63b842b1

SHA512
33dd62d84b5b39bd3936b0b6dd84e284ea244822dcf995aa4e59444c82e22e4ace1ecda2aff3bd0149387e5422dd0c69811f3fabe734969f52f0da0299a1f3ab

Download Submit
C:\Windows\Installer\MSI1A01.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI1CC1.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI1FA1.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI238B.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI303E.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\Program Files (x86)\ossec-agent\libgcc_s_sjlj-1.dll

Filesize
1.1MB

MD5
286eb682e1f12dec3f3f87f28549b4d9

SHA1
698f502ac4e0cb9e7f4d1c33f3ed2f94bf4bc9be

SHA256
0272903695816b7e0a38b58c2fbb2bcf7e2160d086708949ba8320e6d128d250

SHA512
fa31cfd03127a4a0c0d63ca160d5eacc11bd610fb12929bf913a543dfdb0a4fd21c40b2753cc160f9c80a0c0866bba422195d08f283c94a7f2a1ab40d62ce01f

Download Submit
\Program Files (x86)\ossec-agent\libwazuhext.dll

Filesize
5.8MB

MD5
cc44f1c90deff94e74176917849049c3

SHA1
f0549781ff5790103b6caf367a47883a0cb02275

SHA256
b3158684506ad2ffabf92204cb43802e87500c0157ed2088ff9a98f4b303661b

SHA512
e59d315986cb41f7554bab5ddb0b3827b97ea487af5cc4eef614a53e4b6521d630dce816db7a59b195af016556844685e5b9ab143af13d5f62f5fc86eefef652

Download Submit
\Program Files (x86)\ossec-agent\libwazuhext.dll

Filesize
5.8MB

MD5
cc44f1c90deff94e74176917849049c3

SHA1
f0549781ff5790103b6caf367a47883a0cb02275

SHA256
b3158684506ad2ffabf92204cb43802e87500c0157ed2088ff9a98f4b303661b

SHA512
e59d315986cb41f7554bab5ddb0b3827b97ea487af5cc4eef614a53e4b6521d630dce816db7a59b195af016556844685e5b9ab143af13d5f62f5fc86eefef652

Download Submit
\Program Files (x86)\ossec-agent\libwazuhext.dll

Filesize
5.8MB

MD5
cc44f1c90deff94e74176917849049c3

SHA1
f0549781ff5790103b6caf367a47883a0cb02275

SHA256
b3158684506ad2ffabf92204cb43802e87500c0157ed2088ff9a98f4b303661b

SHA512
e59d315986cb41f7554bab5ddb0b3827b97ea487af5cc4eef614a53e4b6521d630dce816db7a59b195af016556844685e5b9ab143af13d5f62f5fc86eefef652

Download Submit
\Program Files (x86)\ossec-agent\libwinpthread-1.dll

Filesize
521KB

MD5
53ce6172f0599ba89f1304648c369538

SHA1
d3bcd248fe7d885049d38998db5ccd015c35ce83

SHA256
7629e55349b088efd49e31545cf5a403a945fbb342500525e2fab3c46505b069

SHA512
c127644955afdf598345eb7a5c9966e9a2a53da2854d180cd112c762b98911de3edeaf0dbfa6ceec81930be4ec92cabfab17811bf0cf04b4d432e86b5ba93841

Download Submit
\Program Files (x86)\ossec-agent\libwinpthread-1.dll

Filesize
521KB

MD5
53ce6172f0599ba89f1304648c369538

SHA1
d3bcd248fe7d885049d38998db5ccd015c35ce83

SHA256
7629e55349b088efd49e31545cf5a403a945fbb342500525e2fab3c46505b069

SHA512
c127644955afdf598345eb7a5c9966e9a2a53da2854d180cd112c762b98911de3edeaf0dbfa6ceec81930be4ec92cabfab17811bf0cf04b4d432e86b5ba93841

Download Submit
\Program Files (x86)\ossec-agent\libwinpthread-1.dll

Filesize
521KB

MD5
53ce6172f0599ba89f1304648c369538

SHA1
d3bcd248fe7d885049d38998db5ccd015c35ce83

SHA256
7629e55349b088efd49e31545cf5a403a945fbb342500525e2fab3c46505b069

SHA512
c127644955afdf598345eb7a5c9966e9a2a53da2854d180cd112c762b98911de3edeaf0dbfa6ceec81930be4ec92cabfab17811bf0cf04b4d432e86b5ba93841

Download Submit
\Program Files (x86)\ossec-agent\sysinfo.dll

Filesize
1.2MB

MD5
77ae19002f0f8d06b2b633cb32b6dab1

SHA1
fe81e9a39a1feef7c7a067ac95147ff4e251cd04

SHA256
48eeb374ccf840e2da3dfb719e2544cde0bdb4e5bfe7e26bc2a11c5c73f7db35

SHA512
1d9087e89462ab64872f7f5ea303290a605c8d85bcb7d6f4437b38f779c8c4ddfeebbe38c85f16dd6b3656b061cf9b522b51d9775999fddf854b93dd0f00012a

Download Submit
\Windows\Installer\MSI1A01.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\Windows\Installer\MSI1CC1.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\Windows\Installer\MSI1FA1.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\Windows\Installer\MSI238B.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\Windows\Installer\MSI303E.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
memory/384-177-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-182-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-205-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-206-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-207-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-208-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-209-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-203-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-202-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-212-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-213-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-214-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-215-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-216-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-201-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-200-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-199-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-198-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-197-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-196-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-195-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-194-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-193-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-192-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-149-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-191-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-190-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-189-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-188-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-187-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-186-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-185-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-184-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-183-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-204-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-181-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-180-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-179-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-178-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-150-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-176-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-175-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-174-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-151-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-173-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-172-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-171-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-170-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-169-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-168-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-167-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-166-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-165-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-164-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-163-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-162-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-161-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-160-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-159-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-152-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-158-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-157-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-155-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/384-154-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2016-125-0x0000026BB6600000-0x0000026BB6622000-memory.dmp

Filesize
136KB

Download
memory/2016-130-0x0000026BD2540000-0x0000026BD25B6000-memory.dmp

Filesize
472KB

Download