Analysis
max time kernel: 478s
max time network: 447s
platform: windows11-21h2_x64
resource: win11-20240319-en
resource tags: arch:x64, arch:x86, image:win11-20240319-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03/04/2024, 19:45 (3 April 2024; the WinSxS InstallTemp directory names below carry the 20240403 19:48 timestamp of this run)
Static task: static1
Behavioral task behavioral1: TruCheck_v3.03.70_b3647_Updater.exe on win10v2004-20240226-en
Behavioral task behavioral2: TruCheck_v3.03.70_b3647_Updater.exe on win11-20240319-en (the run reported on this page)
General
Target: TruCheck_v3.03.70_b3647_Updater.exe
Size: 195.7MB
MD5: 719e9af110e7527608b8006f6290a29c
SHA1: 74a0684bffc141503c55572c12eecba2a3d9e5a1
SHA256: 29dc4464ba770c14edd38234dc1a26fc6a983212831ed653b50945be99153c12
SHA512: 140e648a28ac5e7a3180f7f311f84ee0a393146f066d3d800d25efff9e5f278d97445117b10c28a382b45c5b345183bdf11fc5227d6e687dedbfc3b8372d87ae
SSDEEP: 3145728:caSFaGTMXZ+IasZ4AR/gh6O6gx7AFaTzT6B7jdsOL9Nf0iVbSJNTRK:2aGwJ+TO496nU/nO7jdnky
Malware Config: none extracted

Signatures
Drops file in Drivers directory 3 IoCs
  File created C:\Windows\SysWOW64\Drivers\pcidaqlib.sys msiexec.exe
  File created C:\Windows\SysWOW64\Drivers\cbul32.sys msiexec.exe
  File created C:\Windows\SysWOW64\Drivers\cbulwdm.sys msiexec.exe
All three land in SysWOW64\Drivers, the system folder a 32-bit package gets on x64, not in the native System32\Drivers that the 64-bit kernel loads drivers from. The names are consistent with the driver set shipped with Measurement Computing's Universal Library (cbw32.dll, cb.cfg and ulprops.txt in the System32 signature below belong to the same set), i.e. bundled third-party hardware drivers rather than kernel code of the sample's own; nothing on this page shows any of them being loaded.
Sets service image path in registry 2 TTPs 1 IoCs
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CBUL32\ImagePath = "System32\\Drivers\\cbul32.sys" msiexec.exe
The service control manager resolves this SystemRoot-relative path to C:\Windows\System32\Drivers\cbul32.sys, but the only copy written in this run is C:\Windows\SysWOW64\Drivers\cbul32.sys (Drivers signature above), so the CBUL32 service as recorded here points at a file that does not exist on the analysis VM. No service start or driver load appears on this page.
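The two signatures above record a driver drop and the matching ImagePath write as flat "description ioc Process" rows. The Python below is an added example, not tria.ge's code: it parses such rows into structured IoCs and checks whether each ImagePath written resolves to a file the same run actually dropped, flagging the SysWOW64/System32 split seen here. The sample rows are constructed from the three driver drops and the ImagePath write above; C:\Windows as the system root is an assumption.

```python
# Added example (not tria.ge output): parse flattened "description ioc Process"
# rows and check whether a service ImagePath written to the registry points at
# the file the installer actually dropped. Assumes the system root is C:\Windows.
import ntpath
from dataclasses import dataclass
from typing import Optional

# Row prefixes used by the report. "File opened for modification" and
# "File opened (read-only)" do not share a prefix, so order is not critical.
ACTIONS = (
    "File opened for modification", "File opened (read-only)", "File created",
    "Set value (data)", "Set value (str)", "Set value (int)",
    "Key created", "Key deleted", "Key opened", "Key queried",
)

DRIVERS_NATIVE = r"C:\Windows\System32\Drivers"   # what the 64-bit SCM resolves
DRIVERS_WOW64 = r"C:\Windows\SysWOW64\Drivers"    # where a 32-bit package's files land

# Constructed from the rows in the two signatures above.
FILE_ROWS = r"""
File created C:\Windows\SysWOW64\Drivers\pcidaqlib.sys msiexec.exe
File created C:\Windows\SysWOW64\Drivers\cbul32.sys msiexec.exe
File created C:\Windows\SysWOW64\Drivers\cbulwdm.sys msiexec.exe
"""
REGISTRY_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CBUL32\ImagePath = "System32\\Drivers\\cbul32.sys" msiexec.exe
"""


@dataclass
class Ioc:
    action: str
    target: str            # file path or registry key\value
    data: Optional[str]    # registry data for "Set value" rows, else None
    process: str


def parse_row(row: str) -> Ioc:
    """Split '<action> <target>[ = <data>] <process>'; the process is the last token."""
    row = row.strip()
    action = next((a for a in ACTIONS if row.startswith(a + " ")), None)
    if action is None:
        raise ValueError(f"unrecognised row: {row!r}")
    rest, _, process = row[len(action) + 1:].rpartition(" ")
    data = None
    if action.startswith("Set value"):
        target, sep, value = rest.partition(" = ")
        if sep:                       # DefaultFeature-style rows carry no data
            rest, data = target, value.strip('"')
    return Ioc(action, rest, data, process)


def parse_rows(text: str) -> list[Ioc]:
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def resolve_image_path(image_path: str) -> str:
    """Normalise an ImagePath value to the absolute path a 64-bit SCM would open."""
    p = image_path.replace("\\\\", "\\")          # the report escapes backslashes
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = r"C:\Windows" + p[len("\\systemroot"):]
    if not ntpath.splitdrive(p)[0]:               # no drive: SystemRoot-relative
        p = ntpath.join(r"C:\Windows", p.lstrip("\\"))
    return p


def correlate(file_text: str, registry_text: str):
    """Return ([(service, expected_path, dropped_path, status)], [orphan driver names])."""
    dropped = {ntpath.basename(i.target).lower(): i.target
               for i in parse_rows(file_text) if i.action == "File created"}
    referenced, findings = set(), []
    for i in parse_rows(registry_text):
        if not (i.action.startswith("Set value")
                and i.target.lower().endswith("\\imagepath") and i.data):
            continue
        service = i.target.split("\\")[-2]
        expected = resolve_image_path(i.data)
        name = ntpath.basename(expected).lower()
        referenced.add(name)
        actual = dropped.get(name)
        if actual is None:
            status = "missing"
        elif actual.lower() == expected.lower():
            status = "ok"
        elif (ntpath.dirname(actual).lower() == DRIVERS_WOW64.lower()
              and ntpath.dirname(expected).lower() == DRIVERS_NATIVE.lower()):
            status = "wow64-redirected"   # 32-bit writer, 64-bit loader: cannot start
        else:
            status = "mismatch"
        findings.append((service, expected, actual, status))
    orphans = sorted(n for n in dropped if n not in referenced)
    return findings, orphans


if __name__ == "__main__":
    found, unreferenced = correlate(FILE_ROWS, REGISTRY_ROWS)
    for row in found:
        print(*row)
    print("dropped drivers with no ImagePath referencing them:", unreferenced)
```

On this report the CBUL32 row comes back as wow64-redirected and pcidaqlib.sys and cbulwdm.sys as orphans (drivers written without any service pointing at them). Rows pasted from other signatures (registry keys without data, file opens) parse the same way, so the parser can be fed the whole report.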
Executes dropped EXE 2 IoCs
  2144 UpdateTool.exe
  3900 TruCheckSetup.exe
Loads dropped DLL 9 IoCs
  3880 MsiExec.exe (2 rows), 5100 MsiExec.exe (2 rows), 3164 MsiExec.exe (5 rows)
These three are the MsiExec.exe children of the Windows Installer service process 5408 (see the WriteProcessMemory section), i.e. custom-action hosts loading DLLs carried in the package.
Blocklisted process makes network request 2 IoCs
  flow 16, pid 2824 msiexec.exe
  flow 17, pid 2824 msiexec.exe
No destination is recorded on this page for either flow.
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\<letter>: msiexec.exe, for every drive letter except C:, D: and F: (A:, B:, E:, G: through Z:), each letter twice, 46 rows in all. Every row is msiexec.exe, so this is Windows Installer's own volume pass rather than code from the sample's executables.
Drops file in System32 directory 6 IoCs
All six paths are under SysWOW64, the 32-bit system directory, not System32 proper:
  File created C:\Windows\SysWOW64\tcusbld\tcusbld.spt msiexec.exe
  File created C:\Windows\SysWOW64\cbw32.dll msiexec.exe
  File created C:\Windows\SysWOW64\DaqLib.dll msiexec.exe
  File created C:\Windows\SysWOW64\cb.cfg msiexec.exe
  File created C:\Windows\SysWOW64\cbercode.txt msiexec.exe
  File created C:\Windows\SysWOW64\ulprops.txt msiexec.exe
Drops file in Program Files directory 64 IoCs
All rows are "File created … msiexec.exe" under C:\Program Files (x86)\Webscan Inc\TruCheck\, grouped here by subdirectory (64 files: the application, satellite resource assemblies, driver-install tooling, kernel drivers for several camera/USB stacks, and camera firmware blobs):
  (root): AcroPDF.dll, TruCheck.exe, Microsoft.Office.Interop.Excel.DLL, WPFToolkit.DLL, Microsoft.Vbe.Interop.DLL, CyUSB.DLL, TruCheckDataTypes.DLL, faq.rtf, System.Windows.Controls.DataVisualization.Toolkit.DLL, TruCheckCore.dll, Interop.AcroPDFLib.DLL, msvcr71.dll, TruCheckRemote.DLL, StTrgApi.dll
  locale folders: TruCheck.resources.dll in zh-CN\, de\, ja\, fr\, en-US\; TruCheckCoreManaged.resources.dll in en-US\, zh-CN\
  Drivers\: Sleepstates_Tool.exe, tcusbld.spt
  Drivers\x64\: uEye_usb.sys, StUSB.sys, cyusb.sys, devcon.exe, PGRUSBCam.sys, W64Install.exe
  Drivers\x86\: DIFxAPI.dll, devcon.exe, uEye_boot.sys
  Drivers\Legacy\: tcusbld.spt, Sleepstates_Tool.exe, InstallDriver.InstallState
  Drivers\Legacy\x64\: uEye_usb.sys, StUSB.sys, WdfCoInstaller01009.dll, cyusb.sys
  Drivers\Legacy\x86\: tcusbld.sys, PGRUSBCam.sys, W32Install.exe, uEye_usb.sys, ds2490.sys, WdfCoInstaller01009.dll, uEye_boot.sys, DIFxAPI.dll
  Drivers\Firmware\usb3\: fx3_firmware.fwc
  Drivers\Firmware\usb3_addon\: usb3_cp_no_ddr_3v3_lvds_cmosis.fwc, usb3_ml_le_1v8_parallel.fwc, usb3_cp_3v3_lvds_cmosis.fwc, usb3_ml_le_3v3_parallel.fwc, usb3_le2_3v3_lvds_onsemi.fwc, usb3_cp_no_ddr_1v8_lvds_aptina_2phy.fwc, usb2_se_3v3_parallel.fwc, usb3_cp_1v8_parallel.fwc, usb3_cp_ddr_3v3_lvds_cmosis.fwc, usb3_cp_ddr_1v8_lvds_sony.fwc, usb3_cp_ddr_1v8_parallel.fwc, usb3_cp_1v8_lvds_sony.fwc, usb3_cp_no_ddr_3v3_parallel.fwc, usb3_cp_no_ddr_1v8_lvds_sony.fwc, usb3_cp_ddr_1v8_lvds_aptina_2phy.fwc, usb3_le2_1v8_lvds_aptina_2phy.fwc
The .sys files here are staged copies inside the program directory; the only drivers placed in a system driver directory in this run are the three in the Drivers-directory signature above. devcon.exe, DIFxAPI.dll and WdfCoInstaller01009.dll are Microsoft's driver-install tooling.
Drops file in Windows directory 40 IoCs
All rows are msiexec.exe, grouped here by location with the action in brackets:
  C:\Windows\Installer\
    [created] e5914e6.msi, e5914e8.msi, inprogressinstallinfo.ipi, SourceHash{3F408034-3680-483F-A303-286D629038CA}
    [opened for modification] C:\Windows\Installer\ (the directory itself), e5914e6.msi, MSI1E4C.tmp, MSI1EF9.tmp, MSI2756.tmp, MSI3C66.tmp, MSI70A1.tmp
    {3F408034-3680-483F-A303-286D629038CA}\ [created, then opened for modification: two rows each] _0E37E41083FECCF3667319.exe, _6FEFF9B68218417F98F549.exe, _7AEE8AE8AD14D0F56F77BB.exe, _9F6C3D26641EA137EC70B4.exe, _B3A921879F719C288BE06C.exe, _B5F8CC6E4F9FA1A6023003.exe
  C:\Windows\WinSxS\InstallTemp\
    20240403194834728.0 [opened for modification]; inside it [created] msvcr90.dll, msvcp90.dll, msvcm90.dll, x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.cat, x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.manifest
    20240403194836400.0 [opened for modification]; inside it [created] 9.0.21022.8.policy, 9.0.21022.8.cat
  C:\Windows\Inf\ [created] cbicom.inf, cbi95.inf, daqlib.inf
  C:\Windows\SystemTemp\ [created] ~DF37B4EA987803C706.TMP, ~DF3B5E823DEF725CDF.TMP, ~DF70CDF627276B0B40.TMP, ~DFE946B97A4BBF1216.TMP
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log [opened for modification]
The _*.exe files under Installer\{ProductCode}\ are icons Windows Installer extracts from the package's Icon table; the WinSxS files are the Visual C++ 2008 CRT 9.0.21022.8 side-by-side assembly with its catalog, manifest and publisher policy; the three .inf files accompany the cb*/daqlib driver set; ngen.log is the .NET native image generator's log. All of it is stock Windows Installer activity.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Every row here is attributed to vssvc.exe (the Volume Shadow Copy service), not to the sample's processes or to msiexec.exe, and the Partmgr cache values are what the storage stack writes when a volume snapshot is taken, consistent with the restore point Windows Installer requests before an install. Read this as an installer side effect, not as sandbox detection by the sample (the Ven_QEMU disk identity is the analysis VM's). <DP> below stands for \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters.
  Set value (data) <DP>\Partmgr\PartitionTableCache = 0000000004000000d7c5157aa3afd7f30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d7c5157a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d7c5157a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd7c5157a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d7c5157a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
  Set value (data) <DP>\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe (the value begins with the ASCII tag "SNAPPART")
  Key opened <DP> vssvc.exe
  Key queried <DP> vssvc.exe
  Key created <DP>\Partmgr vssvc.exe
Modifies data under HKEY_USERS 3 IoCs
  Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E msiexec.exe
  Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 msiexec.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 msiexec.exe
Modifies registry class 64 IoCs
All rows are msiexec.exe and live under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\ (the page writes one row, marked *, with the key as \REGISTRY\MACHINE\Software\Classes\Installer\). In Assemblies paths the page uses '|' for '\'; <TC> below stands for C:|Program Files (x86)|Webscan Inc|TruCheck. Products\430804F30863F3843A3082D6260983AC is the packed form of ProductCode {3F408034-3680-483F-A303-286D629038CA}, the same GUID as the C:\Windows\Installer\{…} directory in the Windows-directory signature, and Version = "50528326" is 0x03030046, i.e. 3.3.70, matching the sample's version. The REG_BINARY values under Assemblies are UTF-16LE Installer descriptors: every one starts with ]h{C8g$e6?eS%*KtQN~i> (the product code in Installer's compressed-GUID form, then '>') followed by a per-component part. Three value names are cut off on the page and are left as shown.
  Key created Assemblies\<TC>|RawPrinterHelper.DLL
  Key created Products\430804F30863F3843A3082D6260983AC\SourceList\Media
  Key deleted Assemblies\<TC>|Microsoft.Vbe.Interop.DLL
  Key created Assemblies\<TC>|FlyCapture2Managed_v90.DLL
  Key created Assemblies\<TC>|TruCheckDataTypes.DLL
  Key created Assemblies\<TC>|Drivers|InstallDriver.dll
  Set value (data) Assemblies\<TC>|en-US|TruCheck.resources.dll\TruCheck.resources,Version="3.3.70.3647",Culture="en-US",ProcessorArchitecture="x86" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e006800340068007000420058005100550064004e00530031006b0054002c004b0057002b005100330000000000
  Key deleted Assemblies\<TC>|PdfSharp.DLL
  Key created Assemblies\<TC>|Ionic.Zip.Reduced.DLL
  Set value (data) Assemblies\<TC>|TruCheckCoreManaged.DLL\TruCheckCoreManaged,Version="3.3.70.0",Culture="neutral",ProcessorArchitecture="x86",PublicKeyToken="32ED4FAA5501C8FD" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0031006d005f00560030006200680056005f005000520065006c00790070007e0035002e007200390000000000
  Key deleted UpgradeCodes\E63AB5B7BB2916C4CA7EEE2F065A6A5C
  Set value (data) Assemblies\<TC>|de|TruCheck.resources.dll\TruCheck.resources,Version="3.3.68.3617",Culture="de",ProcessorArchitecture="MSIL" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e004e007000630042004b003200560027007d00570055005f004d003f002e00280059006b0078004a0000000000
  Key created Assemblies\<TC>|CyUSB.DLL
  Set value (data) Assemblies\<TC>|en-US|TruCheckCoreManaged.resources.dll\TruCheckCoreManaged.resources,Version="3.3.70.0",Culture="en-US",ProcessorArchitecture="MSIL",PublicKeyToken="32ED4F (cut off on the page) = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e006a005f006b002d0053005a00380074007500520021004f0067002100490079006a004f006c00300000000000
  Key created Products\430804F30863F3843A3082D6260983AC\SourceList *
  Key created Win32Assemblies\Global
  Set value (data) Assemblies\<TC>|Drivers|HardwareWizard.exe\HardwareWizard,Version="1.0.4114.16721",Culture="neutral",ProcessorArchitecture="x86" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0066006d0031005300590047005e004b0073004200510076007a0071004b004e00600030007100260000000000
  Key created Assemblies\<TC>|TruCheck.exe
  Key created UpgradeCodes\E63AB5B7BB2916C4CA7EEE2F065A6A5C
  Set value (data) Win32Assemblies\Global\policy.9.0.Microsoft.VC90.CRT,version="9.0.21022.8",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e00690063003f00670029004f0026005200530034002500710035005d0056004c00510072005b00530000000000
  Set value (str) Features\430804F30863F3843A3082D6260983AC\DefaultFeature
  Key created Assemblies\<TC>|PdfSharp.DLL
  Key created Assemblies\<TC>|Microsoft.Office.Interop.Excel.DLL
  Key deleted Assemblies\<TC>|WPFToolkit.DLL
  Set value (data) Assemblies\<TC>|ja|TruCheck.resources.dll\TruCheck.resources,Version="3.3.68.3617",Culture="ja",ProcessorArchitecture="MSIL" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e002c007d004f00540040002800770065005d0024005100300049004e0034005a00300064006400260000000000
  Key deleted Assemblies\<TC>|TruCheckRemote.DLL
  Key deleted Assemblies\<TC>|Fonet.DLL
  Key deleted Products\430804F30863F3843A3082D6260983AC\SourceList\Media
  Set value (data) Assemblies\<TC>|es|TruCheckCoreManaged.resources.dll\TruCheckCoreManaged.resources,Version="3.3.70.0",Culture="es",ProcessorArchitecture="MSIL",PublicKeyToken="32ED4FAA5501 (cut off on the page) = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0021004e00470036002800500053007300510044005d0040006a003f005e0034004500620066004c0000000000
  Set value (int) Products\430804F30863F3843A3082D6260983AC\Version = "50528326"
  Set value (data) Products\430804F30863F3843A3082D6260983AC\Clients = 3a0000000000
  Key deleted Features\430804F30863F3843A3082D6260983AC
  Key deleted Assemblies\<TC>|TruCheckDataTypes.DLL
  Key deleted Assemblies\<TC>|de|TruCheck.resources.dll
  Set value (data) Assemblies\<TC>|Drivers|Legacy|InstallDriver.dll\InstallDriver,Version="1.0.4421.41005",Culture="neutral",ProcessorArchitecture="x86" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e005e005b005b00650043005300630027002800570074004f006400700070005e005b0039006c00510000000000
  Key created Assemblies\<TC>|WPFToolkit.DLL
  Set value (data) Assemblies\<TC>|WPFToolkit.DLL\WPFToolkit,Version="3.5.40128.1",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="31BF3856AD364E35" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0041006100760054002d0060007900320043003f00460069006700730060004600700070004200240000000000
  Set value (data) Assemblies\<TC>|TruCheckDataTypes.DLL\TruCheckDataTypes,Version="3.3.70.3647",Culture="neutral",ProcessorArchitecture="x86",PublicKeyToken="32ED4FAA5501C8FD" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e002c002c007e007600500064007a005b007a00360069002400650063003300780057005f0075006d0000000000
  Key created Assemblies\<TC>|en-US|TruCheckCoreManaged.resources.dll
  Set value (str) Products\430804F30863F3843A3082D6260983AC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Key deleted Assemblies\<TC>|TruCheck.exe
  Key deleted Assemblies\<TC>|FlyCapture2Managed_v90.DLL
  Key created Assemblies\<TC>|Drivers|Legacy|InstallDriver.dll
  Set value (data) Assemblies\<TC>|Drivers|InstallDriver.dll\InstallDriver,Version="1.0.4421.41005",Culture="neutral",ProcessorArchitecture="x86" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e003000660034007500500047007b002b005b0066006100470036006f002900550054005a006b00350000000000
  Key created Assemblies\<TC>|TruCheckRemote.DLL
  Key created Assemblies\<TC>|AxInterop.AcroPDFLib.DLL
  Key created Products\430804F30863F3843A3082D6260983AC
  Key deleted Assemblies\<TC>|Drivers|InstallDriver.dll
  Key deleted Assemblies\<TC>|fr|TruCheck.resources.dll
  Set value (data) Assemblies\<TC>|zh-CN|TruCheck.resources.dll\TruCheck.resources,Version="3.3.68.3617",Culture="zh-CN",ProcessorArchitecture="MSIL" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0075002e004500660067002d0063006d002400540068004400670024005e003d00780056004b00720000000000
  Set value (data) Assemblies\<TC>|Ionic.Zip.Reduced.DLL\Ionic.Zip.Reduced,Version="1.9.1.8",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="EDBE51AD942A3F5C" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e006500510052006000300065007200560033004f0046006200320049002900590038007a005300400000000000
  Set value (data) Assemblies\<TC>|System.Windows.Controls.DataVisualization.Toolkit.DLL\System.Windows.Controls.DataVisualization.Toolkit,Version="3.5.40128.1",Culture="neutral",ProcessorArc (cut off on the page) = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0062007300470071005b007a00540064002c004a005a0056006500300065006c00620024004e00390000000000
  Set value (int) Products\430804F30863F3843A3082D6260983AC\Assignment = "1"
  Key created Products\430804F30863F3843A3082D6260983AC\SourceList\Net
  Key deleted Assemblies\<TC>|TruCheckControl.DLL
  Key deleted Assemblies\<TC>|en-US|TruCheckCoreManaged.resources.dll
  Key deleted Assemblies\<TC>|Drivers|HardwareWizard.exe
  Set value (data) Assemblies\<TC>|Drivers|Legacy|HardwareWizard.exe\HardwareWizard,Version="1.0.4114.16721",Culture="neutral",ProcessorArchitecture="x86" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0078006e005200550062007800210036003f004d00500043007800720079007a0028004c006e00630000000000
  Key created Features\430804F30863F3843A3082D6260983AC
  Key deleted Products\430804F30863F3843A3082D6260983AC\SourceList\Net
  Key deleted Assemblies\<TC>|AxInterop.AcroPDFLib.DLL
  Key deleted Assemblies\<TC>|RawPrinterHelper.DLL
  Key created Assemblies\<TC>|zh-CN|TruCheckCoreManaged.resources.dll
  Set value (data) Assemblies\<TC>|TruCheckRemote.DLL\TruCheckRemote,Version="3.3.70.0",Culture="neutral",ProcessorArchitecture="x86",PublicKeyToken="32ED4FAA5501C8FD" = 5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e0021004f005f006d0063005900370079004800340076004d00260031005f006600720063003400730000000000
The paired create/delete rows for the same Assemblies keys and for UpgradeCodes, Features and SourceList are the old product registration being removed and the new one written, which is what an upgrade install through Windows Installer looks like.
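Added example (not tria.ge or Windows Installer code) that decodes the Installer artifacts in this signature: it unpacks the Products\… key name back to the ProductCode, reads the Version integer, and splits the REG_BINARY descriptor values into their product and component halves. The constants are copied from the rows above; that the descriptor splits at '>' into a 20-character product part and a component part is what these values show and is assumed to hold for the rest of them.

```python
# Added example (not tria.ge or Windows Installer code): decode the Windows
# Installer registry artifacts listed in this signature. Sample values are
# copied from the rows above.
from typing import Tuple

# Products\430804F30863F3843A3082D6260983AC and ...\Version = "50528326" above.
PACKED_PRODUCT = "430804F30863F3843A3082D6260983AC"
VERSION_INT = 50528326
# The en-US TruCheck.resources.dll descriptor value above (REG_BINARY holding UTF-16LE text).
DESCRIPTOR_HEX = "5d0068007b004300380067002400650036003f006500530025002a004b00740051004e007e0069003e006800340068007000420058005100550064004e00530031006b0054002c004b0057002b005100330000000000"


def unpack_guid(packed: str) -> str:
    """Windows Installer 'packed GUID' -> registry GUID. The first three groups are
    stored as reversed strings, the last two with each byte's hex pair swapped."""
    if len(packed) != 32:
        raise ValueError("packed GUID must be 32 hex characters")
    p = packed.upper()
    g1, g2, g3 = p[0:8][::-1], p[8:12][::-1], p[12:16][::-1]
    tail = "".join(p[i + 1] + p[i] for i in range(16, 32, 2))
    return "{%s-%s-%s-%s-%s}" % (g1, g2, g3, tail[:4], tail[4:])


def pack_guid(guid: str) -> str:
    """Inverse of unpack_guid: turn a known ProductCode into its Products\\ key name."""
    g1, g2, g3, g4, g5 = guid.strip("{}").upper().split("-")
    tail = g4 + g5
    return g1[::-1] + g2[::-1] + g3[::-1] + "".join(tail[i + 1] + tail[i] for i in range(0, 16, 2))


def decode_version(v: int) -> str:
    """Products\\...\\Version packs major.minor.build as 8/8/16 bits."""
    return f"{v >> 24}.{(v >> 16) & 0xFF}.{v & 0xFFFF}"


def decode_descriptor(hex_value: str) -> Tuple[str, str]:
    """REG_BINARY -> UTF-16LE text, split at '>' into the 20-character product part
    and the component part. Both use Installer's compressed-GUID alphabet, which is
    not expanded here; the split layout is the one observed on this page."""
    text = bytes.fromhex(hex_value).decode("utf-16-le").rstrip("\0")
    product, sep, component = text.partition(">")
    if not sep or len(product) != 20:
        raise ValueError("unexpected descriptor layout: %r" % text)
    return product, component


if __name__ == "__main__":
    print(unpack_guid(PACKED_PRODUCT), decode_version(VERSION_INT))
    print(decode_descriptor(DESCRIPTOR_HEX))
```

pack_guid is the direction a responder usually needs: given a ProductCode from an MSI's Property table or from Installer\{GUID} on disk, it yields the Products\ key to look for under HKLM\SOFTWARE\Classes\Installer. Feeding every descriptor value on this page to decode_descriptor returns the same product part and a different component part each time.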
Suspicious behavior: EnumeratesProcesses 2 IoCs
  5408 msiexec.exe (2 rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
  Token: SeSecurityPrivilege 5408 msiexec.exe
  Token: SeShutdownPrivilege 2824 msiexec.exe
  Token: SeIncreaseQuotaPrivilege 2824 msiexec.exe
  then, twice in full for 2824 msiexec.exe, the 29-privilege sequence SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  and finally SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege for 2824 msiexec.exe
That is 1 + 2 + 29 + 29 + 3 = 64 rows; several lists on this page stop at exactly 64, so the third pass is most likely cut off. The pattern is the installer client sweeping every privilege in its token, all from pid 2824, the msiexec.exe client started by TruCheckSetup.exe.
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2824 msiexec.exe 2824 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3900 TruCheckSetup.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target
PID 5104 wrote to memory of 2144 5104 TruCheck_v3.03.70_b3647_Updater.exe 81
PID 5104 wrote to memory of 2144 5104 TruCheck_v3.03.70_b3647_Updater.exe 81
PID 2144 wrote to memory of 3900 2144 UpdateTool.exe 86
PID 2144 wrote to memory of 3900 2144 UpdateTool.exe 86
PID 2144 wrote to memory of 3900 2144 UpdateTool.exe 86
PID 3900 wrote to memory of 2824 3900 TruCheckSetup.exe 87
PID 3900 wrote to memory of 2824 3900 TruCheckSetup.exe 87
PID 3900 wrote to memory of 2824 3900 TruCheckSetup.exe 87
PID 5408 wrote to memory of 3880 5408 msiexec.exe 88
PID 5408 wrote to memory of 3880 5408 msiexec.exe 88
PID 5408 wrote to memory of 3880 5408 msiexec.exe 88
PID 5408 wrote to memory of 1088 5408 msiexec.exe 93
PID 5408 wrote to memory of 1088 5408 msiexec.exe 93
PID 5408 wrote to memory of 5100 5408 msiexec.exe 95
PID 5408 wrote to memory of 5100 5408 msiexec.exe 95
PID 5408 wrote to memory of 5100 5408 msiexec.exe 95
PID 5408 wrote to memory of 3164 5408 msiexec.exe 97
PID 5408 wrote to memory of 3164 5408 msiexec.exe 97
PID 5408 wrote to memory of 3164 5408 msiexec.exe 97
Note: every target PID is the writer's direct child in the process tree below, so these are the writes a parent makes into a freshly created child during process start-up, not injection into an unrelated process.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run it is driven by srtasks.exe ExecuteScopeRestorePoint (PID 1088), the system restore point Windows Installer creates before applying a package, and vssvc.exe (PID 1544) is started as a result.
Processes

1. C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe"
   PID: 5104
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe" ud=true uf="Setup.exe PreInstallDriver=true"
      PID: 2144
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe" PreInstallDriver=true
         PID: 3900
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\msiexec.exe
            Command line: "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.msi" PreInstallDriver=true
            PID: 2824
            - Blocklisted process makes network request
            - Enumerates connected drives
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow

1. C:\Windows\system32\msiexec.exe
   Command line: C:\Windows\system32\msiexec.exe /V
   PID: 5408
   - Drops file in Drivers directory
   - Sets service image path in registry
   - Enumerates connected drives
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies data under HKEY_USERS
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 81A23FE86368B4BC96A68840778FF870 C
      PID: 3880
      - Loads dropped DLL
   2. C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 1088
   2. C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1BF0DB58494CD46CF47E1D7E55BCB443
      PID: 5100
      - Loads dropped DLL
   2. C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 76F8E62875B8BCA0EDA726A6E75C4010 E Global\MSI0000
      PID: 3164
      - Loads dropped DLL

1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 1544
   - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 50KB
MD5: fd6054ccda68e02610b899cdc16d186b
SHA1: f23d3f737991466d758caabe1dac0fa0977384f3
SHA256: 3e271de68ca66ec912976e347816ceecab7540e05a98b1d8d0690c662d65d2da
SHA512: efe63d70fd7d454b57cdd4c2fe85ccd20cd6ab68cc6f990f2436f4f7a9083a2443e7868af513c55e9f1f865395a5262787e2b588ece13ff0cd10ae1146f050ad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Filesize: 1KB
MD5: e1a4b2b787a91b3f548716ed5b1b8171
SHA1: 767452821035bc9da20d0917474bff2b336f0b3a
SHA256: f98370d45aa93a5f04e53bd92219b358491d6fef09c1aebba5fc0a120ab861d9
SHA512: 848296397cb7676717d94114bd8a344516edc750404b34aa1dee1d571ce2e2c9b345786c387e3f4ef57012528d3b8161291c6a6c248554ea26b714b8f673a6a3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_B8EC29A9F6EE1252C61F50A231A186F2
Filesize: 1KB
MD5: eb8ecac08f744f5ac9637c0f0129f045
SHA1: 612c3e5375f0a6cc63cfeca549a361534b373889
SHA256: 3f95e4a685db2a4cc50df8dae853a0f38e574dc58983067d1e30842ff3955cd7
SHA512: 71a18d91c014986ff3e85fd23e268d227e84aa30216faa5bf542ea6cecbd9cd0329119a1aceb11f08cb940ccba55e23db48591fbae26a446ff6a6f4f84ad66da
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Filesize: 532B
MD5: c6fa5d78ec617c54efa446796efa00fb
SHA1: 20974e86ed87a0a570e91313c22ecbd2e29b43e1
SHA256: a733451127660767f43a7bdc5b053c0b885dc65048605ea309a2f3d30a0d54b4
SHA512: e561b76a40ecf2439943e131b46c024c726fb16affb6edc3cde492d16927ffb0f1eb027775dec98b49dd3c81205251c1a6b158aceb94148c0d077fc15d47d6b2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_B8EC29A9F6EE1252C61F50A231A186F2
Filesize: 544B
MD5: 932fda6d7e48785052a3f26e1434aa0b
SHA1: 39aba2c7b2b35e139f4d7db51e2fcf7ae94e3070
SHA256: c1d466e23f3c01fc286ab9588ff707f29f82baea46860c67e631bcfa50c9df9c
SHA512: 62a5c93e2ffe9aec7d2fbf06278b20231157c0c5db52a5b6a07b669dd02e10037924815c8fce3be8fe942b158b52cab160f365cad15eb07dab5632f835e603b0
-
Filesize: 123B
MD5: 17af548f88a3199aa8a63a72201f470f
SHA1: 4e64bb20a2f54d778ed684aa21abebad63a5c2c0
SHA256: a558dbe555749cd3bdd62060fdbba72720c4f4a186d5870b977ed2acf9721d9e
SHA512: 08bdbc75f5fd4d9ec85c53253e4030ce7245b20ecc95e032835609c7c43a07d6c9e7776f48c5494a788a543240c0649a9f1a34a0e514ebc4dda5730953647338
-
Filesize: 221KB
MD5: 911aa8d08b7ccab654e897b0e4439354
SHA1: 4f4f16048deae47a2ff5b9849042f62ec51794bc
SHA256: ba56a2fa13e5dae48b6d74a8fa40f2f44473b386e71ba1e7ec2ded90ad56bb8b
SHA512: 8aa11f26093e54a62c5390c64e218a8a57cd3374bbce8ecc243042dd8a2214ede1f3befa699837698c0bd42b9b4e011f95c62588b8bdd4da9aae12dabe4b46e4
-
Filesize: 384KB
MD5: 776851d4a843a0717892e075d03f46ce
SHA1: 71158f473006c4bbe7c0a5e969c0b346e0c57ac8
SHA256: 3242c4e31b2158a950b66220ba6029138be0c00a4534c7e3c3c109cb882f239b
SHA512: 57130f320b81da24c784d84b94d2968437f48a7a950944e4c5c31858741d2e31f33cd01992f36fd55b9fcd2fdd425b831da6b7a196bba4d9486d4a8f0aead7aa
-
Filesize: 191.6MB
MD5: b42d32a276b782d58420ec171789ed34
SHA1: 789505e6363e2fc9942e5b73df99884760273abf
SHA256: 704f21dd7d649d9875b903727e232316dda3075feaf9f25efd46134af9c31839
SHA512: 63741b75309f8f41a57bd9e1daa4f7e408a73de2d2fe19e2ef3b51dc7d0e1cc5b9d3ba2c2bc3250649992e693a206825081a6cf25badd93c12592c359ec61684
-
Filesize: 59KB
MD5: d42b83e5e46d7cc78baf0fc96c9eb676
SHA1: f8749d8dcfc7e5ca8ae9c1c61cd07c69ba5179e8
SHA256: 1d346380993baeddb1b36928497cc442415e05b761dd66296f85815b13091cb6
SHA512: bafd9284e3de19607cc64c2f1b4ec7d18906f49618aac246ae2ef103e36a918d7f6d0c8df7a45d11e36281dcd95da8b65add4e72228d97fd4f4c43de086b6508
-
Filesize: 63KB
MD5: 384a729b4093250d9786013e15e9aa31
SHA1: c7ebd3366e0b05b2eb0cd17a6a8354427436774c
SHA256: e83ddd458b0433c98f4d13853cc88cf72fada6ffce6d56fcaca8e83bd76abfad
SHA512: d6f70005e29e6e8b5c926d7fa4280ae1081c8c0626f74417a73fb81dd5522abab300dd7105f8842a2f41b8f036edacb4853bc6ca7be8f67e5da80ca9de9bc66e
-
Filesize: 9KB
MD5: ce8ee64c66e92bbb46231b1be06aba22
SHA1: 5bb368fbcf57d92d8c83a4487fdde7e713ed3a24
SHA256: d4f066db44f8ec61d8ec183091bead9578022c2385d4f7552b32f1b0c53fd26b
SHA512: aa31399cde6457dfa727f3f21074efb8f1f5b7ff5bfee6e54231082e7e8f5d4b6d4df90d70529aaff3935bb3ab86dc86ac1a0d85429d247fdcff9720f4e2c0ec
-
Filesize: 14KB
MD5: 07282ca770d5cc6fba8e0c1598c485f2
SHA1: b7bb6f83b446f73499059d2e14cafba3fc09eb81
SHA256: c7669bc86c8102ab2cec262de32ac4aca06e4904959c088d85440ae77b85ec36
SHA512: 845fd16f032fd40456d74f30045e688044b5d2b4014a06ec700fd0211ed4a2b9fbe53dc89ad8bd7f2407c0ce6cb12885f06185c56065672071d682b39716903b
-
Filesize: 12.8MB
MD5: e8f53bdc0952bbe259f78f4faa365509
SHA1: f6c00579513751807bb7fce5bdf345bd061edace
SHA256: c980da25f17f2dd771381dfbc85d2b83cd14e9ed981cc52fa8478590b30ad05a
SHA512: 0f494df6625d7a65774adf1afc3d118df20583f6ae15c1d0e6fb5971aae1935b6c6df8d13d1da759847996b69cb0e51051eed3265cd0c768d2a42818c3d3b0da
-
\??\Volume{7a15c5d7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{74b04522-11ae-4373-a393-025fbe2ebba5}_OnDiskSnapshotProp
Filesize: 6KB
MD5: a0381ce23db4ef6d54e11ad46e2c573a
SHA1: 1a77808f134362c6a1b0023cffbe755c83f6e57c
SHA256: 7303826fe3f37342e3678d44a4fb519ff2562d31a4258caab65bc801e0ef8c10
SHA512: a519fac48fd0cf3ff672e03c894e203494131520c5547ad1b61061b0bca9f9c60cdcbb33e41a5977a3e74e95b560e26f43f83db3cbca65e0943925ac781327e5
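Host-side follow-up for this report, as an added example that is not part of the tria.ge output or of the TruCheck installer: the run above shows the "msiexec.exe /V" service (PID 5408) dropping files into the Drivers directory and setting a service ImagePath, so the question on a real endpoint is which kernel driver services point at those files and whether the images are signed. The script assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on the host that ran the installer. Its hash list is the SHA-256 values of the ten unnamed files in the Downloads section (the CryptnetUrlCache and System Volume Information entries are Windows artifacts of the install, not installer payload); the report does not say which dropped file each hash belongs to, so the list is only used as a set.

```powershell
# Added triage script for this report; not part of the tria.ge output or of the TruCheck
# installer. Run elevated on the host where the installer was executed.
# Assumption: these are the SHA-256 values of the ten unnamed files in the report's Downloads
# list. Which dropped file each belongs to is not recorded, so they are only matched as a set.
$ReportSha256 = @(
    '3e271de68ca66ec912976e347816ceecab7540e05a98b1d8d0690c662d65d2da'
    'a558dbe555749cd3bdd62060fdbba72720c4f4a186d5870b977ed2acf9721d9e'
    'ba56a2fa13e5dae48b6d74a8fa40f2f44473b386e71ba1e7ec2ded90ad56bb8b'
    '3242c4e31b2158a950b66220ba6029138be0c00a4534c7e3c3c109cb882f239b'
    '704f21dd7d649d9875b903727e232316dda3075feaf9f25efd46134af9c31839'
    '1d346380993baeddb1b36928497cc442415e05b761dd66296f85815b13091cb6'
    'e83ddd458b0433c98f4d13853cc88cf72fada6ffce6d56fcaca8e83bd76abfad'
    'd4f066db44f8ec61d8ec183091bead9578022c2385d4f7552b32f1b0c53fd26b'
    'c7669bc86c8102ab2cec262de32ac4aca06e4904959c088d85440ae77b85ec36'
    'c980da25f17f2dd771381dfbc85d2b83cd14e9ed981cc52fa8478590b30ad05a'
) | ForEach-Object { $_.ToUpperInvariant() }   # Get-FileHash returns upper-case hex

# Driver ImagePath values are usually relative to the Windows directory
# ("System32\Drivers\x.sys") or carry a \SystemRoot\ or \??\ prefix; make them absolute.
function Resolve-DriverImagePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ([System.IO.Path]::IsPathRooted($p)) { return $p }
    return (Join-Path $env:SystemRoot $p)
}

# 1) Every kernel / file-system driver service, with the state of its image on disk.
$drivers = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER
    if (-not $svc -or ($svc.Type -notin @(1, 2)) -or -not $svc.ImagePath) { return }

    $path   = Resolve-DriverImagePath $svc.ImagePath
    $exists = Test-Path -LiteralPath $path
    $hash   = $null; $sig = $null
    if ($exists) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
    }
    [pscustomobject]@{
        Service   = $_.PSChildName
        Start     = $svc.Start          # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
        ImagePath = $svc.ImagePath
        Resolved  = $path
        Exists    = $exists
        SHA256    = $hash
        InReport  = [bool]($hash -and ($ReportSha256 -contains $hash))
        SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Drivers the sandbox saw being dropped, plus anything missing, unsigned or with a broken signature.
$drivers |
    Where-Object { $_.InReport -or -not $_.Exists -or $_.SigStatus -ne 'Valid' } |
    Sort-Object InReport, Service -Descending |
    Format-Table Service, Start, SigStatus, InReport, Signer, Resolved -AutoSize

# 2) Recently written .sys files in both driver directories. A 32-bit installer component that
#    writes to System32 is redirected to SysWOW64, so both locations are worth a look.
$since = (Get-Date).AddDays(-7)   # assumption: widen or narrow to the install window under investigation
"$env:SystemRoot\System32\drivers", "$env:SystemRoot\SysWOW64\drivers" |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -Filter *.sys -File -ErrorAction SilentlyContinue } |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            File      = $_.FullName
            Written   = $_.LastWriteTime
            SHA256    = $h
            InReport  = ($ReportSha256 -contains $h)
            SigStatus = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        }
    } | Format-Table -AutoSize
```

A row with InReport true and Exists true means one of the files the sandbox recorded is registered as a driver on this host; its Start value tells you whether it loads at boot or only on demand. A Valid SigStatus is necessary but not sufficient: a third-party driver can be properly signed and still be on Microsoft's vulnerable driver blocklist, so check the Signer and the file version against that list before deciding the expanded kernel attack surface is acceptable.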