1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
Size

2.2MB
MD5

144bfc7f77a9b0b57d39e75ffda71ae1
SHA1

77ca0a359058ccabe720d310ee729ecd3e66561f
SHA256

1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3
SHA512

6a4a82e59b21ede7ae722aef50ceecf264cadffe4bc61d9f94d88c96c8e1d76b86b16cdd93e9440dd1f3c905cb2a0915b8d851b73dfcbeaab6756a3d2bf1c9d0
SSDEEP

49152:19UJj87k/a4nQkh6ZISIyR7fJATyIeOgWfPfyDLmd/DIuJxThJqEB6ZmKYGCsWH5:m8D4nQkhSRtATyIe+fPf6Lmd/DI0xT5N

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Drivers\fardisk.sys	FSSInstaller.exe
File created	C:\Windows\system32\Drivers\fardisk.sys	FSSInstaller.exe
File created	C:\Windows\system32\drivers\FwaKbd.sys	MsiExec.exe
File created	C:\Windows\system32\drivers\FwaMouse.sys	MsiExec.exe

Executes dropped EXE 10 IoCs

pid	Process
4288	FWAInstallMonitor.exe
3568	FSSInstaller.exe
2180	ModulesUpgradeMgr.exe
1616	AVBLicPatch.exe
4608	SCPwdChecker.exe
3960	FWAService.exe
4364	ModulesUpgradeMgr.exe
888	FaronicsSA.exe
2256	FWA_UI_Agent.exe
1464	FWA_UI_Agent.exe

Loads dropped DLL 36 IoCs

pid	Process
4504	MsiExec.exe
4504	MsiExec.exe
4504	MsiExec.exe
4504	MsiExec.exe
4504	MsiExec.exe
4504	MsiExec.exe
4504	MsiExec.exe
4504	MsiExec.exe
4504	MsiExec.exe
4504	MsiExec.exe
4504	MsiExec.exe
4504	MsiExec.exe
1820	MsiExec.exe
1020	regsvr32.exe
4972	regsvr32.exe
1820	MsiExec.exe
1820	MsiExec.exe
1820	MsiExec.exe
1820	MsiExec.exe
3548	regsvr32.exe
1820	MsiExec.exe
5032	Process not Found
1820	MsiExec.exe
1820	MsiExec.exe
1820	MsiExec.exe
1820	MsiExec.exe
1820	MsiExec.exe
1820	MsiExec.exe
1820	MsiExec.exe
1820	MsiExec.exe
1820	MsiExec.exe
1820	MsiExec.exe
1820	MsiExec.exe
4504	MsiExec.exe
3960	FWAService.exe
3960	FWAService.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\FWAInstaller = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe\" -r"	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	Msiexec.exe
File opened (read-only)	\??\N:	Msiexec.exe
File opened (read-only)	\??\O:	Msiexec.exe
File opened (read-only)	\??\X:	Msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	Msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	Msiexec.exe
File opened (read-only)	\??\U:	Msiexec.exe
File opened (read-only)	\??\V:	Msiexec.exe
File opened (read-only)	\??\Y:	Msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	Msiexec.exe
File opened (read-only)	\??\P:	Msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	Msiexec.exe
File opened (read-only)	\??\R:	Msiexec.exe
File opened (read-only)	\??\W:	Msiexec.exe
File opened (read-only)	\??\Z:	Msiexec.exe
File opened (read-only)	\??\Q:	Msiexec.exe
File opened (read-only)	\??\S:	Msiexec.exe
File opened (read-only)	\??\T:	Msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	Msiexec.exe
File opened (read-only)	\??\E:	Msiexec.exe
File opened (read-only)	\??\J:	Msiexec.exe
File opened (read-only)	\??\M:	Msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	FWAService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	FWAService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	FWAService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	FWAService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_ECDD3935CC754E5CFA6B9F744727AB95	FWAService.exe
File created	C:\Windows\system32\wbem\AutoRecover\58AA3B985A5BFAEC5D9B77D0AD5C7F5C.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\DE1DB967FB7CEA504C65A2D332374471.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\132C6C2DF8780F3C400C568756339D78.mof	mofcomp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5	FWAService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5	FWAService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_ECDD3935CC754E5CFA6B9F744727AB95	FWAService.exe
File created	C:\Windows\system32\wbem\AutoRecover\73317743DE50685770A3220F43E970CA.mof	mofcomp.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWAMigrator.dll	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWAService.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\fardisk.sys	FSSInstaller.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\fardisk.sys	FSSInstaller.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWA_UI_Agent.exe	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\X64\FwaKbd.sys	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\ModulesUpgradeMgr.exe	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\UserNotificationHelper.exe	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\MigrationHelper_32.exe	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FaronicsWebProduct.mof	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\Win32\FwaKbd.sys	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\StorageSpaces.dll	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FarSpaceX64.sys	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\MigrationHelper_64.exe	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\X64\FwaKbd.inf	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FSSInstaller.exe	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FaronicsWebProduct_v2.mof	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWALocker_32.exe	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWALocker_64.exe	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWAWmiProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FarWsClient.dll	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\Win32\FwaMouse.sys	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\NotificationHelper.exe	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\fardisk64.sys	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\DeepFreezeAdapter.dll	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\Win32\FwaKbd.inf	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\X64\FwaMouse.inf	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FarSpace.sys	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\StorageSpaces.mof	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\fardisk32.sys	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\WebAgent.mof	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FaronicsSA.exe	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FwaCore.dll	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\Win32\FwaMouse.inf	msiexec.exe
File created	C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\X64\FwaMouse.sys	msiexec.exe

Drops file in Windows directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSID2FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A65.tmp	msiexec.exe
File created	C:\Windows\Installer\e579a8a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E54.tmp	msiexec.exe
File created	C:\Windows\Installer\{E2D76ECB-CE09-4587-9D5F-57711F9CF222}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE66B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFF5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e579a8a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA08A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E2D76ECB-CE09-4587-9D5F-57711F9CF222}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF587.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA03A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA514.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F01.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA563.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE570.tmp	msiexec.exe
File opened for modification	C:\Windows\Products.ini	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1A5.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF41E.tmp	msiexec.exe
File created	C:\Windows\Installer\e579a8e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA127.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE9C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB02.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{E2D76ECB-CE09-4587-9D5F-57711F9CF222}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE26F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2ED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE30D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE802.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2870.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA36B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA477.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF557.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA3E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE8AF.tmp	msiexec.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2500	schtasks.exe
2256	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4456	taskkill.exe

Modifies data under HKEY_USERS 60 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	FWAService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	FWAService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	FWAService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	FWAService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	FWAService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	FWAService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	FWAService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FAR.DFE.Adapter	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\PolicyId = "1"	ModulesUpgradeMgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\CK = "d3dc1247ba8c48ac845f1b5aa6295c2c"	ModulesUpgradeMgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{D5460976-987D-4418-AA5E-BD3497AD2DC7}\FWA_PROXY_SETTINGS	FWAService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87CD0BC6-16D2-4E1F-ACDF-77F6859DD884}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\Policy	ModulesUpgradeMgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC3CB54-E27B-479E-B808-839B782649BC}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAR.DFE.Adapter.1\ = "DFEAdapter Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83FAD298-BEB5-44BE-9756-5CDB2D2304CC}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FAR.DFE.Adapter.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAR.DFE.Adapter\ = "DFEAdapter Class"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCE67D2E90EC7854D9F57517F1C92F22\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA220945-0674-4494-B122-93EF5A4A6345}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAR.DFE.Adapter.1\CLSID\ = "{5DC3CB54-E27B-479E-B808-839B782649BC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StorageSpaces.FaronicsStorageSpace\CurVer\ = "StorageSpaces.FaronicsStorageSpace.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA220945-0674-4494-B122-93EF5A4A6345}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C5D763D9-2422-4B2D-A425-02D5BD016239}\1.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5D763D9-2422-4B2D-A425-02D5BD016239}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Faronics\\Faronics Cloud\\Faronics Cloud Agent\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6055DB66-56A9-4264-8A2D-EC1E19293928}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent	ModulesUpgradeMgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9022825-AEEE-4AF6-87C0-4BCE6608DCCB}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCE67D2E90EC7854D9F57517F1C92F22\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ProductInstaller\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\WID = "00000000000000000000E27D0092C90A"	FWAService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FAR.DFE.Adapter\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87CD0BC6-16D2-4E1F-ACDF-77F6859DD884}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\GroupId = "2"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA220945-0674-4494-B122-93EF5A4A6345}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C5D763D9-2422-4B2D-A425-02D5BD016239}\1.0\FLAGS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87CD0BC6-16D2-4E1F-ACDF-77F6859DD884}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\Version	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA220945-0674-4494-B122-93EF5A4A6345}\AppID = "{{FEE93EA4-7276-4010-9EEB-318186C4521B}}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC3CB54-E27B-479E-B808-839B782649BC}\ = "DFEAdapter Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA220945-0674-4494-B122-93EF5A4A6345}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\SiteType = "2"	ModulesUpgradeMgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA220945-0674-4494-B122-93EF5A4A6345}\ = "FaronicsStorageSpace Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\PolicyId = "1"	FWAService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC3CB54-E27B-479E-B808-839B782649BC}\InprocServer32	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCE67D2E90EC7854D9F57517F1C92F22\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCE67D2E90EC7854D9F57517F1C92F22\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83FAD298-BEB5-44BE-9756-5CDB2D2304CC}\InprocServer32\ = "C:\\PROGRA~2\\Faronics\\FARONI~1\\FARONI~1\\FWAWMI~1.DLL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC3CB54-E27B-479E-B808-839B782649BC}\TypeLib\ = "{C5D763D9-2422-4B2D-A425-02D5BD016239}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\StorageSpaces.DLL\AppID = "{FEE93EA4-7276-4010-9EEB-318186C4521B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StorageSpaces.FaronicsStorageSpace	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\Version = "2.22.2100.804"	FWAService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC3CB54-E27B-479E-B808-839B782649BC}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87CD0BC6-16D2-4E1F-ACDF-77F6859DD884}\ = "IDFEActions"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{87CD0BC6-16D2-4E1F-ACDF-77F6859DD884}\TypeLib	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\{D5460976-987D-4418-AA5E-BD3497AD2DC7}\FWA_PROXY_SETTINGS\AuthRequired = "0"	FWAService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC3CB54-E27B-479E-B808-839B782649BC}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FEE93EA4-7276-4010-9EEB-318186C4521B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9022825-AEEE-4AF6-87C0-4BCE6608DCCB}\1.0\ = "StorageSpaces 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\Group	FWAService.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5DC3CB54-E27B-479E-B808-839B782649BC}\Version	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5D763D9-2422-4B2D-A425-02D5BD016239}\1.0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC3CB54-E27B-479E-B808-839B782649BC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\MobileSupportEnabled = "false"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\CoreInfoVersion = "1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}\FWA_GUI_Agent\CoreInfoVersion = "1"	FWAService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAR.DFE.Adapter.1\ = "DFEAdapter Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5D763D9-2422-4B2D-A425-02D5BD016239}\1.0\FLAGS\ = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DC3CB54-E27B-479E-B808-839B782649BC}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{359C24F1-51B5-44CE-8F2D-2FBB1A0FE4EA}	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1008	msiexec.exe
1008	msiexec.exe
888	FaronicsSA.exe
888	FaronicsSA.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
640	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2224	Msiexec.exe
Token: SeIncreaseQuotaPrivilege	2224	Msiexec.exe
Token: SeSecurityPrivilege	1008	msiexec.exe
Token: SeCreateTokenPrivilege	2224	Msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2224	Msiexec.exe
Token: SeLockMemoryPrivilege	2224	Msiexec.exe
Token: SeIncreaseQuotaPrivilege	2224	Msiexec.exe
Token: SeMachineAccountPrivilege	2224	Msiexec.exe
Token: SeTcbPrivilege	2224	Msiexec.exe
Token: SeSecurityPrivilege	2224	Msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	Msiexec.exe
Token: SeLoadDriverPrivilege	2224	Msiexec.exe
Token: SeSystemProfilePrivilege	2224	Msiexec.exe
Token: SeSystemtimePrivilege	2224	Msiexec.exe
Token: SeProfSingleProcessPrivilege	2224	Msiexec.exe
Token: SeIncBasePriorityPrivilege	2224	Msiexec.exe
Token: SeCreatePagefilePrivilege	2224	Msiexec.exe
Token: SeCreatePermanentPrivilege	2224	Msiexec.exe
Token: SeBackupPrivilege	2224	Msiexec.exe
Token: SeRestorePrivilege	2224	Msiexec.exe
Token: SeShutdownPrivilege	2224	Msiexec.exe
Token: SeDebugPrivilege	2224	Msiexec.exe
Token: SeAuditPrivilege	2224	Msiexec.exe
Token: SeSystemEnvironmentPrivilege	2224	Msiexec.exe
Token: SeChangeNotifyPrivilege	2224	Msiexec.exe
Token: SeRemoteShutdownPrivilege	2224	Msiexec.exe
Token: SeUndockPrivilege	2224	Msiexec.exe
Token: SeSyncAgentPrivilege	2224	Msiexec.exe
Token: SeEnableDelegationPrivilege	2224	Msiexec.exe
Token: SeManageVolumePrivilege	2224	Msiexec.exe
Token: SeImpersonatePrivilege	2224	Msiexec.exe
Token: SeCreateGlobalPrivilege	2224	Msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4504	MsiExec.exe
Token: SeSecurityPrivilege	4504	MsiExec.exe
Token: SeTakeOwnershipPrivilege	4504	MsiExec.exe
Token: SeLoadDriverPrivilege	4504	MsiExec.exe
Token: SeSystemProfilePrivilege	4504	MsiExec.exe
Token: SeSystemtimePrivilege	4504	MsiExec.exe
Token: SeProfSingleProcessPrivilege	4504	MsiExec.exe
Token: SeIncBasePriorityPrivilege	4504	MsiExec.exe
Token: SeCreatePagefilePrivilege	4504	MsiExec.exe
Token: SeBackupPrivilege	4504	MsiExec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4288	FWAInstallMonitor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2224	1604	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe	96
PID 1604 wrote to memory of 2224	1604	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe	96
PID 1604 wrote to memory of 2224	1604	1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe	96
PID 1008 wrote to memory of 4504	1008	msiexec.exe	99
PID 1008 wrote to memory of 4504	1008	msiexec.exe	99
PID 1008 wrote to memory of 4504	1008	msiexec.exe	99
PID 4504 wrote to memory of 4456	4504	MsiExec.exe	100
PID 4504 wrote to memory of 4456	4504	MsiExec.exe	100
PID 4504 wrote to memory of 4456	4504	MsiExec.exe	100
PID 4504 wrote to memory of 4288	4504	MsiExec.exe	102
PID 4504 wrote to memory of 4288	4504	MsiExec.exe	102
PID 4504 wrote to memory of 4288	4504	MsiExec.exe	102
PID 1008 wrote to memory of 1820	1008	msiexec.exe	104
PID 1008 wrote to memory of 1820	1008	msiexec.exe	104
PID 1008 wrote to memory of 1820	1008	msiexec.exe	104
PID 1820 wrote to memory of 1116	1820	MsiExec.exe	105
PID 1820 wrote to memory of 1116	1820	MsiExec.exe	105
PID 1820 wrote to memory of 1116	1820	MsiExec.exe	105
PID 1820 wrote to memory of 5000	1820	MsiExec.exe	108
PID 1820 wrote to memory of 5000	1820	MsiExec.exe	108
PID 1820 wrote to memory of 5000	1820	MsiExec.exe	108
PID 1820 wrote to memory of 3948	1820	MsiExec.exe	110
PID 1820 wrote to memory of 3948	1820	MsiExec.exe	110
PID 1820 wrote to memory of 3948	1820	MsiExec.exe	110
PID 1820 wrote to memory of 1020	1820	MsiExec.exe	112
PID 1820 wrote to memory of 1020	1820	MsiExec.exe	112
PID 1820 wrote to memory of 1020	1820	MsiExec.exe	112
PID 1820 wrote to memory of 4972	1820	MsiExec.exe	113
PID 1820 wrote to memory of 4972	1820	MsiExec.exe	113
PID 1820 wrote to memory of 4972	1820	MsiExec.exe	113
PID 1820 wrote to memory of 4244	1820	MsiExec.exe	114
PID 1820 wrote to memory of 4244	1820	MsiExec.exe	114
PID 1820 wrote to memory of 4244	1820	MsiExec.exe	114
PID 1820 wrote to memory of 3548	1820	MsiExec.exe	116
PID 1820 wrote to memory of 3548	1820	MsiExec.exe	116
PID 1820 wrote to memory of 3548	1820	MsiExec.exe	116
PID 1820 wrote to memory of 4280	1820	MsiExec.exe	118
PID 1820 wrote to memory of 4280	1820	MsiExec.exe	118
PID 1820 wrote to memory of 4280	1820	MsiExec.exe	118
PID 4280 wrote to memory of 880	4280	rundll32.exe	119
PID 4280 wrote to memory of 880	4280	rundll32.exe	119
PID 4280 wrote to memory of 880	4280	rundll32.exe	119
PID 880 wrote to memory of 2024	880	runonce.exe	120
PID 880 wrote to memory of 2024	880	runonce.exe	120
PID 880 wrote to memory of 2024	880	runonce.exe	120
PID 1820 wrote to memory of 4464	1820	MsiExec.exe	121
PID 1820 wrote to memory of 4464	1820	MsiExec.exe	121
PID 1820 wrote to memory of 4464	1820	MsiExec.exe	121
PID 4464 wrote to memory of 60	4464	rundll32.exe	122
PID 4464 wrote to memory of 60	4464	rundll32.exe	122
PID 4464 wrote to memory of 60	4464	rundll32.exe	122
PID 60 wrote to memory of 1684	60	runonce.exe	124
PID 60 wrote to memory of 1684	60	runonce.exe	124
PID 60 wrote to memory of 1684	60	runonce.exe	124
PID 3568 wrote to memory of 1188	3568	FSSInstaller.exe	127
PID 3568 wrote to memory of 1188	3568	FSSInstaller.exe	127
PID 1008 wrote to memory of 2180	1008	msiexec.exe	129
PID 1008 wrote to memory of 2180	1008	msiexec.exe	129
PID 1008 wrote to memory of 2180	1008	msiexec.exe	129
PID 2180 wrote to memory of 1616	2180	ModulesUpgradeMgr.exe	131
PID 2180 wrote to memory of 1616	2180	ModulesUpgradeMgr.exe	131
PID 2180 wrote to memory of 1616	2180	ModulesUpgradeMgr.exe	131
PID 2180 wrote to memory of 4608	2180	ModulesUpgradeMgr.exe	133
PID 2180 wrote to memory of 4608	2180	ModulesUpgradeMgr.exe	133

C:\Users\Admin\AppData\Local\Temp\1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe
"C:\Users\Admin\AppData\Local\Temp\1365039baed4ec04983d16a583a332b818b2af9977807e5481310528897b02b3.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\SysWOW64\Msiexec.exe
  Msiexec /i "C:\Users\Admin\AppData\Local\Temp\ProductInstaller\Web Agent_C64.msi" /q REBOOT="ReallySuppress"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:2224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9D894254DE3332F5C268BC9FF29FF860
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM FWAInstallMonitor.exe /F
    3⤵
    - Kills process with taskkill
    PID:4456
- - C:\ProgramData\FWAInstallMonitor.exe
    "C:\ProgramData\FWAInstallMonitor.exe" /StartMonitor /CreateStartUpMonitorTask /MsiPath "C:\Users\Admin\AppData\Local\Temp\ProductInstaller\Web Agent_C64.msi" /Pid 4504
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\FWACleanupScheduler.bat
      4⤵
      PID:848
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /tn LaunchStartUpFWAInstallHelper /f
        5⤵
        
        PID:4864
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU System /tn LaunchStartUpFWAInstallHelper /tr "\"C:\ProgramData\FWAInstallMonitor.exe\" /StartMonitorAtStartUp 5 /MsiPath C:\Users\Admin\AppData\Local\Temp\FaronicsCloudAgent.msi" /sc onstart
        5⤵
        Creates scheduled task(s)
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\FWACleanupScheduler.bat
      4⤵
      PID:2548
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /tn LaunchFWACleanupHelper /f
        5⤵
        
        PID:4512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\FWACleanupScheduler.bat
      4⤵
      PID:1888
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /tn LaunchStartUpFWAInstallHelper /f
        5⤵
        
        PID:540
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BC45D9ADD9622E10E592AC84C226CEBF E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp.exe" "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FaronicsWebProduct.mof"
    3⤵
    - Drops file in System32 directory
    PID:1116
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp.exe" "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FaronicsWebProduct_v2.mof"
    3⤵
    - Drops file in System32 directory
    PID:5000
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp.exe" "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\WebAgent.mof"
    3⤵
    - Drops file in System32 directory
    PID:3948
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\DeepFreezeAdapter.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1020
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWAWmiProvider.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4972
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp.exe" "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\StorageSpaces.mof"
    3⤵
    - Drops file in System32 directory
    PID:4244
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\StorageSpaces.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3548
- - C:\Windows\syswow64\rundll32.exe
    "rundll32.exe" SETUPAPI.DLL InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\X64\Fwakbd.inf
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        Modifies data under HKEY_USERS
        
        PID:2024
- - C:\Windows\syswow64\rundll32.exe
    "rundll32.exe" SETUPAPI.DLL InstallHinfSection DefaultInstall 128 C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\X64\FwaMouse.inf
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        Modifies data under HKEY_USERS
        
        PID:1684
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /RU System /SC ONSTART /tn FWASvcHelperMonitortask /tr "'C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWA_UI_Agent.exe' /CHECKSVCHEALTH" /F
    3⤵
    - Creates scheduled task(s)
    PID:2500
- C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\ModulesUpgradeMgr.exe
  "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\ModulesUpgradeMgr.exe" 2.22.2100.804 "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\\" LaunchFromInstaller
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\ProgramData\Faronics\StorageSpace\FWA\modules\AVBLicPatch.exe
    "C:\ProgramData\Faronics\StorageSpace\FWA\modules\AVBLicPatch.exe"
    3⤵
    - Executes dropped EXE
    PID:1616
- - C:\ProgramData\Faronics\StorageSpace\FWA\modules\SCPwdChecker.exe
    "C:\ProgramData\Faronics\StorageSpace\FWA\modules\SCPwdChecker.exe"
    3⤵
    - Executes dropped EXE
    PID:4608

C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FSSInstaller.exe
"C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FSSInstaller.exe" /CreateFSS=750
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\system32\fsutil.exe
  "fsutil" file createnew C:\Fss0.dsk 786432000
  2⤵
  PID:1188

C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWAService.exe
"C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWAService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:3960
- C:\ProgramData\Faronics\StorageSpace\FWA\modules\ModulesUpgradeMgr.exe
  "C:\ProgramData\Faronics\StorageSpace\FWA\modules\ModulesUpgradeMgr.exe" 2.22.2100.804 "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\"
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FaronicsSA.exe
  "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FaronicsSA.exe" 3960
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:888
- C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWA_UI_Agent.exe
  "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWA_UI_Agent.exe"
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWA_UI_Agent.exe
  "C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWA_UI_Agent.exe" /WATCHDOG
  2⤵
  - Executes dropped EXE
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579a8d.rbs

Filesize
4.4MB

MD5
e0b61ccde8573bbd23743b4af64e5a99

SHA1
c206fbb5728d7da110dde60b456a4547c2b790ec

SHA256
cefec29000c80ab9733d9d8306a0d56bd22af289dff1666f4c034f396d9ad3ba

SHA512
7905688d16ef8f3acdc5c523dec26fb863df29862905b9cebdf5a8eba15f936a21a001ab4743541e9a023d6eb0bc0e82471e2ba4ae9c5aee2951a4a582bf5f43

Download Submit
C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\DeepFreezeAdapter.dll

Filesize
1.6MB

MD5
6451430dd611914e287e31a03b982378

SHA1
0696655b8726bd50ec8e3064bf3532c7a018e310

SHA256
73473d0f1d07763109f991611980f658410d16f4179b31291f2553dafa7a04bc

SHA512
ba2a71a484b750e28a2d799ab2b43cc21651ded532e4532ab840b1a4c52b40dd56b4d390855169d208955c68732b60bfd7b080379c0509d065ccc64f85e339c4

Download Submit
C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FWAWmiProvider.dll

Filesize
286KB

MD5
6bfb227838de5469e1d7a4c7f146d137

SHA1
968e34059c38d51a9673e45d1f4fcc6f69686ad1

SHA256
3753d7ebef8cd279460af04d701fb8a3663eae9db394b42895d0fdf2055a907d

SHA512
4300ca6f8f4b1dd1ca22da2b8ce009e82f462fd0a3c3395967925e1fd22bfcd1da71549f378541a33c14ab90ee4f0552f1afef0de8d3017747cc5cef7c862c1e

Download Submit
C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FaronicsWebProduct.mof

Filesize
719B

MD5
7fa8d87869afb2f84d5ca36b9402a555

SHA1
7eaeb6ef29530cfa0b86c8ead2450cd2e7404e87

SHA256
ad81deda391bacdb17148de21b56281308c557ef998bdbcda71186b786ac2503

SHA512
3dff08d3becc8b0dd99e5c4569cfa22581f5e17575f83c68d753d4ae4b223f00a927d1fceed03d64c8729d800e98d0b851259f001c5355b63c9473a2897298b9

Download Submit
C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\FaronicsWebProduct_v2.mof

Filesize
4KB

MD5
c2153986413b79d14ef7e88c38194a4c

SHA1
0261d8e1ff1a94d3d7f056d68c54b79e4fd3b699

SHA256
1d3936d0973b63a09159e1f18227ffa34c0d7d5b4752ad1fa183dc1d6819ebd6

SHA512
42cacd3e9926d13f766926e54761a23ac9a7b73aeec141a569da38fed9e98194098248256ad68160e3334204f814dd52fa2aed8908c00cb1406cb78a66dbea0f

Download Submit
C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\X64\FwaKbd.sys

Filesize
22KB

MD5
9bccc38f545b36e9fb431c9bbb23a8dd

SHA1
2ea6514c3dba77d8957641ee80e4be7f514b3745

SHA256
57f97dec16e3a1b1e6fcca8ca3aff47960fe23c9c8fcbb9a6dd4fc8d95306cb0

SHA512
46b7ccc56eff104e84bb7b5e5be73d1d30e52857237c5cf7cc7f7d2826a7df441f8ecda1108e36d0653d4cbd1aa0427c7d9ef307fd3354f9354f45a1b1391b40

Download Submit
C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\X64\FwaMouse.inf

Filesize
4KB

MD5
741a9b8d4841868beecd0556a50e1c13

SHA1
f4646a5259480a569a12fdd97e51016376dc57da

SHA256
e19937a71809f3fda0f2aac9c8e471bd0d33d9c8e4e711df5b148e23c47e1c6d

SHA512
24a085735fef1291a1efb5ae1d59f30fdca376d71426dc387aabd87baf0df902698c422c8b45b00a1a03629cdefd9013b50ce2de836de97e52f4e00cc909fa35

Download Submit
C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\KbdMouse\X64\Fwakbd.inf

Filesize
4KB

MD5
880beecb416129cc2592b4e2b38ffedd

SHA1
c2f21dc2cd2c6d00424a38656ad3e4256e8c6fca

SHA256
d29560966fad671d85c59edc9c2f237b2a5b6ba3541d5c499ca88bd083d31236

SHA512
1a56d32defdc9d27080d7d84bc28622734886e4edc057c1e65b17b6194ef29cae8994aeec6595f0d74198cfd8ea317a07d462d0bce91c25f3e6bc4f21890bfba

Download Submit
C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\StorageSpaces.dll

Filesize
331KB

MD5
d4a2ab3196a7dd6db431f78b39de0f9e

SHA1
aebf6f2363c5907f803f8fd29c485949b67ed434

SHA256
731bd0168c964438bb388f7a7213e4be740f880e5e414b004da692c06334e18a

SHA512
05fc7c24c820555fad59c9cbb689af4b4de516302631335845df4265a801503c84379bebf0f03403e336f90be42c754d95659df7d4a66fe99ca3cf517edad79e

Download Submit
C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\StorageSpaces.mof

Filesize
6KB

MD5
acb011eebd496621b25036ad0368a792

SHA1
7c9ae920ae5b72627ea6578157a4a9837dc0e94a

SHA256
835d7a0cc6a5b5828db951848deb043df0711f59875d2e8790d3bb39a8b3f390

SHA512
cab3410e52272eb729e2d52a09020029840bfa8ecb249e2850535d44c36e39f7d0d9e4495a53b7c48ef84ba4285007525b50d5edb5a9b3bf92d8aec1d0ec4098

Download Submit
C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\WebAgent.mof

Filesize
15KB

MD5
cec2f149961e975fc3c2d86d75ef32c9

SHA1
f64db95f6d0a22fe54fd5bff2a3b90d9ff7f600e

SHA256
3266480072382642e4a36c701ac331b240a41ed429ba72a5746840d31d517324

SHA512
8a0f53f6bd82c75e43c952449d556e09c5856f08a9e80dcf94eb5a25f6d11d01d2fd7e5f28402ca53826677d19fcc55d2a9a45841fab0d6a1ccfdad227222dc0

Download Submit
C:\Program Files (x86)\Faronics\Faronics Cloud\Faronics Cloud Agent\fardisk.sys

Filesize
44KB

MD5
f271435f04b4e9ce92a176c8097a1f61

SHA1
eee912fb347988004ce0d690e36eca5df2733368

SHA256
10618ce313212f7e4fdd2b945c059bddaa8d0cd2b68c495fcb08fd1d2d65ae2a

SHA512
cf41a70b61f79603273f30c07ca64164d5ee3f0120b1f0ba52b3f6146af4a0afc337b770e66cedd5d65cf444f10bafbf58e6b61e171ba8e56acb2ccba0ea42dd

Download Submit
C:\ProgramData\CloudAgentCleanupHelper.LOG

Filesize
25KB

MD5
44ff6aca27ffcf6dc45703740ac42385

SHA1
54f7f31c6254d0b2ccda74619e2eed15ae72633f

SHA256
ae5b5c96f87bcce7a2d302251dbd40b4d774fc92f72ac674ac7bf2ce6b134eb4

SHA512
b8c8e5719d6a48beca06dcaefa0ad1feb922400ca019aa6b5127b702cc1e416751e5a680eee4ba4f4573b1c071e47cc19928a158142b34422c0d3f47e1a891c8

Download Submit
C:\ProgramData\CloudAgentCleanupHelper.LOG

Filesize
581B

MD5
d2501ce230119bd553e90f5f3e5a3c14

SHA1
23f6539632ea5c3c7954c73d2d08ff2fb141b7a7

SHA256
980048573d177b21744dd7518c1ff8b76d5532fcbcb1d946b8f71fc8a8401714

SHA512
0d0e92118d91b3a84a17b99858894b99f5f85ad251e26e59f7604d77103293ff39ae3523f6fef33f4c60b6b03a7221848c0ec2e3f91e74f48a83b050554d6594

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\State.dat

Filesize
18KB

MD5
2a763b0cfc9570d1c7dd82bec7d959e1

SHA1
85090fa3f3c69558c5ac921d9f84f50057bd8195

SHA256
814b95d27aa98f3d22361a00b955a4e6abade152b742bd12d673fc3dd1ceb1d1

SHA512
229cbdd3b7b2a45de6afba71ba181f6accb30ec409edde193c5315ff576ba3e8c7c599ee9edbf3ad70dad5a2a49155dabad6d65e9e2acc5639b777eff3a46a9b

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\State.dat

Filesize
18KB

MD5
59df84c3110b3e6c532f2a2ad5c280a7

SHA1
afc30dd058d3d2483d3da024c0729cac787c8343

SHA256
658b267a0cba04c6320074ede08d9e1c2a869001bef2e8985667f91354f5e6f4

SHA512
2a69374d57828a6156be3880cae46cd66600ca024dc0b88521aae1ac8e898c27fc59f1608f0e995dc4b91f2141674be3ee7ba703ad7978c9b43ec7de33bacc2f

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\State.dat

Filesize
33KB

MD5
2fc615793d9adc3b5bad8c45fb20211c

SHA1
b9238dc59073092dfe04d811181a683a3c79607f

SHA256
51237fba2f29ead307e9c81f33bc35a3afa5c138cedcd17b0a44d009cb9aa15a

SHA512
84906f8f15d065fe9f5440f13ba9aa633966b7e7d42d553157b3189b506ac03d7bdd629ec454e32db7b02c380a33b622508e99992b940b2fa127cac696b8f574

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\State.dat

Filesize
30KB

MD5
be57956c0b79c67e81fe1c0aa7fa9d46

SHA1
4e4332b5cab3c12c187a7666dd9b69627a2c5674

SHA256
1e176942bac42f0839fc5f23accf4c63b063c99e657ba2f309dc9712290bbaef

SHA512
a13148ea6d554b11d9d1ab35702b5e023d2025f48ac84cca5d7e3d655f5d346a2a3db674572f7d5c0b16b455262544f59c029b9fcef56af31f4ac0fac6f964a8

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\State.dat

Filesize
30KB

MD5
28141bff2c96f56afe851c7626667cce

SHA1
5d0a8a726a15ce64f7292efab0b8d6be280f77ca

SHA256
c3f6843631fba1ceb64e7eeee252ad4fa9f6a7f3dee24d6c8eed20d8ad79d189

SHA512
b58ecd4b0f582e2fb2cb9eca6f378bee3f5b0d5c6f6dbab31b0088b8e62a238423695df3f02e71cef1b20a97c9d770cb7e243a252ce1f749cc516ac562dfd542

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\State.dat

Filesize
37KB

MD5
cf3454a66af79f856e833330ac6a0b0d

SHA1
94b8c160ff688737c3c8f111dd716f7893be9a49

SHA256
fccaf259adf15ba14ef6d4cfa2ea5c2d76067115f652d0c1823b5a909a1c0154

SHA512
cba2bb8a536392f4ceef7aa36ba72909d232cb6885732aac199be6026efb85de1b45c2738796a4c8642e9d881e514e6f504ebc83feaceb7c021e6b242aaecbad

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\Tasks.dat

Filesize
20KB

MD5
76628078d4a5d0736fd9bc725a6ce58f

SHA1
f4c5ac2faf11d829e99d56153eb4ded7e6d85747

SHA256
a069f8f43a460e9d2b966975e1f9665fbfcea9a461e0a42c3d7f11b763001ea6

SHA512
b4dbdaa05188080d09e578efef3624d3c48890c85c4c00ecf198d03568508d89e6465d734752927d2c08715ef8fd69387bf294d10c8ebfb2bf09ecc3662cbd4e

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\Tasks.dat

Filesize
20KB

MD5
3ebc02d77cf298d4c1c8b81aa117fe18

SHA1
6d718cf00626a34c0d773258fef36e550c0685be

SHA256
bc40bcc00758640daf40e1f6c9a60062ec79ee544dee148d17f5846199d6cdf7

SHA512
bbd99df6843d3e2dbd9aa07a80dc3eabc9ad32d097ee4e53ab202985a345a2f79c482c9ac90091df0b8cd7342dd37c0758c78d162f399c90c3abcdc4f06f8f9f

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\WebAgentConfig.xml

Filesize
5KB

MD5
f1d4518f39b23b200196514b357eff1b

SHA1
7f02206a753bf226adc10b37c2cece7afa140da6

SHA256
002ab08ba6aec587ea36ddb63d61349a4affe6a7f0c314ab830fa656ad77d2b5

SHA512
dbe12d29ec8db0dc900fd0c0a4639f56566806dc486d8342ee5cf724869ffdb6e6363155b14507ecb48bf9c3593e125327b38374c46810f4b62afe72aa70ce44

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\modules\AVBLicPatch.exe

Filesize
140KB

MD5
23ee006ed6ac5ad3ab8aea5ca32a3b53

SHA1
ccd16a6a22694f28ae125b3f4d7839f06eedbb16

SHA256
69ba3883965f1c3193e084212d4af4b087e68d4dd9f7903bdb78ae2733c5c405

SHA512
50fc105747866a9c34829a98e1771af227b49806f858d0f88803e389ed6d2cfcf6346584caf4d133230cd4afb8f6dfe8fee8332be817d39801f0d7f6f309bff4

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\modules\SCPwdChecker.LOG

Filesize
1KB

MD5
b8b9375a241750fdb341badd1de85631

SHA1
531aac0af1ab831c7fe6bf57248049d442875bf0

SHA256
21615bc753272c1755b0db716239041b0b89e5725ebe28a2e396d54382f93093

SHA512
bd399f17445a2d7a63aea7a29bd4777dc0c0cf81d008ec170a8f96ad99cee238d70ccb17ac52906f739220507814b2f6aff4c4b4e01173b4da0a5fb36945151f

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\tempModules\FwaCore.dll

Filesize
3.6MB

MD5
fff308b4d9adfeb19d53a39e7621c655

SHA1
6bd6aed41dfe0c69d323e99563c5644e3ade4fc5

SHA256
0173b05ee7021fd55f9d07cdf88747315a1cd5e4be1a49c6a0d2f9954bf260cf

SHA512
e2136f6656fa973eb4452ae95b516cc92c3309e6d926acbdf58553326359128d0eb6de5145bc03040ab2610f3381881f88d6d9010555075c89840f78dd37a637

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\tempModules\ModulesUpgradeMgr.exe

Filesize
690KB

MD5
472806d4bde1da87f9e99fef255aec7b

SHA1
61d120480773207debc5b51b3b80269a7b17e655

SHA256
dd5a68f785549ce3a957406dc65e78ceaf0cabd587a7bb9e9dd97e84ed110bc5

SHA512
5a2f693b666df27fcd4f082b1cd1d8d02160b8d935ad5705d3214cf253ac0ead74fe7d811e06dad613c6604eb5774baafbc450663220eb11948a89015f95ba25

Download Submit
C:\ProgramData\Faronics\StorageSpace\FWA\tempModules\SCPwdChecker.exe

Filesize
382KB

MD5
b47fba7aca9365359c3da69eba378316

SHA1
5e766ff817092c9a836bf02dfa8ee44114b931ce

SHA256
e98fd9de22cfc794b77923427ac18f32961e15a47f7af8c3c593c5a679646d3b

SHA512
872e968c84ea64d46736d6bf693450d72bca8ff01c066f76e6b6970518fcadb875ab050b0a1a188cc781b969aad0d848d2de7505b7e4eac333779116aa8f7cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI79858.LOG

Filesize
1KB

MD5
5360bbc1fb870b094af6f82b0a181b0a

SHA1
ea9a44aaf9ff480bcfcaa8547a8421eb27aa31d9

SHA256
b3de4655c8ca2740e6a121e5af0d8650007dca0534cd8c18b77fb15ce4df2393

SHA512
f29b851b4bfd3e50a84c628a0bcdfc4e037140f4ccc48acfcbd16a2df3105f069bd728c4ed7e2499dde8a5d8cb49704c1970a54c2d9c3beb409ddbe747ea623c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProductInstaller\Web Agent_C64.msi

Filesize
8.3MB

MD5
e67cae084a4781797efbda37df6f761a

SHA1
cdd484f4a1a77d8b6548ba59642e4af217ac83d7

SHA256
16ffa6484f98e934c714e596dce6c1922a0709597c04ab478dce19997b0561f9

SHA512
294a3ff3c0b5f233c0a2ad7e49ee3a31153bd702e9e91d332352a9f3099c72d92e93aec9b2617e70df82fb3de6103c7882f005104d93d915a10c71641451e87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E2D76ECB-CE09-4587-9D5F-57711F9CF222}\FWACleanupHelper.exe

Filesize
611KB

MD5
a1d3b9f1a7f69071e0aa97ad16a26050

SHA1
de51fe146cbe31b01f336acc9e41d69555592870

SHA256
2489b9c27fa17d083d79d4def4fdf6659aa2ad9f8d6a3148cdab1bbca943adea

SHA512
b78a6ae638b9205ef3074429d37d3ecf7b39f417e1052f8edc8a7a8b5f0a092741d45e3bcfc182530a072dd42340f2ee1d3036a537c6cec46ed3727412432c6b

Download Submit
C:\Windows\Installer\MSI9C01.tmp

Filesize
57KB

MD5
d480853146cffda8e468cc4d2751b405

SHA1
e0b9de6eb4e0f5a92411dfe12a2e498a39eb102b

SHA256
e1076225eafe4cca82c39a4a7db820e0fd44dd293c9847564346e4bb047214b3

SHA512
c22fe3996ea0eeaed9dc4f90e107a5e4b9c5e56fe1bf33b09db2bdc6ae52fc57fee70ca7d4b02d8f446257b2c46c5927a1961146588b7dbc0af4e6104a481f2f

Download Submit
C:\Windows\Installer\MSI9E54.tmp

Filesize
138KB

MD5
b96cc173298220d17aa0932bf3047727

SHA1
38b81f2f69916d52d5d8c95185150c20586fe0ea

SHA256
69bdcb8dbad5145459bc64ee749e84d9e92171aeff5eea37f2145319c99bdf3e

SHA512
7357ea0a95b77c2bb51283e7859b2ac000804bed4aeedeea22b7e6b261a7fece110c13f244bc3458ddaaa6d9f94ebb0098ffb37c7b5d733db49aea17e04040ca

Download Submit
C:\Windows\Installer\MSI9F01.tmp

Filesize
1.1MB

MD5
9396a1f02189f0bf3dd56f92283ce5d6

SHA1
1ff6e8ce485a3b5eeacb89a5722587a56240e4a7

SHA256
0ae8d17046dfc3c41a55ec8dc80929cc38ea366e7e94f0b0a00c73515b984a85

SHA512
7398268870de492152856c6c28f0f799b8527de45e90939e16df25f8686dace2800d1beeb54232e24a7bae4ad663d76f49063779318746fd94ed10e5599f56be

Download Submit
C:\Windows\Installer\MSIE2ED.tmp

Filesize
156KB

MD5
cbe2c68db34abd1888644d6fe278424a

SHA1
fbde05fa0c677cfb0c680b7c3e0dc57198165383

SHA256
5d04c47b83aef46fcea1d4f30647099ecdd728c97abebe6fbf9a016ba6a3a9a4

SHA512
b9c2dfb937a643b936f97b476ffb29d99e133b13086f1b9c63c010e181ddc7acb18e10e200fb4c26cfc53e018869b2ec1b6ebe2d470db504f990763835d95094

Download Submit