Analysis
- max time kernel: 134s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 07:18
- Static task: static1
- Behavioral task: behavioral1 (sample iAssistInstaller.msi, resource win7-20240508-en)
General
- Target: iAssistInstaller.msi
- Size: 34.6MB
- MD5: 1d0e56b37600e01a44929ad918d21d74
- SHA1: 1bdf869933ed3e7f1196f2a2fd8a021adc2e86c5
- SHA256: b512f37f19537645ded040070d6be27aa8539d8e007bb71527cef4b1c8f20f32
- SHA512: 1199055ba8de84a1f94ab55f0504eb7570e88837897e2e3219fd20ee83c7f3b73f031201787e7bdac5075a10b6313858fd95094035ae8dd946eb4f788ed287c1
- SSDEEP: 786432:3MZHx5AbaWxE9hHZWafeOJptURXbpedT9kHxwh6ISvwj3OxwdbcYir:SHxW+WyDkHOJpmp7nvwj3Jdbcr
Malware Config
Signatures
Sets file to hidden (1 TTP, 1 IoC)
Modifies file attributes so that the file is not shown in Explorer and similar tools.

Modifies file permissions (1 TTP, 4 IoCs)
Processes:
- PID 3052 icacls.exe
- PID 2784 icacls.exe
- PID 1864 icacls.exe
- PID 2600 icacls.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe (2 instances)
All 46 entries have the form "File opened (read-only) \??\<letter>: msiexec.exe". The drive roots opened are A:, B:, E:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y: and Z: (every letter except C:, D: and F:); each letter is listed twice, once per msiexec.exe instance.
Drops file in Windows directory (64 IoCs)
Processes: runner.exe, msiexec.exe, DrvInst.exe, attrib.exe, MsiExec.exe
- File created C:\Windows\iassist\MaterialDesignThemes.Wpf.xml runner.exe
- File created C:\Windows\iassist\Solutions\16055\citrix.ankscpt runner.exe
- File created C:\Windows\iassist\custom_scripts\657\maintainproxy.bat runner.exe
- File created C:\Windows\iassist\custom_scripts\source\21\fix.vbs runner.exe
- File created C:\Windows\iassist\Solutions\16024\showprofile.bmp runner.exe
- File created C:\Windows\iassist\System.Net.Http.Primitives.xml runner.exe
- File created C:\Windows\iassist\runner.exe runner.exe
- File created C:\Windows\iassist\runtimes\win-x86\native\WebView2Loader.dll runner.exe
- File opened for modification C:\Windows\Installer\f775227.ipi msiexec.exe
- File opened for modification C:\Windows\iassist\log4net.dll runner.exe
- File created C:\Windows\iassist\custom_scripts\2\enablepopupinchrome.bat runner.exe
- File created C:\Windows\iassist\custom_scripts\662\clearfirefoxcookiescachehistory.bat runner.exe
- File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
- File created C:\Windows\IAssist\HealITApp.exe.config msiexec.exe
- File opened for modification C:\Windows\iassist\IAssistApp.png runner.exe
- File created C:\Windows\iassist\proactiveDatabase.db runner.exe
- File created C:\Windows\iassist\sqlite3.dll runner.exe
- File created C:\Windows\iassist\StemmersNet.dll runner.exe
- File created C:\Windows\iassist\cpprest_2_10.dll runner.exe
- File created C:\Windows\iassist\runtimes\win-x64\native\WebView2Loader.dll runner.exe
- File created C:\Windows\iassist\Solutions\16022\NewProfile.ankscpt runner.exe
- File created C:\Windows\iassist\Solutions\18003\IssuesWithOpeningHyperlinkInOutlook.ankscpt runner.exe
- File opened for modification C:\Windows\iassist\System.Net.Http.dll runner.exe
- File opened for modification C:\Windows\iassist\System.Net.Http.Extensions.dll runner.exe
- File created C:\Windows\iassist\Telerik.Windows.Controls.Navigation.DLL runner.exe
- File created C:\Windows\iassist\Telerik.Windows.Data.DLL runner.exe
- File created C:\Windows\IAssist\x64\SQLite.Interop.dll msiexec.exe
- File created C:\Windows\iassist\CampaignLogo.png runner.exe
- File created C:\Windows\iassist\Microsoft.Web.WebView2.Wpf.xml runner.exe
- File created C:\Windows\iassist\Solutions\18001\NodeJS.ankscpt runner.exe
- File created C:\Windows\iassist\custom_scripts\21\deletechromebrowsinghistory.bat runner.exe
- File created C:\Windows\iassist\custom_scripts\678\iecookiesandtrustedsites.bat runner.exe
- File created C:\Windows\iassist\Solutions\18005\PrinterTroubleshooter.ankscpt runner.exe
- File created C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_A4E76B87B556A45C6A7778.exe msiexec.exe
- File created C:\Windows\iassist\AnakageProactive.exe runner.exe
- File created C:\Windows\iassist\ChatbotWelcome.png runner.exe
- File created C:\Windows\iassist\Solutions\16020\delCredential.bat runner.exe
- File created C:\Windows\iassist\Porter2Stemmer.dll runner.exe
- File opened for modification C:\Windows\IAssist attrib.exe
- File created C:\Windows\IAssist\System.Net.Http.Primitives.dll msiexec.exe
- File created C:\Windows\iassist\IAssistHelperN64.exe runner.exe
- File created C:\Windows\iassist\MH64.dll runner.exe
- File created C:\Windows\iassist\MHN64.dll runner.exe
- File created C:\Windows\IAssist\HealITApp.exe msiexec.exe
- File created C:\Windows\iassist\banner.jpg runner.exe
- File opened for modification C:\Windows\iassist\MaterialDesignColors.dll runner.exe
- File created C:\Windows\iassist\Telerik.Windows.Controls.DLL runner.exe
- File created C:\Windows\iassist\Microsoft.Web.WebView2.WinForms.dll runner.exe
- File created C:\Windows\iassist\custom_scripts\674\mappednetworkdrive.bat runner.exe
- File created C:\Windows\Installer\f775226.msi msiexec.exe
- File created C:\Windows\IAssist\x86\SQLite.Interop.dll msiexec.exe
- File created C:\Windows\IAssist\System.Data.SQLite.dll msiexec.exe
- File created C:\Windows\iassist\iAssist32.exe runner.exe
- File created C:\Windows\iassist\HealITService.exe runner.exe
- File created C:\Windows\iassist\iAssistN64.exe runner.exe
- File created C:\Windows\iassist\Solutions\18002\MaintenanceTroubleshooter.ankscpt runner.exe
- File created C:\Windows\IAssist\System.Net.Primitives.dll msiexec.exe
- File created C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_6FEFF9B68218417F98F549.exe msiexec.exe
- File created C:\Windows\iassist\Campaign.exe.config runner.exe
- File created C:\Windows\iassist\custom_scripts.zip runner.exe
- File created C:\Windows\IAssist\HealITService.InstallState MsiExec.exe
- File created C:\Windows\iassist\AnakageProactivePackager.exe runner.exe
- File created C:\Windows\iassist\custom_scripts\26\disablesystemrestart.bat runner.exe
- File opened for modification C:\Windows\Installer\MSID0DA.tmp msiexec.exe
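The record list above is long, and what matters for triage is not each file but the pattern: a non-stock directory created directly under C:\Windows, executables and scripts written into it, and a process writing a file that carries its own image name. The script below is an added example (not part of the sandbox report, and not code from the installer's vendor) that parses records in exactly the "action path process" form the report uses and produces that summary. The stock-subdirectory allow-list and the payload extension set are this example's own assumptions; in particular .ankscpt is counted as a payload only because the report drops those files next to .bat and .vbs helpers, the page does not say what the format is.

```python
"""Triage of 'Drops file in Windows directory' records from a sandbox report."""
import json
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Each record reads "<action> <path> <process image>"; the image name has no
# spaces, so the path is everything between the action and the last token.
RECORD_RE = re.compile(r"^(File created|File opened for modification)\s+(.+?)\s+(\S+)$")

# Subdirectories of the Windows directory an MSI install is expected to touch.
# Assumption: this allow-list is ours, not the sandbox's.
STOCK_WINDOWS_SUBDIRS = {"installer", "inf", "system32", "syswow64", "temp",
                         "winsxs", "servicing", "microsoft.net"}

# Extensions counted as executable payload. Assumption: .ankscpt is included
# only because the report drops such files alongside .bat and .vbs helpers.
PAYLOAD_EXTS = {".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".ankscpt"}

# Constructed sample: ten of the records listed in the report above.
SAMPLE_RECORDS = r"""
File created C:\Windows\iassist\runner.exe runner.exe
File created C:\Windows\iassist\custom_scripts\657\maintainproxy.bat runner.exe
File created C:\Windows\iassist\custom_scripts\source\21\fix.vbs runner.exe
File opened for modification C:\Windows\Installer\f775227.ipi msiexec.exe
File created C:\Windows\IAssist\HealITApp.exe msiexec.exe
File created C:\Windows\iassist\HealITService.exe runner.exe
File created C:\Windows\iassist\sqlite3.dll runner.exe
File created C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_A4E76B87B556A45C6A7778.exe msiexec.exe
File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
File created C:\Windows\iassist\banner.jpg runner.exe
"""


@dataclass(frozen=True)
class FileRecord:
    action: str
    path: PureWindowsPath
    process: str


def parse_records(text: str) -> list:
    """Parse one report record per line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(FileRecord(m.group(1), PureWindowsPath(m.group(2)), m.group(3)))
    return records


def custom_windows_subdir(path: PureWindowsPath) -> Optional[str]:
    """First component below the Windows directory, lower-cased, unless it is stock."""
    parts = path.parts  # e.g. ('C:\\', 'Windows', 'iassist', 'runner.exe')
    if len(parts) < 3 or parts[0].lower() != "c:\\" or parts[1].lower() != "windows":
        return None
    sub = parts[2].lower()
    return None if sub in STOCK_WINDOWS_SUBDIRS else sub


def triage(text: str) -> dict:
    """Who dropped what, which drops are executable content in a non-stock
    directory under the Windows directory, and which processes wrote a file
    carrying their own image name."""
    records = parse_records(text)
    by_process = Counter(r.process for r in records)
    custom_dirs: Counter = Counter()
    payloads, self_copies = [], []
    for r in records:
        if r.path.name.lower() == r.process.lower():
            self_copies.append((str(r.path), r.process))
        sub = custom_windows_subdir(r.path)
        if sub is None:
            continue
        custom_dirs[sub] += 1
        if r.path.suffix.lower() in PAYLOAD_EXTS:
            payloads.append((str(r.path), r.process))
    return {
        "records": len(records),
        "by_process": dict(by_process),
        "custom_dirs": dict(custom_dirs),
        "payloads": payloads,
        "self_copies": self_copies,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

Fed the full 64-record list (one record per line) it returns every .exe, .dll, .bat and .vbs written under C:\Windows\iassist and the single self-copy (runner.exe writing C:\Windows\iassist\runner.exe); the C:\Windows\Installer and C:\Windows\INF records are filtered out as ordinary Windows Installer and driver-install activity.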
Executes dropped EXE (3 IoCs)
Processes:
- PID 1712 runner.exe
- PID 1652 runner.exe
- PID 2356 HealITService.exe

Launches sc.exe (2 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes:
- PID 2520 sc.exe
- PID 752 sc.exe

Loads dropped DLL (7 IoCs)
Processes:
- PID 340 MsiExec.exe (2 loads)
- PID 1288 MsiExec.exe (2 loads)
- PID 1408 MsiExec.exe (3 loads)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 3 IoCs)
schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 768 schtasks.exe
- PID 952 schtasks.exe
- PID 3060 schtasks.exe

Kills process with taskkill (9 IoCs)
Processes:
- PID 2764 taskkill.exe
- PID 2856 taskkill.exe
- PID 2492 taskkill.exe
- PID 2636 taskkill.exe
- PID 2468 taskkill.exe
- PID 3052 taskkill.exe
- PID 2768 taskkill.exe
- PID 2524 taskkill.exe
- PID 2164 taskkill.exe
PID 3052 also appears above as icacls.exe: the PID was reused for two short-lived processes during the run, so correlate on PID plus image name, not on PID alone.
Modifies data under HKEY_USERS (64 IoCs)
Processes: cscript.exe (2 instances), DrvInst.exe, runner.exe (2 instances), msiexec.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000020ae07a02bbeda01 runner.exe
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing cscript.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\c6-5a-ef-ec-97-44 cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000040d20ea02bbeda01 runner.exe
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" runner.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\WpadNetworkName = "Network 3" cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-5a-ef-ec-97-44 cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ runner.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ runner.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft cscript.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 cscript.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\WpadDecisionTime = e07241a52bbeda01 cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88} cscript.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-5a-ef-ec-97-44\WpadDecisionTime = e07241a52bbeda01 cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" runner.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\WpadDecision = "0" cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" runner.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings cscript.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" cscript.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\WpadDecisionReason = "1" cscript.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" cscript.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" runner.exe
- Key created \REGISTRY\USER\.DEFAULT\Software cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ cscript.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Modifies registry class (49 IoCs)
Processes: msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Extensions.dll\System.Net.Http.Extensions,Version="2.2.29.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e003f006a00560058004c003f007e007b006c006c00340068006f004000330060007e0067006c00700000000000 msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\PackageCode = "69E5F2D9D6074DD4F8444A206B511434" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Net msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignColors.dll\MaterialDesignColors,Version="1.2.6.1513",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00450035005a00640051007500260078005a004a006b007e003f00560043004b00460025007700370000000000 msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Primitives.dll msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\AuthorizedLUAApp = "0" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Primitives.dll\System.Net.Primitives,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e002b002500620060004d002d005b0046004100660038002e0025007e005e0035006f0035003000600000000000 msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITApp.exe\HealITApp,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e0054003d0045007a00600041007600260021007600250039006e0044005300410025005e003100260000000000 msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\InstanceType = "0" msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Clients = 3a0000000000 msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Primitives.dll msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.InteropServices.dll\System.Runtime.InteropServices,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e0053004f004f00670062002b004f004e007300370028004e006500610031004f00610058003800680000000000 msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Version = "16777216" msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|log4net.dll\log4net,Version="2.0.8.0",Culture="neutral",PublicKeyToken="669E0DDF0BB1AA2A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e002b00480029007d005f002b0075004e00510069004b005a0073006e00500037007e00770031004c0000000000 msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITService.exe\HealITService,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00700028005400410036003200770070002700660073005f004400720047006500240067003200710000000000 msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.WebRequest.dll msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.dll\System.Runtime,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00690049005f00670043007b004a004a0074005f00750052006e00370040007a00730034007600700000000000 msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\PackageName = "iAssistInstaller.msi" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|log4net.dll msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignThemes.Wpf.dll msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignThemes.Wpf.dll\MaterialDesignThemes.Wpf,Version="2.3.1.953",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e004f00650063003f003100250071007e0044005300620064002700260078006800580070002800550000000000 msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignColors.dll msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.WebRequest.dll\System.Net.Http.WebRequest,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e003d0052006c003f0041002e00390053007a0026002b00430073007300720059004400400021002a0000000000 msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITApp.exe msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Assignment = "1" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.InteropServices.dll msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.dll msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITService.exe msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Data.SQLite.dll\System.Data.SQLite,Version="1.0.113.0",Culture="neutral",PublicKeyToken="DB937BC2D44FF139",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e0076007e00240024002d0057004800340050006c007e006a006c00430072003d00300058007d00740000000000 msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Primitives.dll\System.Net.Http.Primitives,Version="4.2.29.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00760032002c006100260041006c005d004c0045005800270048004b003500580027002d005a004b0000000000 msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\AdvertiseFlags = "388" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Media msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Data.SQLite.dll msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0AB52F2AEA687534CA2F2A3890F8FB17 msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\05B419C9DAA35234196526056BB4144A msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.dll msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\05B419C9DAA35234196526056BB4144A\0AB52F2AEA687534CA2F2A3890F8FB17 msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0AB52F2AEA687534CA2F2A3890F8FB17\DefaultFeature msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\ProductName = "Heal-IT" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Language = "1033" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\DeploymentFlags = "3" msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.dll\System.Net.Http,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00270035007900510032002a007b0075005b0070002e005800400064004a004c007b0039003800300000000000 msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Extensions.dll msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17 msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\ProductIcon = "C:\\Windows\\Installer\\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\\_6FEFF9B68218417F98F549.exe" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Media\1 = ";" msiexec.exe
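The 32-hex-digit key names under Installer\Products and Installer\UpgradeCodes are not hashes: Windows Installer stores GUIDs there in "compressed" form (the first three groups reversed as strings, the remaining eight bytes with their hex digits swapped pairwise), and PackageCode is stored the same way. Decoding them turns this section into a ProductCode, UpgradeCode and PackageCode you can match against the C:\Windows\Installer\{...} cache directory in the file-drop section and against an uninstall command. The script below is an added example (not part of the report, not vendor code) that implements the transform and applies it to registry records in the report's own format; the record regexes are this example's assumption about that format.

```python
r"""Decode the compressed ("squished") GUIDs Windows Installer uses as key names
under HKLM\SOFTWARE\Classes\Installer (the same keys seen as HKCR\Installer)."""
import re

HEX32 = re.compile(r"[0-9A-F]{32}")


def _flip(hex32: str) -> str:
    """The squish transform: the three leading GUID groups are reversed as
    strings and each of the trailing eight bytes has its two hex digits
    swapped. Applying it twice gives the input back."""
    head = hex32[0:8][::-1] + hex32[8:12][::-1] + hex32[12:16][::-1]
    tail = "".join(hex32[i + 1] + hex32[i] for i in range(16, 32, 2))
    return head + tail


def squish_guid(guid: str) -> str:
    """{A2F25BA0-86AE-4357-ACF2-A283098FBF71} -> 0AB52F2AEA687534CA2F2A3890F8FB17"""
    g = guid.strip("{}").replace("-", "").upper()
    if not HEX32.fullmatch(g):
        raise ValueError(f"not a GUID: {guid!r}")
    return _flip(g)


def unsquish_guid(squished: str) -> str:
    """Inverse of squish_guid, returning the braced, hyphenated GUID."""
    s = squished.upper()
    if not HEX32.fullmatch(s):
        raise ValueError(f"not a squished GUID: {squished!r}")
    g = _flip(s)
    return "{%s-%s-%s-%s-%s}" % (g[0:8], g[8:12], g[12:16], g[16:20], g[20:32])


# Report records: '<op> <key path>[\<value name> = "<data>"] <process>'.
PRODUCT_RE = re.compile(r'\\Installer\\Products\\([0-9A-F]{32})(?:\\(\S+?) = "([^"]*)")?')
UPGRADE_RE = re.compile(r'\\Installer\\UpgradeCodes\\([0-9A-F]{32})\\([0-9A-F]{32})')

# Constructed sample: seven of the "Modifies registry class" records above.
SAMPLE_REGISTRY = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\PackageCode = "69E5F2D9D6074DD4F8444A206B511434" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Net msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\PackageName = "iAssistInstaller.msi" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\05B419C9DAA35234196526056BB4144A\0AB52F2AEA687534CA2F2A3890F8FB17 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\ProductName = "Heal-IT" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Language = "1033" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\ProductIcon = "C:\\Windows\\Installer\\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\\_6FEFF9B68218417F98F549.exe" msiexec.exe
"""


def summarize_installer_keys(text: str) -> dict:
    r"""Map every Installer\Products\<squished> key in the text to its decoded
    ProductCode, the values written under it, and the decoded UpgradeCode and
    PackageCode where those records are present."""
    products, upgrades = {}, {}
    for line in text.splitlines():
        for m in PRODUCT_RE.finditer(line):
            values = products.setdefault(m.group(1), {})
            if m.group(2):
                values[m.group(2)] = m.group(3)
        for m in UPGRADE_RE.finditer(line):
            upgrades[m.group(2)] = m.group(1)  # product -> upgrade code
    out = {}
    for squished, values in products.items():
        product = unsquish_guid(squished)
        info = {"squished": squished, "values": values}
        if squished in upgrades:
            info["upgrade_code"] = unsquish_guid(upgrades[squished])
        if "PackageCode" in values:
            info["package_code"] = unsquish_guid(values["PackageCode"])
        out[product] = info
    return out


if __name__ == "__main__":
    for product, info in summarize_installer_keys(SAMPLE_REGISTRY).items():
        print(product, info)
```

Running it on the records above gives ProductCode {A2F25BA0-86AE-4357-ACF2-A283098FBF71}, which is exactly the cache directory name C:\Windows\Installer\{A2F25BA0-...} seen in the file-drop section, so the two sections corroborate each other. Because the records live under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer rather than a user hive, this is a per-machine install; on a live host the same product is listed under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\<squished> and can be removed with msiexec /x {ProductCode}.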
Runs net.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 1616 msiexec.exe (2 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 1580 msiexec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe (PID 1580), msiexec.exe (PID 1616)
- PID 1616 msiexec.exe adjusted: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
- PID 1580 msiexec.exe adjusted: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then twice in full the sequence SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, followed by one more SeCreateTokenPrivilege (the section lists 64 entries in total)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- PID 1580 msiexec.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msiexec.exe, runner.exe, cmd.exe (5 instances)
Each entry has the form "PID <parent> wrote to memory of <child> <parent> <parent image> <target index>"; the sandbox repeats an entry for every write, so identical entries are collapsed here with a count:
- 1616 msiexec.exe -> 340 (target 31), 7 entries
- 1616 msiexec.exe -> 1288 (target 35), 7 entries
- 1616 msiexec.exe -> 1712 (target 36), 4 entries
- 1712 runner.exe -> 884 (target 38), 4 entries
- 1712 runner.exe -> 2912 (target 40), 4 entries
- 1712 runner.exe -> 2956 (target 41), 4 entries
- 1712 runner.exe -> 1492 (target 42), 4 entries
- 1712 runner.exe -> 3016 (target 46), 4 entries
- 1712 runner.exe -> 2400 (target 47), 4 entries
- 1712 runner.exe -> 2832 (target 50), 4 entries
- 884 cmd.exe -> 2764 (target 53), 4 entries
- 2912 cmd.exe -> 2856 (target 52), 4 entries
- 2956 cmd.exe -> 2492 (target 54), 4 entries
- 1492 cmd.exe -> 2768 (target 55), 4 entries
- 3016 cmd.exe -> 2636 (target 56), 2 entries (the section lists 64 entries in total)
Cross-referenced with the other sections: 340 and 1288 are the MsiExec.exe instances under "Loads dropped DLL", 1712 is runner.exe under "Executes dropped EXE", and 2764, 2856, 2492, 2768 and 2636 are taskkill.exe instances under "Kills process with taskkill", giving the chain msiexec.exe -> runner.exe -> cmd.exe -> taskkill.exe.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
[1] C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\iAssistInstaller.msi
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 1580

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1616

    [2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A3DFDBBA3481DE1CBB4A81491BC07412 C
        - Loads dropped DLL
        PID: 340

    [2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DBB7C95C25D7B2479685274E4824A5CE
        - Loads dropped DLL
        PID: 1288

    [2] C:\Windows\IAssist\runner.exe
        Command line: "C:\Windows\IAssist\runner.exe" 9
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        PID: 1712

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM Campaign.exe /T
            - Suspicious use of WriteProcessMemory
            PID: 884

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: TASKKILL /F /IM Campaign.exe /T
                - Kills process with taskkill
                PID: 2764

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM HealITApp.exe /T
            - Suspicious use of WriteProcessMemory
            PID: 2912

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: TASKKILL /F /IM HealITApp.exe /T
                - Kills process with taskkill
                PID: 2856

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM iAssist32.exe /T
            - Suspicious use of WriteProcessMemory
            PID: 2956

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: TASKKILL /F /IM iAssist32.exe /T
                - Kills process with taskkill
                PID: 2492

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM iAssist64.exe /T
            - Suspicious use of WriteProcessMemory
            PID: 1492

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: TASKKILL /F /IM iAssist64.exe /T
                - Kills process with taskkill
                PID: 2768

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM IAssistHelper.exe /T
            - Suspicious use of WriteProcessMemory
            PID: 3016

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: TASKKILL /F /IM IAssistHelper.exe /T
                - Kills process with taskkill
                PID: 2636

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM IAssistHelper64.exe /T
            PID: 2400

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: TASKKILL /F /IM IAssistHelper64.exe /T
                - Kills process with taskkill
                PID: 2468

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM AnakageProactive.exe /T
            PID: 2832

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: TASKKILL /F /IM AnakageProactive.exe /T
                - Kills process with taskkill
                PID: 2524

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\atemp.bat"
            PID: 2640

            [4] C:\Windows\SysWOW64\net.exe
                Command line: net stop HealITService
                PID: 2940

                [5] C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop HealITService
                    PID: 1644

            [4] C:\Windows\SysWOW64\sc.exe
                Command line: sc delete HealITService
                - Launches sc.exe
                PID: 752

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: TASKKILL /F /IM HealITService.exe /T
                - Kills process with taskkill
                PID: 3052

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: TASKKILL /F /IM Heal-IT.exe /T
                - Kills process with taskkill
                PID: 2164

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C Schtasks /delete /TN AnkActionManager /f
            PID: 2288

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: Schtasks /delete /TN AnkActionManager /f
                PID: 2560

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C Schtasks /delete /TN AnkAnalyticsManager /f
            PID: 572

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: Schtasks /delete /TN AnkAnalyticsManager /f
                PID: 560

    [2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 96D917C31503435FB3204DB1329C6324 M Global\MSI0000
        - Drops file in Windows directory
        - Loads dropped DLL
        PID: 1408

    [2] C:\Windows\IAssist\runner.exe
        Command line: "C:\Windows\IAssist\runner.exe" 0
        - Drops file in Windows directory
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        PID: 1652

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:22:35 ExtractBinResource = C:\Users\Admin\AppData\Local\Temp\\ >> %TEMP%\AnakageInstaller.log
            PID: 2088

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\atemp.bat"
            PID: 1080

            [4] C:\Windows\SysWOW64\icacls.exe
                Command line: icacls "C:\Windows\IAssist" /grant Users:(OI)(CI)F
                - Modifies file permissions
                PID: 3052

            [4] C:\Windows\SysWOW64\attrib.exe
                Command line: attrib +s +h "C:\Windows\IAssist"
                - Sets file to hidden
                - Drops file in Windows directory
                - Views/modifies file attributes
                PID: 2560

            [4] C:\Windows\SysWOW64\net.exe
                Command line: net start HealITService
                PID: 1312

                [5] C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 start HealITService
                    PID: 1140

            [4] C:\Windows\SysWOW64\sc.exe
                Command line: SC failure "HealITService" reset= 0 actions= restart/0/restart/0/restart/0
                - Launches sc.exe
                PID: 2520

            [4] C:\Windows\SysWOW64\icacls.exe
                Command line: icacls "C:\Windows\IAssist\HealITService.exe" /inheritance:d
                - Modifies file permissions
                PID: 2784

            [4] C:\Windows\SysWOW64\icacls.exe
                Command line: icacls "C:\Windows\IAssist\HealITService.exe" /remove:g Users
                - Modifies file permissions
                PID: 1864

            [4] C:\Windows\SysWOW64\icacls.exe
                Command line: icacls "C:\Windows\IAssist\HealITService.exe" /grant Users:RX
                - Modifies file permissions
                PID: 2600

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: Schtasks /delete /TN AnkActionManager /f
                PID: 1264

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: Schtasks /delete /TN AnkAnalyticsManager /f
                PID: 1496

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /create /F /TN AnkAnalyticsManager /XML atemp1.xml
                - Creates scheduled task(s)
                PID: 952

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /create /F /TN AnkActionManager /XML atemp.xml
                - Creates scheduled task(s)
                PID: 3060

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /create /F /TN AnkRebootManager /XML atemp2.xml
                - Creates scheduled task(s)
                PID: 768

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:22:35 ExtractBinResource = C:\Users\Admin\AppData\Local\Temp\\ >> %TEMP%\AnakageInstaller.log
            PID: 1856

        [3] C:\WINDOWS\SysWOW64\cmd.exe
            Command line: C:\WINDOWS\System32\cmd.exe /c cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp1.vbs
            PID: 2264

            [4] C:\Windows\SysWOW64\cscript.exe
                Command line: cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp1.vbs
                - Modifies data under HKEY_USERS
                PID: 2736

        [3] C:\WINDOWS\SysWOW64\cmd.exe
            Command line: C:\WINDOWS\System32\cmd.exe /c cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp2.vbs https://aiops.anakage.com/api/license/?userName=&hostName=Uhrqkjcp&macAddress&facility=fpt
            PID: 1604

            [4] C:\Windows\SysWOW64\cscript.exe
                Command line: cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp2.vbs https://aiops.anakage.com/api/license/?userName=
                - Modifies data under HKEY_USERS
                PID: 2964

            [4] C:\Windows\SysWOW64\HOSTNAME.EXE
                Command line: hostName =Uhrqkjcp
                PID: 1032

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:22:35 server license = >> %TEMP%\AnakageInstaller.log
            PID: 2548

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:22:35 Failed to send license >> %TEMP%\AnakageInstaller.log
            PID: 2280

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 2044

[1] C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "0000000000000060"
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID: 540

[1] C:\Windows\IAssist\HealITService.exe
    Command line: "C:\Windows\IAssist\HealITService.exe"
    - Executes dropped EXE
    PID: 2356
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Hide Artifacts (2): Hidden Files and Directories (2)
- Impair Defenses (1)
Downloads
-
Filesize: 123KB
MD5: 093b06c98ef3d3e6ce254e50a880e748
SHA1: 59ebcd81c4de58fd7aed21cffc42ab7411429bac
SHA256: 27b5e65faf8137505da008bbac9cf839e80a1201070fbf23e9bf581f3b769d42
SHA512: 77a0590a9c1f24a3f8bd56c5a2785849fd4d24fc802a8aaac0ad96a38f018707a80d7b2896a5789ae52f4e16bec4ee89e08a0d24f8c26f9df4b3e22bb489a9eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 6dbfe3a4423efa10a0650ffccf2000fd
SHA1: 459c54030134556041a2c3262f76e3cf12ac7364
SHA256: 4b8ffaf80e80e16b0af1786e8a5045f6fd0ce62288d40a100c063bad9346e6a3
SHA512: 0322922ffdf8f0e8141695f3bf5a14c118e95ed125dd28a018d9cfbc5d0a96f18c5264a7e722111509c6fefdf06be0989f2c16c47f56e03f061a9a936713e6e6
-
Filesize: 150B
MD5: fdbbdb01ebc78a136a78f17e1e2e40d8
SHA1: 955db341bacbe1a4f3fa6225c9576b90c07e9499
SHA256: a0314ff4cb7d286bcf94cf5b862e96122ddf6fea6af1014b71253e04cf67c94b
SHA512: 5492a71f6a9e9f55f57c32ea9a632e090daf32103bcf996ea6b5939b984ceb32fb6e786b5abda6e8ef6432eba3cec06092d6f7ddbe5b8299594a59ffd7848065
-
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize: 298KB
MD5: 684f2d21637cb5835172edad55b6a8d9
SHA1: 5eac3b8d0733aa11543248b769d7c30d2c53fcdb
SHA256: da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
SHA512: 7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c
-
Filesize: 177KB
MD5: 435a9ac180383f9fa094131b173a2f7b
SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize: 1KB
MD5: e4a5ef6526bcc16e97e83da01f4ebf03
SHA1: 5046ed1e16bd147491f70a9089848860e85e072f
SHA256: 0c3ee6c475599034bb0ada3015df76fc399aa26c5c87ae4da62b20da1f37039e
SHA512: 420f6991457e68e7149fdb946d2f191ba581ae91ba86a1a56bc505fb73c6b791aeb3c2094abf25592a1dfe8f3a2cf814b9cad615796bcd192053ce9daa36b4b6
-
Filesize: 425B
MD5: 542a3f3d2d3e38d9ee58c70e743d6aef
SHA1: 832577ce0808e6a9bb1625fdd9aa21748a54d490
SHA256: dabcc7a2aeb0b9d6f340e770a4c124519e4b9a33031b7cee7dd0a064ff5e74dc
SHA512: 0b70a295a116af8e5fa6a17c548106fa21d7eb83c0b099b209f6ebed9cb56ee039a1ca7612fb8b673b429796e2e0101ec15d8c81e90c021f6ce9722ff510320b
-
Filesize: 400B
MD5: 9d0c6bf00d6ea0d444f8e5df8034a15e
SHA1: 5cf14b0238cec3b8f03cde8659b2f9efa7772974
SHA256: e4b3a9af656f2dbab1a4bb11c6f5a3661b0e029751351a398506ae30eeb1daa2
SHA512: 739a76c6f28e1ba4ee4b44e1f338bfb79dd8f07c7793820d5feb86b89b60f5a45c85051c605ff6c4a5b675394008a86b121400af004f97117e1211fb8aa0dfbd
-
Filesize: 1.5MB
MD5: 92256b73a07831c012896ef89a836656
SHA1: 69ff4ce667c9a0d12f9467d4bf6c521ae81ccf9e
SHA256: 5019a5e128a7a65c86df69b819235b636dcc73a47d730a1bb4c183cad8c4a550
SHA512: ff277549220b75176070d5b29fb2abf4b08fc8b356c98544ec7c3526f736a6c8d99111ed94df45e6428d8436750581b5e1df5c3a604438c6de4c36bcede04180
-
Filesize: 147KB
MD5: 8e6fec9071a1084873bcce13fe064a42
SHA1: efee18f56d892723d75427ad290fbeeabb7b1888
SHA256: 01da7957ee307cb02732acf294d3bd3560a51a0d1d0afeee6cd4e5c0cf455cf8
SHA512: 4fd6fd9706db498d2467e43f38341187442f174d5b9b4e152a721e4f6ba1f010678a1bca2e770875dc44f5c5cdc9f6a1ceab99ae14d8c02f07ca27f638aa355c
-
Filesize: 191B
MD5: 9ae1589235924ca09ca772c85d5b09d5
SHA1: 349b79111169fe4599ff6206cb702d9889a13f53
SHA256: 56a2ff0cbc50211c27e8e1dbc6dac1ea959987dc21bbd3ca5cfdadcb0534181a
SHA512: f07e406cc2ca62e966c2a3284f4a870f5e429c45ca16cdd4d74e3f853756409fd0ff4ec5da18511e10fe60344f3ddc5fce4c264737820290000874c10db5bace
-
Filesize: 894KB
MD5: 50ded9235a03b899c17c5d69287ceb91
SHA1: dbe0356e44b8b842d4a38fc02e37e0816b7ef448
SHA256: d9445e06f8d3a1364bf710c4060f1efdecb9d3371dc6cedc4a3ed33e7ab7eb44
SHA512: dd5f2f29560f5f1de6051eee5dc0d0f0be74e31445dfb97dd1d36f2c692ff89969c79188d4329a53f25ede0bc31d3d912fa787ab94f12aa8ffb06f54cec5a6a2
-
Filesize: 189B
MD5: ef0181de18ef3951806c0ad63b897ba4
SHA1: 4b6a4b0f7fbbbd1dceab385e7fac74a35fc132cb
SHA256: e8decc96235b5494880083eb79c22c84c6d9ef312828baf9490bee7782c350ec
SHA512: b1816817e8deaa7b22bc51966e9debed46b254be6463f2ac0204be348baefb751c5d846a5353d43cce66a005a73f6226462b8ec8b59d4e16a54130c327c68b79
-
Filesize: 323KB
MD5: 1818f9ea0069636728dcb60f9096098e
SHA1: 0e841decb0f995629bf86b5a68a9c98d7c962671
SHA256: 65a96a8134f1071d1c042034ecd35949cc49b941a96c067ad310bf3ff897d122
SHA512: ce97d67a34b67edbc677b885327c85bcb33d06542b0919f8ce61129718287f7de1e2d28a5062ce9038378545be65c7055e32b5aa6067673abceea2430e0aa963
-
Filesize: 31KB
MD5: 111dd3382e71828ec2a96ac5679ed44b
SHA1: 44eec2e255517bad36d69a0b268c039fad1d4af3
SHA256: cfcbcc0e8de1a8dfa10186e47400ac598cf5136a9f16b89a13e6155b021bbf88
SHA512: e285d3823c5daa8476c33ff7187559fe22e3f912b19e3e3716931084585f71c959eb21b3c2ced2dda916c15f90b1fecff68aa357507fa4bd1b7c3f8fdb2bb09b
-
Filesize: 126KB
MD5: a05f57db2637ab9d369b514f095d8bb7
SHA1: a6da636f526039d9a25faa39fda0859af2e5cfa3
SHA256: bb83cce0d9db3bc829e680e12bdda6204b7b6af2776c7bb9d0988c7ab0a46aec
SHA512: 0dfec886106836d236dd6a1b36496bd43bc1785fd7c6355723d76dbd38a5a2455e1ee59effa077bfc3cacf6a1d272d1cf724ff761d5d64e57c1aec79a2fdc81b
-
Filesize: 811KB
MD5: 4f8a4a0ad6c94b60db955ba3e7033e8e
SHA1: 90d68a63b629f39a49d69968df16cb1221550fcf
SHA256: b69a3d5ed7fd451d9fa6e16813785a3d5630e0940a8eb16dff241c2639310da9
SHA512: 6f639540349bab213c3f6cd06163e1bf5a2164374bac1f3cf99641d15a1303cf9e3b758d34986bd29b69db6b27543ddd349b763067e31b0adac9a7580ff43569
-
Filesize: 10KB
MD5: 1f4b1208d1c6c974e333ca455f9bbf0e
SHA1: a1c62753d2088b57c9de41bba63acde66d8dec8d
SHA256: 11a807394cab631531465d91964f0fbeb33ada9f80fd0be70009d6cdc8994a50
SHA512: 7315b7c2259334c210b3b25a948fa3f40a1ec246fbef9c48c252f0ab25ce008875106ed39f6d07cb9f2c4740dd0e4d028df221696a6eafe64e150c2f875e6ac6
-
Filesize: 169B
MD5: 15e7325ab895c6883e065028bfe4073b
SHA1: 80716821669c7f0e20838163ee0a69f9df29c8de
SHA256: ffe366dda2cac1f1371f6ce701043bb7ff60540f4752821d82676b433a88d4ac
SHA512: dc358d20e5b398a20bed1f73ff1d35a9896992ddf2b80044b755be9ae9eacf006d727d636d2f5f5613c453c828a1ac07fd126778ec7d8d2293e68e6be4de2917
-
Filesize: 102B
MD5: 451168cab68f4ab6a2b4781d0dc08783
SHA1: 016103a27a226afa6fd13c198d820bafc101696e
SHA256: faf8e3f9fae824e21065fe719e54417bda07c956ea9ebf3b0bbac1f0e0879fc6
SHA512: 3ee55d8f494a8d1bf238baa1d3b514ff62e8be52096cd7d134b6bc21671e4240ed7fe7d177f44a66a623865e18fcc72b3ab97d0af8b48a2b597c503649dbbf41
-
Filesize: 107B
MD5: 359c8fe8d3aedb58f1f6ac12ec71fceb
SHA1: 7c131d5449909ad08a722077f876dd09ce8597bc
SHA256: 48385e54acb365b08bc45e7a415a00061a50fe477fc1971477182bb5d1f4059c
SHA512: 62c65953c632f56f62644b35b3857e1b8a568e31f8e2875c4c5c9b296997ce1e7dfdebcc3746c9b3fe339e11fcf78eaa5644f9954fa6ffd5736aeb4767108135
-
Filesize: 695B
MD5: e002711daf08cb7759d3dc8698d4697a
SHA1: 91943f90129a0120b852620b0c5fbe0a4ac45778
SHA256: 097e3c4633121032aee95250fdd82336023fd9c10b3df29e183eff9967fa607c
SHA512: 58c4faf6227efc80c98c690df739fe60ac9d03c7e76f99bc9086ae80acf2d9d70d3567c857568c83cd5f8bf4dcd42c808afb8f3ab34ce80636cc4eb41f20a74b
-
Filesize: 237B
MD5: 4d38aade6327e6e68a30ed66e14b859e
SHA1: 7930eece118941528247e36181436f040815a9d0
SHA256: bcf79cd5e78b91020322b3b12a885b7d11a18e72b5b15ba0906efbf5a3d92cfb
SHA512: 398d0a18497c640c912ba739e84ab3957d9e59a07a93f05481ce99c7aee84d25abdb531a1a8cac59d4279016cea5dc4bfa30399ce09bade6b01fac9790a28353
-
Filesize: 696B
MD5: d636cfecf3dffd81ec0aa21f082bb979
SHA1: 3efc9f524520202c6636a167cd1aa2a4dee45f65
SHA256: 63b7384e2cdbbd0be6d51adb6cd35d1dbc4635220820fd08820ade3ccdb07b98
SHA512: 2b91141641ece514a8fd692a261a46c5771fff7ab94d5ebfc87722e15119e16b321df515b5e780a79638f159c008fcf70dd822b84067dcbe47d7a9c74488881d
-
Filesize: 169B
MD5: 7c575203045e08d227c0195bd71f4a18
SHA1: b510d1b4a668b0145f7448edfda496ba11c9abdc
SHA256: 34a14c7ebb3fa6e841bea6059f634b47e3dfc09d59331e9a234ac51407c2adac
SHA512: 79e97176c40d1c4cbb6820031797a55b7b409ed83cb0ef90854f10ee701d5a9ee4d790bae73abdaa416b9072252cea81991be1cf7bfdb178d178774147812833
-
Filesize: 849B
MD5: 9add21e567084f717a9e9cd9d9a68098
SHA1: 5f3c2f9bc6870dd081b27e6112dcf4f67e2b60a7
SHA256: 93db3d7a8201ed67a7570048f78b67a5261a713c9713d1df84a4efa12f3da474
SHA512: 431525f4e81ec911d7a83b12550edd25ef6482e51e55841f47b13dd37b8e6b57cec44965f0e2aab1eab356faebf3d2ba06ef44ce517d1587806cc73625a68c97
-
Filesize: 257B
MD5: 5a7e73d99a8b0cb8cc59a7de28d7f41d
SHA1: a6cc77b275ae89d29e1bb7b845659bf4079f035b
SHA256: e0c415c1cec75f438b7694a0f9a3f337773b231cfa22ae6a913004cfcb94d2d5
SHA512: 4d6aea98b5f6ef238cf1b7ecd7ac31a2e90e9e9eae571f0d0daa4fed68f81114510273e6dbff73663c5bfd70b22f4a5c007df3cf14db4e770011438a69903c82
-
Filesize: 3KB
MD5: 3d8a8a5f2770ee6f32dbbb342081b332
SHA1: 6628d97bc9aa2c43597e2e55c0efad85cc2384a3
SHA256: af5aaf70f3bd7006bf366900df19ab4da708172963f493e299b8f5f8739a4a6c
SHA512: 037a30a0bc770cb98619ab68d6b5e9c983099e21d8b775fce41e65841b62dfe66a896d37d5cb54d4bb59277240d2b4331ed63eec6d0bca8dcf26a69bf885455c
-
Filesize: 3KB
MD5: fa9d05115cae5c2d8867df46ff9610f4
SHA1: d75eb025dec040fe22accf8def8b5c13004f4405
SHA256: e0d1ada7761793f3b91cbba6b318b6ca8f71b0e4ad81cc80d87d9b25a8184e55
SHA512: a6a973fe9ca9ad96ca7baf1415f864f629429c2b4d72b4e60c20323eade4af44328d6faf248b94d2c181611fa56ba4d2e29e6d9452ed5104ef29393d7deec3f8
-
Filesize: 6KB
MD5: 7b0068d0a420ef3b57feaca71a0c3c67
SHA1: 1fdfce4422deae183a2820c83aa7fc6e637bf0c7
SHA256: 7619f5ee908dab0746d0348c40af64ce12723cbb66171875c56bad0e03d93420
SHA512: 51eeb17c3d6d2ee8937dbb6678d95b01d0408346a78afcdfebf6149cacf500081fa215d1f4eded4b9b683a950c9b5c48057b2eaafeb7d8fca69183311ff7ce9c
-
Filesize: 824B
MD5: 2d9a034020c26454e8850de89ffccf89
SHA1: 2fe7659d9aae5a19eb56ec0288aa06b915bfc41a
SHA256: 90a1b8ca73d051198360f0999697a1d695f798a326ff472bf7e34acb4df38ae3
SHA512: 81a4f9538279f9fb21b88c4b7544625e45d62e366fc1bd885093107ea848768ce6b7a015a790c952f3c395611c5ead022a25136f68b50885b528c55b18722a8c
-
Filesize: 104KB
MD5: 3397446c7090eccabc67c9ed1e2b9ff7
SHA1: 4e869a09a8c4b59e924938664544332de6d45dc1
SHA256: 556cd71a538e7ae200f571ea7722afc692e044e814127ee5d67111780608b206
SHA512: 96f840f2a0cd15d95f16610f2eb7d0f574527eff46c2fb436bb0a48b3afa29801f63eab75b2f4f1fc46eaf81ce3ee11e22b4f36e7f1e13cef4388385caf5e6d3
-
Filesize: 106KB
MD5: 3941ccf542c241226104ac61fd1cd373
SHA1: 636332a86c0c476977f3d9b7eb5d88e40a1a0f07
SHA256: 1d1191207b4acccda55db6ec688ffc606af1ebb3053060ae04e7edae0f80ce7b
SHA512: 7034a6a17e45dbef45950a41f60b31c295b7299ced5a34b6a8e98e9698b5a45b3a2d8eb9df845822540802999df244e53a3a264ac2c23d042efca4b946ba28a1
-
Filesize: 34.6MB
MD5: 1d0e56b37600e01a44929ad918d21d74
SHA1: 1bdf869933ed3e7f1196f2a2fd8a021adc2e86c5
SHA256: b512f37f19537645ded040070d6be27aa8539d8e007bb71527cef4b1c8f20f32
SHA512: 1199055ba8de84a1f94ab55f0504eb7570e88837897e2e3219fd20ee83c7f3b73f031201787e7bdac5075a10b6313858fd95094035ae8dd946eb4f788ed287c1
-
Filesize: 361KB
MD5: c1452013e9e2355ee7bafe892b4699bb
SHA1: ae87fca94a0be253ced08dded980189288abaa76
SHA256: 2ad34df853ee9363bfe124751a3a5b1184115127f972b88a4403c482d0022862
SHA512: b1bcaa7afd70bc72dbeb568019cfe4a61912bd05812ac1d0fab7b77546532d5cad6cab59f8b17283b3d15d281a1610751461f8b6fb49aab94189c8f12e3def1c
-
Filesize: 24.6MB
MD5: d9109f8f976cd2045646701991fc8cdf
SHA1: 9c4d2e3b8ca32aa21f56cdcbf13364e1f3fde919
SHA256: 1494cd02bbafbb7518c7eea9f33b1af6da2e2ae2ca9a11e64e24329af6065127
SHA512: 0d4c98aa6fcb6f7b53e906d27abfb16239c614d1cfe4460d68790371eb04cf134e18909a8bc5a710961eeb81e8469cf69c269848578445c211e0c4d4b851659c
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize: 260B
MD5: 8dc3899df72a2bdfc027682048422a37
SHA1: 9f6c657d2ba08068b2bcae443b817d54f3dac574
SHA256: 7a6a763e21ca205bf7da8134088fe1978a8c2efbcf1c251ba93cdcf00e59ff57
SHA512: 24c3ef86bbcc57ddbde2d1e323056091d52cb21dba2e143029396b0256ce0fb53879b161a4a874f949bc5da0986d84b293002006ba9f3a06cdf5fdedc1cc8b18
-
Filesize: 361KB
MD5: d01fdba81ab16eacb785ed15fa1e2545
SHA1: 1cdb43cc816ee91d369b36f898ecfa7d650d8693
SHA256: 4b1d13881de2e6d3742785dfc96d7ec955da93c07371093a097fb0e2c0b29d2f
SHA512: fcca162266bca6fe029d8f97d5741e7f9a92b0d3be8177b30bc7d84c878b7daace01ab605eb6fc33ffbec04e2dec11744d6158752137f01b4b8a389a0daa3d2f
-
Filesize: 2KB
MD5: 6ffe8470d26c128e046375b381f419db
SHA1: f03da4ed457191f5d1baee0a7ec8ddd4c2e984e3
SHA256: 5546ecc26122d3929397dcbf40f8b65679646e3735223e2f73562da5e9ed1d66
SHA512: 8a673633b1688eb152f8b14bcdbba4fd3dd1abd49762c60d182d41074e56ebf67f6a5d23616c5b2687b75e555f1eeb74475229bcd5c478b4198b6bca5a82f1fd
-
Filesize: 304KB
MD5: e2e62b30056dcc4283d7d2abce686bef
SHA1: 17973122a58474d38a49a07a2d60517450a23aad
SHA256: d8c0107204e4540ab24125f684660b7b87545a58c4a94a89746897383038a274
SHA512: d0ead99c2fe213f165bc0c86bb5d044e9ce344f7433b0d9ddfa165f22341ab616bc45e3e80caaf7a43312d6bd9f5d1768f595a665c0d2835e40920dc5069d5eb
-
Filesize: 4.3MB
MD5: 21f54409dd443367b07c1641d6874417
SHA1: 1a757140c2f3a9edf5b3c9c7edccc438f8d2378f
SHA256: 22163445e2e3249739bfe19afa009e9946ab6dcf90dbeea7a576316be9ccdd9e
SHA512: ac8136324d9afb9ac12783649d17bd87c20a24f2c55ab3d47b1edfb59d314c49ec0dc853453b7094745af71386a9ee4dfa7b08b7b6635a4b56e4a30b905b09dc
-
Filesize: 355KB
MD5: 5c1392fa9dd90f66cffd7e111568e5ea
SHA1: 09581a7af51ed183f4c698f36588dd03cc483f38
SHA256: 1e37284c26f08db40910d989dd9a7b917500b0c24280c8a71f16325ff265d177
SHA512: 1e1c8553a307b06bff34b422e5cfdd0230162b4c3dd97bc0d736ed5069352692462ba1bc81595711e16d97e25111be93ce9b3b6411f99f12071cad34532f163d
-
Filesize: 21KB
MD5: 7f86a47acd4d810ad673af81369f2f26
SHA1: cea8da1478f2dee41ed2ecd2059b73d1c161734e
SHA256: 9c8b87e9a950deb7f28752f875ea82f1b55a70996ac8c12073fcea33664b2048
SHA512: 372a61489665bd37c552c383faff971fdb2d581d45664a37e5d58dbd894b26b5cc8403800a559f489bb4fa47f088e6e06553eca65efb16ab9867e5a80a0a7aa9
-
Filesize: 21KB
MD5: b43fd28dfec4d3b81d7fa0f10a2fb62c
SHA1: 0ce6ea5928ba26ff31276f3dbe229b0a9a0149ce
SHA256: e9b535f4460c76d67df629ce2cbb84c435a712ca948b61ddaaf31309506b8604
SHA512: 1d56a3bf36788265a546f7a2280b206febaea17195397ab165ef328b10c29da6ada53182be9a6190d48b4f3c7ad64fc4bf1fa573bad99f7ca400bda073431c02
-
Filesize: 200KB
MD5: 6243b50b07cdd14d260680ce5d0872b3
SHA1: d85a6450bae0bcf9c80f498a49bf60c556674386
SHA256: bab8785a6656f202b4153c887f5f19fa0075afafe728c24af50bd24342e76f75
SHA512: a3dd79cc1dda248b8ebee949cd375da99ac46eee6d93adb2172e63ae051fa295ead63b1846cafbb922c92367afbc43cef74c3c64cf095a01cd84eabef53f4b1c
-
Filesize: 30KB
MD5: b78f49383a0ef23d80b5c96273faf678
SHA1: f58d6327c99e52c4a71aca1cc60050ed62defb7d
SHA256: 6cafc6949abe5ab3563aba18c051b4eb705a4f67e88a65bf9e565f56db5c0b49
SHA512: 3aab36588f78abe9f6f7a61490b92b7194a0c28b32ade72d7067720e7f1e42677dcaa04a46f49f799f7f7b0a012c3e4cfdff380da000da7c73605fcb7a8d78f2
-
Filesize: 32KB
MD5: bedad87015d1c9207ba20052b4af9a1e
SHA1: 1ac0320ec5531c78d45f197f024091226153e546
SHA256: 202bab731eb36d0b3bd4dfc75b97c5f0e3f64e34e9c06a76a9bf678b037ec59d
SHA512: afd35e962fe396ce6540bc03943952d2621d4a80d22b7240e565278154ab79e39fd4dd0c22edb3a5f866f1772441929433caa51385a4ea5fe9e8a4026b7e7ac9
-
Filesize: 37KB
MD5: 469b0b8f124b0cd3bb4154820e7a6e4e
SHA1: 695d5d9bf7238f39ab08bcfe2dbbf7a6095f62af
SHA256: 5527ea385f5f46ef317221cc68b61dcae41892b7b45d8cbf6453b7e920fbddf9
SHA512: 75a49560ddf4905964f787da98baa81d5d9809f71b8411f2ad12807e5c65aa645cf0ca1a12170d7e02f8b04a4e23013ca9edece4425acfb2dc52e6ce66ab1e4e
-
Filesize: 281KB
MD5: 25f95594ac292cadf79c8390aa458dd6
SHA1: c2cfbf45cfcf0bde29894ce0736c6558cab784e7
SHA256: ee19cb9c05fc6aaa81f77d4ff9b0114afc16dd9765074806e7078382e8c416ba
SHA512: 0950df285e510a3da20eae2e15f03a218e59fb26a1533b20795fa1bf720a1dc613eaad98ccaac816080f40e3e947f18bd85cbca62b915083796fb55d5ee5a356
-
Filesize: 1.6MB
MD5: 20bf56090460aa02f2294b4c897f6895
SHA1: 55cb7c759f5b5ae4db482b5fdf85ae5dc0a1cd48
SHA256: 386d9f73dc2b527327d0b9d8c0a6700b901b7e69d9db35ea5c5ea52354b83a9c
SHA512: 36c704f3cea5042ce242b3152a2ec38918adea14a9ae02f943215e3956c83f891ae6e2e4bb3e64480bf0b85e72d941b928d42be253ed49c21391abb6ed6621a1
-
Filesize: 1.3MB
MD5: 9d766cf85c7a5b7d7286633cf8a0474b
SHA1: 35b41e7064691080d39f4c66a7f3ab5941e9ebdd
SHA256: 30d0c8c8be4397e39acdc8e74d9921a8ee24c6a88411a2eb98eace513e216d36
SHA512: 087c918420574642af8dec566648ccaa0e25e3a597b3be8204ff82c40e35a48597640f8ad16f24e657ccd7c5e696ab20fbcfec8ab68775c2f3afaa97ba5f4852
-
Filesize: 25KB
MD5: 5828b1def77255e28d4bbab6af0fecaa
SHA1: 7838bd801aba18235be5b7fc46c4a9de9f375892
SHA256: 4d385bdb2e1cf6fbdbe80d8910b4876f202628c838707f68d7291e7c26453465
SHA512: a6f5b7fcb34f022955aaf5a127ec52efb97095f41ce90b4ede63db8b6b0cf40ad3ba9cfd197182208e035316b97fe5ea66134cfdb9122fbe7eb3c2b14d61804a