Analysis
  max time kernel: 146s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 14-06-2024 07:18
  Static task: static1
  Behavioral task: behavioral1
  Sample: iAssistInstaller.msi
  Resource: win7-20240508-en
General
  Target: iAssistInstaller.msi
  Size: 34.6MB
  MD5: 1d0e56b37600e01a44929ad918d21d74
  SHA1: 1bdf869933ed3e7f1196f2a2fd8a021adc2e86c5
  SHA256: b512f37f19537645ded040070d6be27aa8539d8e007bb71527cef4b1c8f20f32
  SHA512: 1199055ba8de84a1f94ab55f0504eb7570e88837897e2e3219fd20ee83c7f3b73f031201787e7bdac5075a10b6313858fd95094035ae8dd946eb4f788ed287c1
  SSDEEP: 786432:3MZHx5AbaWxE9hHZWafeOJptURXbpedT9kHxwh6ISvwj3OxwdbcYir:SHxW+WyDkHOJpmp7nvwj3Jdbcr
Malware Config
Signatures
Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
Modifies file permissions (1 TTPs, 4 IoCs)
  Processes:
    pid | Process
    4648 | icacls.exe
    3880 | icacls.exe
    3672 | icacls.exe
    2188 | icacls.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description | ioc | Process
    File opened (read-only) | \??\V: | msiexec.exe
    File opened (read-only) | \??\P: | msiexec.exe
    File opened (read-only) | \??\X: | msiexec.exe
    File opened (read-only) | \??\Y: | msiexec.exe
    File opened (read-only) | \??\B: | msiexec.exe
    File opened (read-only) | \??\N: | msiexec.exe
    File opened (read-only) | \??\T: | msiexec.exe
    File opened (read-only) | \??\B: | msiexec.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\R: | msiexec.exe
    File opened (read-only) | \??\X: | msiexec.exe
    File opened (read-only) | \??\I: | msiexec.exe
    File opened (read-only) | \??\N: | msiexec.exe
    File opened (read-only) | \??\R: | msiexec.exe
    File opened (read-only) | \??\S: | msiexec.exe
    File opened (read-only) | \??\V: | msiexec.exe
    File opened (read-only) | \??\G: | msiexec.exe
    File opened (read-only) | \??\L: | msiexec.exe
    File opened (read-only) | \??\P: | msiexec.exe
    File opened (read-only) | \??\H: | msiexec.exe
    File opened (read-only) | \??\Y: | msiexec.exe
    File opened (read-only) | \??\K: | msiexec.exe
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\J: | msiexec.exe
    File opened (read-only) | \??\O: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\U: | msiexec.exe
    File opened (read-only) | \??\U: | msiexec.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\Z: | msiexec.exe
    File opened (read-only) | \??\E: | msiexec.exe
    File opened (read-only) | \??\H: | msiexec.exe
    File opened (read-only) | \??\L: | msiexec.exe
    File opened (read-only) | \??\I: | msiexec.exe
    File opened (read-only) | \??\J: | msiexec.exe
    File opened (read-only) | \??\K: | msiexec.exe
    File opened (read-only) | \??\T: | msiexec.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\Z: | msiexec.exe
    File opened (read-only) | \??\E: | msiexec.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\O: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\S: | msiexec.exe
    File opened (read-only) | \??\G: | msiexec.exe
Drops file in System32 directory (4 IoCs)
  Processes:
    description | ioc | Process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
    File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
    File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
Drops file in Windows directory (64 IoCs)
  Processes:
    description | ioc | Process
    File opened for modification | C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_02ABC302708F8D56C0169B.exe | msiexec.exe
    File opened for modification | C:\Windows\iassist\HealITApp.ico | runner.exe
    File created | C:\Windows\iassist\IAssistHelper.exe | runner.exe
    File created | C:\Windows\iassist\Solutions\16055\citrix.ankscpt | runner.exe
    File created | C:\Windows\iassist\Telerik.Windows.Controls.DLL | runner.exe
    File opened for modification | C:\Windows\Installer\MSIED30.tmp | msiexec.exe
    File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
    File opened for modification | C:\Windows\iassist\IAssistApp.png | runner.exe
    File created | C:\Windows\iassist\MHN64.dll | runner.exe
    File created | C:\Windows\iassist\Solutions\18003\IssuesWithOpeningHyperlinkInOutlook.ankscpt | runner.exe
    File opened for modification | C:\Windows\IAssist\proactiveDatabase.db | AnakageProactive.exe
    File opened for modification | C:\Windows\IAssist\logs\iAssistHelper_06142024.log | IAssistHelper.exe
    File opened for modification | C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_A4E76B87B556A45C6A7778.exe | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSIF6C7.tmp | msiexec.exe
    File opened for modification | C:\Windows\iassist\System.Runtime.InteropServices.dll | runner.exe
    File created | C:\Windows\iassist\Telerik.Windows.Controls.Input.DLL | runner.exe
    File created | C:\Windows\iassist\custom_scripts.zip | runner.exe
    File created | C:\Windows\iassist\Porter2Stemmer.dll | runner.exe
    File created | C:\Windows\iassist\StemmersNet.dll | runner.exe
    File created | C:\Windows\IAssist\System.Net.Http.dll | msiexec.exe
    File created | C:\Windows\IAssist\HealITApp.exe | msiexec.exe
    File created | C:\Windows\iassist\Campaign.exe | runner.exe
    File created | C:\Windows\iassist\ChatbotWelcome.png | runner.exe
    File created | C:\Windows\iassist\log4net.xml | runner.exe
    File created | C:\Windows\iassist\Microsoft.Web.WebView2.Core.xml | runner.exe
    File created | C:\Windows\IAssist\MaterialDesignThemes.Wpf.dll | msiexec.exe
    File created | C:\Windows\IAssist\System.Net.Http.Primitives.dll | msiexec.exe
    File created | C:\Windows\iassist\Solutions\18000\GitInstallation.ankscpt | runner.exe
    File created | C:\Windows\iassist\custom_scripts\682\delCredential.bat | runner.exe
    File created | C:\Windows\Installer\e57ea71.msi | msiexec.exe
    File created | C:\Windows\iassist\MaterialDesignThemes.Wpf.pdb | runner.exe
    File created | C:\Windows\iassist\Microsoft.Web.WebView2.WinForms.xml | runner.exe
    File created | C:\Windows\iassist\runtimes\win-arm64\native\WebView2Loader.dll | runner.exe
    File created | C:\Windows\iassist\Solutions\16008\7zipInstall.ankscpt | runner.exe
    File created | C:\Windows\iassist\System.Net.Http.Primitives.xml | runner.exe
    File created | C:\Windows\iassist\custom_scripts\26\disablesystemrestart.bat | runner.exe
    File created | C:\Windows\iassist\custom_scripts\662\clearfirefoxcookiescachehistory.bat | runner.exe
    File opened for modification | C:\Windows\Installer\ | msiexec.exe
    File opened for modification | C:\Windows\iassist\MaterialDesignThemes.Wpf.dll | runner.exe
    File opened for modification | C:\Windows\IAssist\logs\iAssistHelper_06142024.log | IAssistHelper.exe
    File opened for modification | C:\Windows\iassist\HealITApp.exe | runner.exe
    File opened for modification | C:\Windows\IAssist\logs\iAssistHelper_06142024.log | IAssistHelper.exe
    File created | C:\Windows\iassist\runtimes\win-x86\native\WebView2Loader.dll | runner.exe
    File created | C:\Windows\iassist\Solutions\16024\showprofile.bmp | runner.exe
    File created | C:\Windows\iassist\custom_scripts\2\enablepopupinie.bat | runner.exe
    File created | C:\Windows\IAssist\log4net.dll | msiexec.exe
    File created | C:\Windows\iassist\IAssistHelperN.exe | runner.exe
    File created | C:\Windows\iassist\Telerik.Windows.Data.DLL | runner.exe
    File opened for modification | C:\Windows\iassist\x86\SQLite.Interop.dll | runner.exe
    File opened for modification | C:\Windows\IAssist\iAssistStatus.ll | IAssistHelper.exe
    File created | C:\Windows\IAssist\IAssistApp.png | msiexec.exe
    File created | C:\Windows\iassist\iAssist32.exe | runner.exe
    File created | C:\Windows\iassist\Solutions\16051\AddSignatureToOutlook.ankscpt | runner.exe
    File created | C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_02ABC302708F8D56C0169B.exe | msiexec.exe
    File created | C:\Windows\iassist\Microsoft.Web.WebView2.Wpf.xml | runner.exe
    File created | C:\Windows\iassist\iAssist64.exe | runner.exe
    File created | C:\Windows\iassist\Solutions\16023\outlookNotConnected.ankscpt | runner.exe
    File created | C:\Windows\iassist\Solutions\16024\teamsStatus.ankscpt | runner.exe
    File opened for modification | C:\Windows\iassist\System.Net.Http.Extensions.dll | runner.exe
    File created | C:\Windows\iassist\custom_scripts\901\901.ps1 | runner.exe
    File opened for modification | C:\Windows\IAssist\signature.log | HealITService.exe
    File created | C:\Windows\IAssist\System.Runtime.InteropServices.dll | msiexec.exe
    File opened for modification | C:\Windows\iassist\HealITApp.exe.config | runner.exe
    File created | C:\Windows\IAssist\iAssistStatus.ll | IAssistHelper.exe
Executes dropped EXE (7 IoCs)
  Processes:
    pid | Process
    2844 | runner.exe
    3320 | runner.exe
    4720 | HealITService.exe
    2188 | AnakageProactive.exe
    1768 | IAssistHelper.exe
    3064 | IAssistHelper.exe
    3160 | IAssistHelper.exe
Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid | Process
    1944 | sc.exe
    3856 | sc.exe
Loads dropped DLL (9 IoCs)
  Processes:
    pid | Process
    4884 | MsiExec.exe
    4884 | MsiExec.exe
    3288 | MsiExec.exe
    3288 | MsiExec.exe
    1976 | MsiExec.exe
    1976 | MsiExec.exe
    1976 | MsiExec.exe
    2188 | AnakageProactive.exe
    2188 | AnakageProactive.exe
  Processes:
    pid | Process
    4004 | powershell.exe
    2756 | powershell.exe
    2144 | powershell.exe
    60 | powershell.exe
    4516 | powershell.exe
    4832 | powershell.exe
    332 | powershell.exe
    3800 | powershell.exe
    3644 | powershell.exe
    2428 | powershell.exe
    1208 | powershell.exe
    1316 | powershell.exe
    2552 | powershell.exe
    3936 | powershell.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid | Process
    1352 | schtasks.exe
    1516 | schtasks.exe
    3064 | schtasks.exe
Kills process with taskkill (9 IoCs)
  Processes:
    pid | Process
    4448 | taskkill.exe
    4092 | taskkill.exe
    3860 | taskkill.exe
    2376 | taskkill.exe
    4104 | taskkill.exe
    1516 | taskkill.exe
    3824 | taskkill.exe
    4844 | taskkill.exe
    3368 | taskkill.exe
Modifies data under HKEY_USERS (64 IoCs)
  Processes:
    description | ioc | Process
    Key created | \REGISTRY\USER\.DEFAULT\Software | cscript.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | cscript.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | cscript.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | cscript.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MsiExec.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | runner.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | cscript.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | cscript.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsiExec.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | runner.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MsiExec.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
    Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | cscript.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Modifies registry class (49 IoCs)
  Processes:
    description | ioc | Process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Extensions.dll | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.dll | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Data.SQLite.dll | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|log4net.dll | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Data.SQLite.dll\System.Data.SQLite,Version="1.0.113.0",Culture="neutral",PublicKeyToken="DB937BC2D44FF139",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e0076007e00240024002d0057004800340050006c007e006a006c00430072003d00300058007d00740000000000 | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\PackageName = "iAssistInstaller.msi" | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignColors.dll | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITService.exe | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Media\1 = ";" | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Primitives.dll\System.Net.Primitives,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e002b002500620060004d002d005b0046004100660038002e0025007e005e0035006f0035003000600000000000 | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\05B419C9DAA35234196526056BB4144A | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.WebRequest.dll\System.Net.Http.WebRequest,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e003d0052006c003f0041002e00390053007a0026002b00430073007300720059004400400021002a0000000000 | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Primitives.dll\System.Net.Http.Primitives,Version="4.2.29.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00760032002c006100260041006c005d004c0045005800270048004b003500580027002d005a004b0000000000 | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17 | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\DeploymentFlags = "3" | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Version = "16777216" | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|log4net.dll\log4net,Version="2.0.8.0",Culture="neutral",PublicKeyToken="669E0DDF0BB1AA2A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e002b00480029007d005f002b0075004e00510069004b005a0073006e00500037007e00770031004c0000000000 | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Primitives.dll | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.dll | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignThemes.Wpf.dll\MaterialDesignThemes.Wpf,Version="2.3.1.953",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e004f00650063003f003100250071007e0044005300620064002700260078006800580070002800550000000000 | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\AuthorizedLUAApp = "0" | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\ProductName = "Heal-IT" | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITApp.exe | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Assignment = "1" | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Media | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.dll\System.Net.Http,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00270035007900510032002a007b0075005b0070002e005800400064004a004c007b0039003800300000000000 | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignColors.dll\MaterialDesignColors,Version="1.2.6.1513",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00450035005a00640051007500260078005a004a006b007e003f00560043004b00460025007700370000000000 | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.WebRequest.dll | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignThemes.Wpf.dll | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\ProductIcon = "C:\\Windows\\Installer\\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\\_6FEFF9B68218417F98F549.exe" | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.InteropServices.dll | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Net | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0AB52F2AEA687534CA2F2A3890F8FB17 | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\PackageCode = "69E5F2D9D6074DD4F8444A206B511434" | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Language = "1033" | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.dll\System.Runtime,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00690049005f00670043007b004a004a0074005f00750052006e00370040007a00730034007600700000000000 | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\AdvertiseFlags = "388" | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.InteropServices.dll\System.Runtime.InteropServices,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e0053004f004f00670062002b004f004e007300370028004e006500610031004f00610058003800680000000000 | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0AB52F2AEA687534CA2F2A3890F8FB17\DefaultFeature | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Extensions.dll\System.Net.Http.Extensions,Version="2.2.29.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e003f006a00560058004c003f007e007b006c006c00340068006f004000330060007e0067006c00700000000000 | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITService.exe\HealITService,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00700028005400410036003200770070002700660073005f004400720047006500240067003200710000000000 | msiexec.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Primitives.dll | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITApp.exe\HealITApp,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e0054003d0045007a00600041007600260021007600250039006e0044005300410025005e003100260000000000 | msiexec.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\InstanceType = "0" | msiexec.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\05B419C9DAA35234196526056BB4144A\0AB52F2AEA687534CA2F2A3890F8FB17 | msiexec.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Clients = 3a0000000000 | msiexec.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (49 IoCs)
  Processes:
    pid | Process
    4056 | msiexec.exe
    4056 | msiexec.exe
    4516 | powershell.exe
    4516 | powershell.exe
    4832 | powershell.exe
    4832 | powershell.exe
    2756 | powershell.exe
    2756 | powershell.exe
    2188 | AnakageProactive.exe
    2188 | AnakageProactive.exe
    4720 | HealITService.exe
    332 | powershell.exe
    332 | powershell.exe
    4720 | HealITService.exe
    2188 | AnakageProactive.exe
    2188 | AnakageProactive.exe
    3800 | powershell.exe
    3800 | powershell.exe
    3800 | powershell.exe
    3644 | powershell.exe
    3644 | powershell.exe
    3644 | powershell.exe
    3936 | powershell.exe
    3936 | powershell.exe
    3936 | powershell.exe
    4720 | HealITService.exe
    2188 | AnakageProactive.exe
    2188 | AnakageProactive.exe
    2144 | powershell.exe
    2144 | powershell.exe
    2144 | powershell.exe
    4004 | powershell.exe
    4004 | powershell.exe
    4004 | powershell.exe
    2428 | powershell.exe
    2428 | powershell.exe
    2428 | powershell.exe
    1208 | powershell.exe
    1208 | powershell.exe
    1208 | powershell.exe
    60 | powershell.exe
    60 | powershell.exe
    60 | powershell.exe
    1316 | powershell.exe
    1316 | powershell.exe
    1316 | powershell.exe
    2552 | powershell.exe
    2552 | powershell.exe
    2552 | powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description | pid | Process
    Token: SeShutdownPrivilege | 2800 | msiexec.exe
    Token: SeIncreaseQuotaPrivilege | 2800 | msiexec.exe
    Token: SeSecurityPrivilege | 4056 | msiexec.exe
    Token: SeCreateTokenPrivilege | 2800 | msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege | 2800 | msiexec.exe
    Token: SeLockMemoryPrivilege | 2800 | msiexec.exe
    Token: SeIncreaseQuotaPrivilege | 2800 | msiexec.exe
    Token: SeMachineAccountPrivilege | 2800 | msiexec.exe
    Token: SeTcbPrivilege | 2800 | msiexec.exe
    Token: SeSecurityPrivilege | 2800 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 2800 | msiexec.exe
    Token: SeLoadDriverPrivilege | 2800 | msiexec.exe
    Token: SeSystemProfilePrivilege | 2800 | msiexec.exe
    Token: SeSystemtimePrivilege | 2800 | msiexec.exe
    Token: SeProfSingleProcessPrivilege | 2800 | msiexec.exe
    Token: SeIncBasePriorityPrivilege | 2800 | msiexec.exe
    Token: SeCreatePagefilePrivilege | 2800 | msiexec.exe
    Token: SeCreatePermanentPrivilege | 2800 | msiexec.exe
    Token: SeBackupPrivilege | 2800 | msiexec.exe
    Token: SeRestorePrivilege | 2800 | msiexec.exe
    Token: SeShutdownPrivilege | 2800 | msiexec.exe
    Token: SeDebugPrivilege | 2800 | msiexec.exe
    Token: SeAuditPrivilege | 2800 | msiexec.exe
    Token: SeSystemEnvironmentPrivilege | 2800 | msiexec.exe
    Token: SeChangeNotifyPrivilege | 2800 | msiexec.exe
    Token: SeRemoteShutdownPrivilege | 2800 | msiexec.exe
    Token: SeUndockPrivilege | 2800 | msiexec.exe
    Token: SeSyncAgentPrivilege | 2800 | msiexec.exe
    Token: SeEnableDelegationPrivilege | 2800 | msiexec.exe
    Token: SeManageVolumePrivilege | 2800 | msiexec.exe
    Token: SeImpersonatePrivilege | 2800 | msiexec.exe
    Token: SeCreateGlobalPrivilege | 2800 | msiexec.exe
    Token: SeCreateTokenPrivilege | 2800 | msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege | 2800 | msiexec.exe
    Token: SeLockMemoryPrivilege | 2800 | msiexec.exe
    Token: SeIncreaseQuotaPrivilege | 2800 | msiexec.exe
    Token: SeMachineAccountPrivilege | 2800 | msiexec.exe
    Token: SeTcbPrivilege | 2800 | msiexec.exe
    Token: SeSecurityPrivilege | 2800 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 2800 | msiexec.exe
    Token: SeLoadDriverPrivilege | 2800 | msiexec.exe
    Token: SeSystemProfilePrivilege | 2800 | msiexec.exe
    Token: SeSystemtimePrivilege | 2800 | msiexec.exe
    Token: SeProfSingleProcessPrivilege | 2800 | msiexec.exe
    Token: SeIncBasePriorityPrivilege | 2800 | msiexec.exe
    Token: SeCreatePagefilePrivilege | 2800 | msiexec.exe
    Token: SeCreatePermanentPrivilege | 2800 | msiexec.exe
    Token: SeBackupPrivilege | 2800 | msiexec.exe
    Token: SeRestorePrivilege | 2800 | msiexec.exe
    Token: SeShutdownPrivilege | 2800 | msiexec.exe
    Token: SeDebugPrivilege | 2800 | msiexec.exe
    Token: SeAuditPrivilege | 2800 | msiexec.exe
    Token: SeSystemEnvironmentPrivilege | 2800 | msiexec.exe
    Token: SeChangeNotifyPrivilege | 2800 | msiexec.exe
    Token: SeRemoteShutdownPrivilege | 2800 | msiexec.exe
    Token: SeUndockPrivilege | 2800 | msiexec.exe
    Token: SeSyncAgentPrivilege | 2800 | msiexec.exe
    Token: SeEnableDelegationPrivilege | 2800 | msiexec.exe
    Token: SeManageVolumePrivilege | 2800 | msiexec.exe
    Token: SeImpersonatePrivilege | 2800 | msiexec.exe
    Token: SeCreateGlobalPrivilege | 2800 | msiexec.exe
    Token: SeCreateTokenPrivilege | 2800 | msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege | 2800 | msiexec.exe
    Token: SeLockMemoryPrivilege | 2800 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   Process
2800  msiexec.exe
2800  msiexec.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   Process
2188  AnakageProactive.exe
2188  AnakageProactive.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                         pid   Process      procid_target
PID 4056 wrote to memory of 4884    4056  msiexec.exe  86
PID 4056 wrote to memory of 4884    4056  msiexec.exe  86
PID 4056 wrote to memory of 4884    4056  msiexec.exe  86
PID 4056 wrote to memory of 2872    4056  msiexec.exe  92
PID 4056 wrote to memory of 2872    4056  msiexec.exe  92
PID 4056 wrote to memory of 3288    4056  msiexec.exe  94
PID 4056 wrote to memory of 3288    4056  msiexec.exe  94
PID 4056 wrote to memory of 3288    4056  msiexec.exe  94
PID 4056 wrote to memory of 2844    4056  msiexec.exe  95
PID 4056 wrote to memory of 2844    4056  msiexec.exe  95
PID 4056 wrote to memory of 2844    4056  msiexec.exe  95
PID 2844 wrote to memory of 1088    2844  runner.exe   98
PID 2844 wrote to memory of 1088    2844  runner.exe   98
PID 2844 wrote to memory of 1088    2844  runner.exe   98
PID 2844 wrote to memory of 4652    2844  runner.exe   100
PID 2844 wrote to memory of 4652    2844  runner.exe   100
PID 2844 wrote to memory of 4652    2844  runner.exe   100
PID 2844 wrote to memory of 2112    2844  runner.exe   102
PID 2844 wrote to memory of 2112    2844  runner.exe   102
PID 2844 wrote to memory of 2112    2844  runner.exe   102
PID 2844 wrote to memory of 3148    2844  runner.exe   104
PID 2844 wrote to memory of 3148    2844  runner.exe   104
PID 2844 wrote to memory of 3148    2844  runner.exe   104
PID 1088 wrote to memory of 4448    1088  cmd.exe      106
PID 1088 wrote to memory of 4448    1088  cmd.exe      106
PID 1088 wrote to memory of 4448    1088  cmd.exe      106
PID 2844 wrote to memory of 3192    2844  runner.exe   107
PID 2844 wrote to memory of 3192    2844  runner.exe   107
PID 2844 wrote to memory of 3192    2844  runner.exe   107
PID 4652 wrote to memory of 4092    4652  cmd.exe      109
PID 4652 wrote to memory of 4092    4652  cmd.exe      109
PID 4652 wrote to memory of 4092    4652  cmd.exe      109
PID 2844 wrote to memory of 460     2844  runner.exe   110
PID 2844 wrote to memory of 460     2844  runner.exe   110
PID 2844 wrote to memory of 460     2844  runner.exe   110
PID 2844 wrote to memory of 1548    2844  runner.exe   111
PID 2844 wrote to memory of 1548    2844  runner.exe   111
PID 2844 wrote to memory of 1548    2844  runner.exe   111
PID 2112 wrote to memory of 3824    2112  cmd.exe      114
PID 2112 wrote to memory of 3824    2112  cmd.exe      114
PID 2112 wrote to memory of 3824    2112  cmd.exe      114
PID 2844 wrote to memory of 3112    2844  runner.exe   115
PID 2844 wrote to memory of 3112    2844  runner.exe   115
PID 2844 wrote to memory of 3112    2844  runner.exe   115
PID 3148 wrote to memory of 3860    3148  cmd.exe      117
PID 3148 wrote to memory of 3860    3148  cmd.exe      117
PID 3148 wrote to memory of 3860    3148  cmd.exe      117
PID 460 wrote to memory of 2376     460   cmd.exe      118
PID 460 wrote to memory of 2376     460   cmd.exe      118
PID 460 wrote to memory of 2376     460   cmd.exe      118
PID 1548 wrote to memory of 4104    1548  cmd.exe      119
PID 1548 wrote to memory of 4104    1548  cmd.exe      119
PID 1548 wrote to memory of 4104    1548  cmd.exe      119
PID 3192 wrote to memory of 1516    3192  cmd.exe      120
PID 3192 wrote to memory of 1516    3192  cmd.exe      120
PID 3192 wrote to memory of 1516    3192  cmd.exe      120
PID 3112 wrote to memory of 3436    3112  cmd.exe      121
PID 3112 wrote to memory of 3436    3112  cmd.exe      121
PID 3112 wrote to memory of 3436    3112  cmd.exe      121
PID 3436 wrote to memory of 1716    3436  net.exe      122
PID 3436 wrote to memory of 1716    3436  net.exe      122
PID 3436 wrote to memory of 1716    3436  net.exe      122
PID 3112 wrote to memory of 3856    3112  cmd.exe      123
PID 3112 wrote to memory of 3856    3112  cmd.exe      123
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes

Each entry is "image (PID): command line", indented by depth in the tree; the sandbox's behaviour tags follow each process as "- " bullets.

C:\Windows\system32\msiexec.exe (PID 2800): msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\iAssistInstaller.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 4056): C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe (PID 4884): C:\Windows\syswow64\MsiExec.exe -Embedding 00FE852D6741C14C0AF6BB93EFDD10A6 C
      - Loads dropped DLL
    C:\Windows\system32\srtasks.exe (PID 2872): C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    C:\Windows\syswow64\MsiExec.exe (PID 3288): C:\Windows\syswow64\MsiExec.exe -Embedding 7DEE8A9BC591A205F5054123A3BE1E47
      - Loads dropped DLL
    C:\Windows\IAssist\runner.exe (PID 2844): "C:\Windows\IAssist\runner.exe" 9
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1088): "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM Campaign.exe /T
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\taskkill.exe (PID 4448): TASKKILL /F /IM Campaign.exe /T
              - Kills process with taskkill
        C:\Windows\SysWOW64\cmd.exe (PID 4652): "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM HealITApp.exe /T
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\taskkill.exe (PID 4092): TASKKILL /F /IM HealITApp.exe /T
              - Kills process with taskkill
        C:\Windows\SysWOW64\cmd.exe (PID 2112): "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM iAssist32.exe /T
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\taskkill.exe (PID 3824): TASKKILL /F /IM iAssist32.exe /T
              - Kills process with taskkill
        C:\Windows\SysWOW64\cmd.exe (PID 3148): "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM iAssist64.exe /T
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\taskkill.exe (PID 3860): TASKKILL /F /IM iAssist64.exe /T
              - Kills process with taskkill
        C:\Windows\SysWOW64\cmd.exe (PID 3192): "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM IAssistHelper.exe /T
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\taskkill.exe (PID 1516): TASKKILL /F /IM IAssistHelper.exe /T
              - Kills process with taskkill
        C:\Windows\SysWOW64\cmd.exe (PID 460): "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM IAssistHelper64.exe /T
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\taskkill.exe (PID 2376): TASKKILL /F /IM IAssistHelper64.exe /T
              - Kills process with taskkill
        C:\Windows\SysWOW64\cmd.exe (PID 1548): "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM AnakageProactive.exe /T
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\taskkill.exe (PID 4104): TASKKILL /F /IM AnakageProactive.exe /T
              - Kills process with taskkill
        C:\Windows\SysWOW64\cmd.exe (PID 3112): "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\atemp.bat"
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net.exe (PID 3436): net stop HealITService
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\net1.exe (PID 1716): C:\Windows\system32\net1 stop HealITService
            C:\Windows\SysWOW64\sc.exe (PID 3856): sc delete HealITService
              - Launches sc.exe
            C:\Windows\SysWOW64\taskkill.exe (PID 4844): TASKKILL /F /IM HealITService.exe /T
              - Kills process with taskkill
            C:\Windows\SysWOW64\taskkill.exe (PID 3368): TASKKILL /F /IM Heal-IT.exe /T
              - Kills process with taskkill
        C:\Windows\SysWOW64\cmd.exe (PID 3208): "C:\Windows\System32\cmd.exe" /C Schtasks /delete /TN AnkActionManager /f
            C:\Windows\SysWOW64\schtasks.exe (PID 3120): Schtasks /delete /TN AnkActionManager /f
        C:\Windows\SysWOW64\cmd.exe (PID 4300): "C:\Windows\System32\cmd.exe" /C Schtasks /delete /TN AnkAnalyticsManager /f
            C:\Windows\SysWOW64\schtasks.exe (PID 2916): Schtasks /delete /TN AnkAnalyticsManager /f
    C:\Windows\syswow64\MsiExec.exe (PID 1976): C:\Windows\syswow64\MsiExec.exe -Embedding F9DFFB1260F3448765056BB548F7B5AC E Global\MSI0000
      - Loads dropped DLL
      - Modifies data under HKEY_USERS
    C:\Windows\IAssist\runner.exe (PID 3320): "C:\Windows\IAssist\runner.exe" 0
      - Drops file in Windows directory
      - Executes dropped EXE
        C:\Windows\SysWOW64\cmd.exe (PID 384): "C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:21:25 ExtractBinResource = C:\Users\Admin\AppData\Local\Temp\\ >> %TEMP%\AnakageInstaller.log
        C:\Windows\SysWOW64\cmd.exe (PID 1788): "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\atemp.bat"
            C:\Windows\SysWOW64\icacls.exe (PID 4648): icacls "C:\Windows\IAssist" /grant Users:(OI)(CI)F
              - Modifies file permissions
            C:\Windows\SysWOW64\attrib.exe (PID 3128): attrib +s +h "C:\Windows\IAssist"
              - Sets file to hidden
              - Views/modifies file attributes
            C:\Windows\SysWOW64\net.exe (PID 3040): net start HealITService
                C:\Windows\SysWOW64\net1.exe (PID 2308): C:\Windows\system32\net1 start HealITService
            C:\Windows\SysWOW64\sc.exe (PID 1944): SC failure "HealITService" reset= 0 actions= restart/0/restart/0/restart/0
              - Launches sc.exe
            C:\Windows\SysWOW64\icacls.exe (PID 3880): icacls "C:\Windows\IAssist\HealITService.exe" /inheritance:d
              - Modifies file permissions
            C:\Windows\SysWOW64\icacls.exe (PID 3672): icacls "C:\Windows\IAssist\HealITService.exe" /remove:g Users
              - Modifies file permissions
            C:\Windows\SysWOW64\icacls.exe (PID 2188): icacls "C:\Windows\IAssist\HealITService.exe" /grant Users:RX
              - Modifies file permissions
            C:\Windows\SysWOW64\schtasks.exe (PID 3264): Schtasks /delete /TN AnkActionManager /f
            C:\Windows\SysWOW64\schtasks.exe (PID 4964): Schtasks /delete /TN AnkAnalyticsManager /f
            C:\Windows\SysWOW64\schtasks.exe (PID 1516): schtasks /create /F /TN AnkAnalyticsManager /XML atemp1.xml
              - Creates scheduled task(s)
            C:\Windows\SysWOW64\schtasks.exe (PID 3064): schtasks /create /F /TN AnkActionManager /XML atemp.xml
              - Creates scheduled task(s)
            C:\Windows\SysWOW64\schtasks.exe (PID 1352): schtasks /create /F /TN AnkRebootManager /XML atemp2.xml
              - Creates scheduled task(s)
        C:\Windows\SysWOW64\cmd.exe (PID 1548): "C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:21:25 ExtractBinResource = C:\Users\Admin\AppData\Local\Temp\\ >> %TEMP%\AnakageInstaller.log
        C:\WINDOWS\SysWOW64\cmd.exe (PID 2868): C:\WINDOWS\System32\cmd.exe /c cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp1.vbs
            C:\Windows\SysWOW64\cscript.exe (PID 3188): cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp1.vbs
              - Modifies data under HKEY_USERS
        C:\WINDOWS\SysWOW64\cmd.exe (PID 2680): C:\WINDOWS\System32\cmd.exe /c cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp2.vbs https://aiops.anakage.com/api/license/?userName=&hostName=Bvrkipts&macAddress&facility=fpt
            C:\Windows\SysWOW64\cscript.exe (PID 3920): cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp2.vbs https://aiops.anakage.com/api/license/?userName=
              - Modifies data under HKEY_USERS
            C:\Windows\SysWOW64\HOSTNAME.EXE (PID 1184): hostName =Bvrkipts
        C:\Windows\SysWOW64\cmd.exe (PID 2592): "C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:21:25 server license = >> %TEMP%\AnakageInstaller.log
        C:\Windows\SysWOW64\cmd.exe (PID 1632): "C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:21:25 Failed to send license >> %TEMP%\AnakageInstaller.log

C:\Windows\system32\vssvc.exe (PID 2520): C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)

C:\Windows\IAssist\HealITService.exe (PID 4720): "C:\Windows\IAssist\HealITService.exe"
  - Drops file in Windows directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
    C:\Windows\IAssist\IAssistHelper.exe (PID 1768): "IAssistHelper" 136
      - Drops file in Windows directory
      - Executes dropped EXE
        C:\WINDOWS\SysWOW64\cmd.exe (PID 1520): C:\WINDOWS\System32\cmd.exe /c powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 332): powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1
              - Drops file in System32 directory
              - Command and Scripting Interpreter: PowerShell
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
    C:\Windows\IAssist\IAssistHelper.exe (PID 3064): "IAssistHelper" 136
      - Drops file in Windows directory
      - Executes dropped EXE
        C:\WINDOWS\SysWOW64\cmd.exe (PID 3112): C:\WINDOWS\System32\cmd.exe /c powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3800): powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1
              - Drops file in System32 directory
              - Command and Scripting Interpreter: PowerShell
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
    C:\Windows\IAssist\IAssistHelper.exe (PID 3160): "IAssistHelper" 136
      - Drops file in Windows directory
      - Executes dropped EXE
        C:\WINDOWS\SysWOW64\cmd.exe (PID 1352): C:\WINDOWS\System32\cmd.exe /c powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2144): powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1
              - Drops file in System32 directory
              - Command and Scripting Interpreter: PowerShell
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses

C:\Windows\IAssist\AnakageProactive.exe (PID 2188): C:\Windows\IAssist\AnakageProactive.exe action
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
    C:\WINDOWS\SysWOW64\cmd.exe (PID 4104): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 3148): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3932): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 4828): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3656): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 1888): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 484): C:\WINDOWS\System32\cmd.exe /c net user Admin /DOMAIN | find "Password last set"
        C:\Windows\SysWOW64\net.exe (PID 3044): net user Admin /DOMAIN
            C:\Windows\SysWOW64\net1.exe (PID 3080): C:\Windows\system32\net1 user Admin /DOMAIN
        C:\Windows\SysWOW64\find.exe (PID 1592): find "Password last set"
    C:\WINDOWS\SysWOW64\cmd.exe (PID 544): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2180): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3520): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2148): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 1228): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 4468): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 4612): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 4032): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3088): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 3900): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3856): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 4372): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 1064): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 1092): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 876): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2300): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3988): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 3980): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 2376): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 4964): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 1112): C:\WINDOWS\System32\cmd.exe /c powershell -ExecutionPolicy ByPass -File C:\Users\Admin\AppData\Local\Temp\Anakage\config\ank.ps1
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4516): powershell -ExecutionPolicy ByPass -File C:\Users\Admin\AppData\Local\Temp\Anakage\config\ank.ps1
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    C:\WINDOWS\SysWOW64\cmd.exe (PID 1940): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 3472): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3956): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 1768): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 4524): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe computersystem get model
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 3208): C:\Windows\System32\wbem\WMIC.exe computersystem get model
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3120): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe computersystem get manufacturer
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 4100): C:\Windows\System32\wbem\WMIC.exe computersystem get manufacturer
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3848): C:\WINDOWS\System32\cmd.exe /c wmic os get Caption
        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4548): wmic os get Caption
    C:\WINDOWS\SysWOW64\cmd.exe (PID 1476): C:\WINDOWS\System32\cmd.exe /c wmic os get Version
        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2728): wmic os get Version
    C:\WINDOWS\SysWOW64\cmd.exe (PID 4608): C:\WINDOWS\System32\cmd.exe /c wmic diskdrive get status
        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 5076): wmic diskdrive get status
    C:\WINDOWS\SysWOW64\cmd.exe (PID 2280): C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command "Get-TimeZone"
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4832): powershell.exe -ExecutionPolicy Bypass -Command "Get-TimeZone"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    C:\WINDOWS\SysWOW64\cmd.exe (PID 2884): C:\WINDOWS\System32\cmd.exe /c net user Admin| find /I "password last set"
        C:\Windows\SysWOW64\net.exe (PID 4424): net user Admin
            C:\Windows\SysWOW64\net1.exe (PID 1460): C:\Windows\system32\net1 user Admin
        C:\Windows\SysWOW64\find.exe (PID 4640): find /I "password last set"
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3920): C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command "Get-WmiObject Win32_USBController"
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2756): powershell.exe -ExecutionPolicy Bypass -Command "Get-WmiObject Win32_USBController"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    C:\WINDOWS\SysWOW64\cmd.exe (PID 1712): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 568): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 2180): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 3644): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3008): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 60): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 2756): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe qfe get Hotfixid,InstalledOn
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 768): C:\Windows\System32\wbem\WMIC.exe qfe get Hotfixid,InstalledOn
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3472): C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass "Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 3 HotFixID | Format-Table -AutoSize"
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3644): powershell.exe -ExecutionPolicy Bypass "Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 3 HotFixID | Format-Table -AutoSize"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    C:\WINDOWS\SysWOW64\cmd.exe (PID 4584): C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass "(Get-Service -Name wuauserv).StartType"
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3936): powershell.exe -ExecutionPolicy Bypass "(Get-Service -Name wuauserv).StartType"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    C:\WINDOWS\SysWOW64\cmd.exe (PID 2776): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 3320): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 4856): C:\WINDOWS\System32\cmd.exe /c wmic path Win32_Battery get DeviceID
        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4704): wmic path Win32_Battery get DeviceID
    C:\WINDOWS\SysWOW64\cmd.exe (PID 5060): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2664): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 744): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 3224): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 772): C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command "(Get-CimInstance Win32_ReliabilityStabilityMetrics | Measure-Object -Average -Maximum -Minimum -Property SystemStabilityIndex).Average"
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4004): powershell.exe -ExecutionPolicy Bypass -Command "(Get-CimInstance Win32_ReliabilityStabilityMetrics | Measure-Object -Average -Maximum -Minimum -Property SystemStabilityIndex).Average"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3420): C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command " (Get-WinEvent -LogName "Application" | Where-Object { $_.Id -eq 1000 -and $_.TimeCreated -ge (Get-Date).AddMonths(-1) }) | Measure-Object | Select-Object -ExpandProperty Count"
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2428): powershell.exe -ExecutionPolicy Bypass -Command " (Get-WinEvent -LogName "Application" | Where-Object { $_.Id -eq 1000 -and $_.TimeCreated -ge (Get-Date).AddMonths(-1) }) | Measure-Object | Select-Object -ExpandProperty Count"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3128): C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command "Get-WinEvent -LogName System | Where-Object { $_.Id -eq 1001 } | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1 |Select-object TimeCreated ,Message
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1208): powershell.exe -ExecutionPolicy Bypass -Command "Get-WinEvent -LogName System | Where-Object { $_.Id -eq 1001 } | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1 |Select-object TimeCreated ,Message
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    C:\WINDOWS\SysWOW64\cmd.exe (PID 4432): C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command "Get-WinEvent -LogName System | Where-Object { $_.Id -eq 6005 -or $_.Id -eq 6006 } | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1 | select-object TimeCreated
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 60): powershell.exe -ExecutionPolicy Bypass -Command "Get-WinEvent -LogName System | Where-Object { $_.Id -eq 6005 -or $_.Id -eq 6006 } | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1 | select-object TimeCreated
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    C:\WINDOWS\SysWOW64\cmd.exe (PID 1352): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 3800): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 1592): C:\WINDOWS\System32\cmd.exe /c %systemroot%\sysnative\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "Get-CimInstance Win32_WinSat"
        C:\Windows\system32\windowspowershell\v1.0\powershell.exe (PID 1316): C:\Windows\sysnative\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "Get-CimInstance Win32_WinSat"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    C:\WINDOWS\SysWOW64\cmd.exe (PID 544): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2296): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3592): C:\WINDOWS\System32\cmd.exe /c powershell -ExecutionPolicy ByPass -File C:\Users\Admin\AppData\Local\Temp\Anakage\config\ank.ps1
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2552): powershell -ExecutionPolicy ByPass -File C:\Users\Admin\AppData\Local\Temp\Anakage\config\ank.ps1
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    C:\WINDOWS\SysWOW64\cmd.exe (PID 1412): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 1704): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
    C:\WINDOWS\SysWOW64\cmd.exe (PID 3640): C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
        C:\Windows\SysWOW64\wbem\WMIC.exe (PID 1616): C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
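The atemp.bat steps in the tree above first run icacls "C:\Windows\IAssist" /grant Users:(OI)(CI)F, then pin HealITService.exe back to Users:RX with /inheritance:d, /remove:g Users and /grant Users:RX; the same directory is later used by the service's helper process as the source of powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1. The check a reviewer wants is what rights Users are left with on each path once those four commands have run. The model below is an added example, not code from the report or from the software's vendor: it implements a deliberately simplified version of icacls inheritance semantics (no deny ACEs, ownership, SIDs or specific-rights masks), and the baseline it starts from (Users:RX inherited from C:\Windows) is an assumption rather than something the report shows.

```python
"""Model what the report's icacls sequence leaves behind for the Users group.

Added example, not code from the sandbox report or from the installer's vendor.
Simplified icacls/NTFS semantics used here:
  - an ACE tagged (OI) is inherited by files below the folder, (CI) by folders;
  - /inheritance:d copies the inherited ACEs onto the object as explicit ACEs
    and then stops inheriting;
  - /remove:g drops every explicit grant ACE for the named principal;
  - /grant adds an explicit grant ACE.
The baseline (Users:RX inherited from C:\\Windows) is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

WRITE_RIGHTS = {"F", "M", "W"}   # icacls simple rights that allow changing file content


@dataclass
class Ace:
    principal: str
    rights: str
    oi: bool = False   # (OI): inherited by files below
    ci: bool = False   # (CI): inherited by folders below


@dataclass
class Node:
    path: str
    is_dir: bool
    aces: list = field(default_factory=list)   # explicit ACEs on this object
    inherits: bool = True
    parent: Optional["Node"] = None

    def all_aces(self):
        """Explicit ACEs plus whatever still flows down from the parent chain."""
        own = list(self.aces)
        if self.inherits and self.parent is not None:
            for ace in self.parent.all_aces():
                if (self.is_dir and ace.ci) or (not self.is_dir and ace.oi):
                    own.append(ace)
        return own

    def effective_rights(self, principal):
        return {a.rights for a in self.all_aces() if a.principal == principal}


# The icacls operations seen in the process tree, as operations on the model.
def grant(node, principal, rights, oi=False, ci=False):
    node.aces.append(Ace(principal, rights, oi, ci))


def inheritance_d(node):
    node.aces = node.all_aces()   # inherited ACEs become explicit copies
    node.inherits = False


def remove_g(node, principal):
    node.aces = [a for a in node.aces if a.principal != principal]


def users_can_modify(node, principal="Users"):
    return bool(node.effective_rights(principal) & WRITE_RIGHTS)


def simulate():
    """Replay the atemp.bat icacls steps; returns Users' rights per path."""
    windows = Node(r"C:\Windows", True)
    grant(windows, "Users", "RX", oi=True, ci=True)   # assumed baseline, see docstring
    iassist = Node(r"C:\Windows\IAssist", True, parent=windows)
    svc = Node(r"C:\Windows\IAssist\HealITService.exe", False, parent=iassist)
    logs = Node(r"C:\Windows\IAssist\logs", True, parent=iassist)
    script = Node(r"C:\Windows\IAssist\logs\Ank.ps1", False, parent=logs)

    grant(iassist, "Users", "F", oi=True, ci=True)   # icacls "C:\Windows\IAssist" /grant Users:(OI)(CI)F
    inheritance_d(svc)                               # icacls HealITService.exe /inheritance:d
    remove_g(svc, "Users")                           # icacls HealITService.exe /remove:g Users
    grant(svc, "Users", "RX")                        # icacls HealITService.exe /grant Users:RX

    return {n.path: n.effective_rights("Users") for n in (iassist, svc, logs, script)}


if __name__ == "__main__":
    for path, rights in simulate().items():
        print(f"{path:45} Users -> {sorted(rights)}")
```

Running it shows the executable ending at RX for Users while the directory, the logs folder and Ank.ps1 keep F through inheritance. On a real host the equivalent check after install is icacls C:\Windows\IAssist /t (or Get-Acl); the question to answer is whether any file that a privileged process executes or reads remains writable by unprivileged users.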
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
- System Services (1)
  - Service Execution (1)
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
Downloads (dropped files; the report lists hashes only, no file names)
-
Filesize: 124KB
MD5: 60e2504a3d9fcb2aef0e9032e1272921
SHA1: 1acd8626a81113858bfab1d53258fecb5096bd99
SHA256: 25a11f35d1d84cf96a82d233d489d98480159b4c85f5e434a6f8816bb49c50eb
SHA512: 7b368ce131ec75ea8a04cabf0c0bb4927e9a78a8c8f3fb1aa0ea28bc56e4ec7468c7c4490f3c64a29c4f244db49aabd45c9f3a7c24570cafa4ee60b7e6624074
-
Filesize: 150B
MD5: fdbbdb01ebc78a136a78f17e1e2e40d8
SHA1: 955db341bacbe1a4f3fa6225c9576b90c07e9499
SHA256: a0314ff4cb7d286bcf94cf5b862e96122ddf6fea6af1014b71253e04cf67c94b
SHA512: 5492a71f6a9e9f55f57c32ea9a632e090daf32103bcf996ea6b5939b984ceb32fb6e786b5abda6e8ef6432eba3cec06092d6f7ddbe5b8299594a59ffd7848065
-
Filesize: 298KB
MD5: 684f2d21637cb5835172edad55b6a8d9
SHA1: 5eac3b8d0733aa11543248b769d7c30d2c53fcdb
SHA256: da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
SHA512: 7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 425B
MD5: 542a3f3d2d3e38d9ee58c70e743d6aef
SHA1: 832577ce0808e6a9bb1625fdd9aa21748a54d490
SHA256: dabcc7a2aeb0b9d6f340e770a4c124519e4b9a33031b7cee7dd0a064ff5e74dc
SHA512: 0b70a295a116af8e5fa6a17c548106fa21d7eb83c0b099b209f6ebed9cb56ee039a1ca7612fb8b673b429796e2e0101ec15d8c81e90c021f6ce9722ff510320b
-
Filesize: 1KB
MD5: e4a5ef6526bcc16e97e83da01f4ebf03
SHA1: 5046ed1e16bd147491f70a9089848860e85e072f
SHA256: 0c3ee6c475599034bb0ada3015df76fc399aa26c5c87ae4da62b20da1f37039e
SHA512: 420f6991457e68e7149fdb946d2f191ba581ae91ba86a1a56bc505fb73c6b791aeb3c2094abf25592a1dfe8f3a2cf814b9cad615796bcd192053ce9daa36b4b6
-
Filesize: 400B
MD5: 9d0c6bf00d6ea0d444f8e5df8034a15e
SHA1: 5cf14b0238cec3b8f03cde8659b2f9efa7772974
SHA256: e4b3a9af656f2dbab1a4bb11c6f5a3661b0e029751351a398506ae30eeb1daa2
SHA512: 739a76c6f28e1ba4ee4b44e1f338bfb79dd8f07c7793820d5feb86b89b60f5a45c85051c605ff6c4a5b675394008a86b121400af004f97117e1211fb8aa0dfbd
-
Filesize: 1.5MB
MD5: 92256b73a07831c012896ef89a836656
SHA1: 69ff4ce667c9a0d12f9467d4bf6c521ae81ccf9e
SHA256: 5019a5e128a7a65c86df69b819235b636dcc73a47d730a1bb4c183cad8c4a550
SHA512: ff277549220b75176070d5b29fb2abf4b08fc8b356c98544ec7c3526f736a6c8d99111ed94df45e6428d8436750581b5e1df5c3a604438c6de4c36bcede04180
-
Filesize: 147KB
MD5: 8e6fec9071a1084873bcce13fe064a42
SHA1: efee18f56d892723d75427ad290fbeeabb7b1888
SHA256: 01da7957ee307cb02732acf294d3bd3560a51a0d1d0afeee6cd4e5c0cf455cf8
SHA512: 4fd6fd9706db498d2467e43f38341187442f174d5b9b4e152a721e4f6ba1f010678a1bca2e770875dc44f5c5cdc9f6a1ceab99ae14d8c02f07ca27f638aa355c
-
Filesize: 191B
MD5: 9ae1589235924ca09ca772c85d5b09d5
SHA1: 349b79111169fe4599ff6206cb702d9889a13f53
SHA256: 56a2ff0cbc50211c27e8e1dbc6dac1ea959987dc21bbd3ca5cfdadcb0534181a
SHA512: f07e406cc2ca62e966c2a3284f4a870f5e429c45ca16cdd4d74e3f853756409fd0ff4ec5da18511e10fe60344f3ddc5fce4c264737820290000874c10db5bace
-
Filesize: 894KB
MD5: 50ded9235a03b899c17c5d69287ceb91
SHA1: dbe0356e44b8b842d4a38fc02e37e0816b7ef448
SHA256: d9445e06f8d3a1364bf710c4060f1efdecb9d3371dc6cedc4a3ed33e7ab7eb44
SHA512: dd5f2f29560f5f1de6051eee5dc0d0f0be74e31445dfb97dd1d36f2c692ff89969c79188d4329a53f25ede0bc31d3d912fa787ab94f12aa8ffb06f54cec5a6a2
-
Filesize: 189B
MD5: ef0181de18ef3951806c0ad63b897ba4
SHA1: 4b6a4b0f7fbbbd1dceab385e7fac74a35fc132cb
SHA256: e8decc96235b5494880083eb79c22c84c6d9ef312828baf9490bee7782c350ec
SHA512: b1816817e8deaa7b22bc51966e9debed46b254be6463f2ac0204be348baefb751c5d846a5353d43cce66a005a73f6226462b8ec8b59d4e16a54130c327c68b79
-
Filesize: 323KB
MD5: 1818f9ea0069636728dcb60f9096098e
SHA1: 0e841decb0f995629bf86b5a68a9c98d7c962671
SHA256: 65a96a8134f1071d1c042034ecd35949cc49b941a96c067ad310bf3ff897d122
SHA512: ce97d67a34b67edbc677b885327c85bcb33d06542b0919f8ce61129718287f7de1e2d28a5062ce9038378545be65c7055e32b5aa6067673abceea2430e0aa963
-
Filesize: 31KB
MD5: 111dd3382e71828ec2a96ac5679ed44b
SHA1: 44eec2e255517bad36d69a0b268c039fad1d4af3
SHA256: cfcbcc0e8de1a8dfa10186e47400ac598cf5136a9f16b89a13e6155b021bbf88
SHA512: e285d3823c5daa8476c33ff7187559fe22e3f912b19e3e3716931084585f71c959eb21b3c2ced2dda916c15f90b1fecff68aa357507fa4bd1b7c3f8fdb2bb09b
-
Filesize: 25KB
MD5: 5828b1def77255e28d4bbab6af0fecaa
SHA1: 7838bd801aba18235be5b7fc46c4a9de9f375892
SHA256: 4d385bdb2e1cf6fbdbe80d8910b4876f202628c838707f68d7291e7c26453465
SHA512: a6f5b7fcb34f022955aaf5a127ec52efb97095f41ce90b4ede63db8b6b0cf40ad3ba9cfd197182208e035316b97fe5ea66134cfdb9122fbe7eb3c2b14d61804a
-
Filesize: 126KB
MD5: a05f57db2637ab9d369b514f095d8bb7
SHA1: a6da636f526039d9a25faa39fda0859af2e5cfa3
SHA256: bb83cce0d9db3bc829e680e12bdda6204b7b6af2776c7bb9d0988c7ab0a46aec
SHA512: 0dfec886106836d236dd6a1b36496bd43bc1785fd7c6355723d76dbd38a5a2455e1ee59effa077bfc3cacf6a1d272d1cf724ff761d5d64e57c1aec79a2fdc81b
-
Filesize: 811KB
MD5: 4f8a4a0ad6c94b60db955ba3e7033e8e
SHA1: 90d68a63b629f39a49d69968df16cb1221550fcf
SHA256: b69a3d5ed7fd451d9fa6e16813785a3d5630e0940a8eb16dff241c2639310da9
SHA512: 6f639540349bab213c3f6cd06163e1bf5a2164374bac1f3cf99641d15a1303cf9e3b758d34986bd29b69db6b27543ddd349b763067e31b0adac9a7580ff43569
-
Filesize: 824B
MD5: 2d9a034020c26454e8850de89ffccf89
SHA1: 2fe7659d9aae5a19eb56ec0288aa06b915bfc41a
SHA256: 90a1b8ca73d051198360f0999697a1d695f798a326ff472bf7e34acb4df38ae3
SHA512: 81a4f9538279f9fb21b88c4b7544625e45d62e366fc1bd885093107ea848768ce6b7a015a790c952f3c395611c5ead022a25136f68b50885b528c55b18722a8c
-
Filesize
169B
MD515e7325ab895c6883e065028bfe4073b
SHA180716821669c7f0e20838163ee0a69f9df29c8de
SHA256ffe366dda2cac1f1371f6ce701043bb7ff60540f4752821d82676b433a88d4ac
SHA512dc358d20e5b398a20bed1f73ff1d35a9896992ddf2b80044b755be9ae9eacf006d727d636d2f5f5613c453c828a1ac07fd126778ec7d8d2293e68e6be4de2917
-
Filesize
102B
MD5451168cab68f4ab6a2b4781d0dc08783
SHA1016103a27a226afa6fd13c198d820bafc101696e
SHA256faf8e3f9fae824e21065fe719e54417bda07c956ea9ebf3b0bbac1f0e0879fc6
SHA5123ee55d8f494a8d1bf238baa1d3b514ff62e8be52096cd7d134b6bc21671e4240ed7fe7d177f44a66a623865e18fcc72b3ab97d0af8b48a2b597c503649dbbf41
-
Filesize
107B
MD5359c8fe8d3aedb58f1f6ac12ec71fceb
SHA17c131d5449909ad08a722077f876dd09ce8597bc
SHA25648385e54acb365b08bc45e7a415a00061a50fe477fc1971477182bb5d1f4059c
SHA51262c65953c632f56f62644b35b3857e1b8a568e31f8e2875c4c5c9b296997ce1e7dfdebcc3746c9b3fe339e11fcf78eaa5644f9954fa6ffd5736aeb4767108135
-
Filesize
695B
MD5e002711daf08cb7759d3dc8698d4697a
SHA191943f90129a0120b852620b0c5fbe0a4ac45778
SHA256097e3c4633121032aee95250fdd82336023fd9c10b3df29e183eff9967fa607c
SHA51258c4faf6227efc80c98c690df739fe60ac9d03c7e76f99bc9086ae80acf2d9d70d3567c857568c83cd5f8bf4dcd42c808afb8f3ab34ce80636cc4eb41f20a74b
-
Filesize
237B
MD54d38aade6327e6e68a30ed66e14b859e
SHA17930eece118941528247e36181436f040815a9d0
SHA256bcf79cd5e78b91020322b3b12a885b7d11a18e72b5b15ba0906efbf5a3d92cfb
SHA512398d0a18497c640c912ba739e84ab3957d9e59a07a93f05481ce99c7aee84d25abdb531a1a8cac59d4279016cea5dc4bfa30399ce09bade6b01fac9790a28353
-
Filesize
696B
MD5d636cfecf3dffd81ec0aa21f082bb979
SHA13efc9f524520202c6636a167cd1aa2a4dee45f65
SHA25663b7384e2cdbbd0be6d51adb6cd35d1dbc4635220820fd08820ade3ccdb07b98
SHA5122b91141641ece514a8fd692a261a46c5771fff7ab94d5ebfc87722e15119e16b321df515b5e780a79638f159c008fcf70dd822b84067dcbe47d7a9c74488881d
-
Filesize
169B
MD57c575203045e08d227c0195bd71f4a18
SHA1b510d1b4a668b0145f7448edfda496ba11c9abdc
SHA25634a14c7ebb3fa6e841bea6059f634b47e3dfc09d59331e9a234ac51407c2adac
SHA51279e97176c40d1c4cbb6820031797a55b7b409ed83cb0ef90854f10ee701d5a9ee4d790bae73abdaa416b9072252cea81991be1cf7bfdb178d178774147812833
-
Filesize
849B
MD59add21e567084f717a9e9cd9d9a68098
SHA15f3c2f9bc6870dd081b27e6112dcf4f67e2b60a7
SHA25693db3d7a8201ed67a7570048f78b67a5261a713c9713d1df84a4efa12f3da474
SHA512431525f4e81ec911d7a83b12550edd25ef6482e51e55841f47b13dd37b8e6b57cec44965f0e2aab1eab356faebf3d2ba06ef44ce517d1587806cc73625a68c97
-
Filesize
257B
MD55a7e73d99a8b0cb8cc59a7de28d7f41d
SHA1a6cc77b275ae89d29e1bb7b845659bf4079f035b
SHA256e0c415c1cec75f438b7694a0f9a3f337773b231cfa22ae6a913004cfcb94d2d5
SHA5124d6aea98b5f6ef238cf1b7ecd7ac31a2e90e9e9eae571f0d0daa4fed68f81114510273e6dbff73663c5bfd70b22f4a5c007df3cf14db4e770011438a69903c82
-
Filesize
3KB
MD53d8a8a5f2770ee6f32dbbb342081b332
SHA16628d97bc9aa2c43597e2e55c0efad85cc2384a3
SHA256af5aaf70f3bd7006bf366900df19ab4da708172963f493e299b8f5f8739a4a6c
SHA512037a30a0bc770cb98619ab68d6b5e9c983099e21d8b775fce41e65841b62dfe66a896d37d5cb54d4bb59277240d2b4331ed63eec6d0bca8dcf26a69bf885455c
-
Filesize
3KB
MD5fa9d05115cae5c2d8867df46ff9610f4
SHA1d75eb025dec040fe22accf8def8b5c13004f4405
SHA256e0d1ada7761793f3b91cbba6b318b6ca8f71b0e4ad81cc80d87d9b25a8184e55
SHA512a6a973fe9ca9ad96ca7baf1415f864f629429c2b4d72b4e60c20323eade4af44328d6faf248b94d2c181611fa56ba4d2e29e6d9452ed5104ef29393d7deec3f8
-
Filesize
6KB
MD57b0068d0a420ef3b57feaca71a0c3c67
SHA11fdfce4422deae183a2820c83aa7fc6e637bf0c7
SHA2567619f5ee908dab0746d0348c40af64ce12723cbb66171875c56bad0e03d93420
SHA51251eeb17c3d6d2ee8937dbb6678d95b01d0408346a78afcdfebf6149cacf500081fa215d1f4eded4b9b683a950c9b5c48057b2eaafeb7d8fca69183311ff7ce9c
-
Filesize
104KB
MD53397446c7090eccabc67c9ed1e2b9ff7
SHA14e869a09a8c4b59e924938664544332de6d45dc1
SHA256556cd71a538e7ae200f571ea7722afc692e044e814127ee5d67111780608b206
SHA51296f840f2a0cd15d95f16610f2eb7d0f574527eff46c2fb436bb0a48b3afa29801f63eab75b2f4f1fc46eaf81ce3ee11e22b4f36e7f1e13cef4388385caf5e6d3
-
Filesize
106KB
MD53941ccf542c241226104ac61fd1cd373
SHA1636332a86c0c476977f3d9b7eb5d88e40a1a0f07
SHA2561d1191207b4acccda55db6ec688ffc606af1ebb3053060ae04e7edae0f80ce7b
SHA5127034a6a17e45dbef45950a41f60b31c295b7299ced5a34b6a8e98e9698b5a45b3a2d8eb9df845822540802999df244e53a3a264ac2c23d042efca4b946ba28a1
-
Filesize
34.6MB
MD51d0e56b37600e01a44929ad918d21d74
SHA11bdf869933ed3e7f1196f2a2fd8a021adc2e86c5
SHA256b512f37f19537645ded040070d6be27aa8539d8e007bb71527cef4b1c8f20f32
SHA5121199055ba8de84a1f94ab55f0504eb7570e88837897e2e3219fd20ee83c7f3b73f031201787e7bdac5075a10b6313858fd95094035ae8dd946eb4f788ed287c1
-
Filesize
361KB
MD5c1452013e9e2355ee7bafe892b4699bb
SHA1ae87fca94a0be253ced08dded980189288abaa76
SHA2562ad34df853ee9363bfe124751a3a5b1184115127f972b88a4403c482d0022862
SHA512b1bcaa7afd70bc72dbeb568019cfe4a61912bd05812ac1d0fab7b77546532d5cad6cab59f8b17283b3d15d281a1610751461f8b6fb49aab94189c8f12e3def1c
-
Filesize
24.6MB
MD5d9109f8f976cd2045646701991fc8cdf
SHA19c4d2e3b8ca32aa21f56cdcbf13364e1f3fde919
SHA2561494cd02bbafbb7518c7eea9f33b1af6da2e2ae2ca9a11e64e24329af6065127
SHA5120d4c98aa6fcb6f7b53e906d27abfb16239c614d1cfe4460d68790371eb04cf134e18909a8bc5a710961eeb81e8469cf69c269848578445c211e0c4d4b851659c
-
Filesize
3.4MB
MD5df651955f810b70bd9f0ba3a4a883cf0
SHA1069217d29d1ef7699e97c99af70d84d24993720b
SHA25629f62c661c9c5f2ed4eae65bf76632dc0852716dc45867130fa3c12113b825ca
SHA512da21e81be3e50cfa31bbefd4e2be573ef26f56320ca00098d6dded009f4fd770a6f593a0c3ede8651be8a48b5ee6aeee46d589dd16bd126156aaf21f9156a728
-
Filesize
260B
MD58dc3899df72a2bdfc027682048422a37
SHA19f6c657d2ba08068b2bcae443b817d54f3dac574
SHA2567a6a763e21ca205bf7da8134088fe1978a8c2efbcf1c251ba93cdcf00e59ff57
SHA51224c3ef86bbcc57ddbde2d1e323056091d52cb21dba2e143029396b0256ce0fb53879b161a4a874f949bc5da0986d84b293002006ba9f3a06cdf5fdedc1cc8b18
-
Filesize
361KB
MD5d01fdba81ab16eacb785ed15fa1e2545
SHA11cdb43cc816ee91d369b36f898ecfa7d650d8693
SHA2564b1d13881de2e6d3742785dfc96d7ec955da93c07371093a097fb0e2c0b29d2f
SHA512fcca162266bca6fe029d8f97d5741e7f9a92b0d3be8177b30bc7d84c878b7daace01ab605eb6fc33ffbec04e2dec11744d6158752137f01b4b8a389a0daa3d2f
-
Filesize
2KB
MD56ffe8470d26c128e046375b381f419db
SHA1f03da4ed457191f5d1baee0a7ec8ddd4c2e984e3
SHA2565546ecc26122d3929397dcbf40f8b65679646e3735223e2f73562da5e9ed1d66
SHA5128a673633b1688eb152f8b14bcdbba4fd3dd1abd49762c60d182d41074e56ebf67f6a5d23616c5b2687b75e555f1eeb74475229bcd5c478b4198b6bca5a82f1fd
-
Filesize
304KB
MD5e2e62b30056dcc4283d7d2abce686bef
SHA117973122a58474d38a49a07a2d60517450a23aad
SHA256d8c0107204e4540ab24125f684660b7b87545a58c4a94a89746897383038a274
SHA512d0ead99c2fe213f165bc0c86bb5d044e9ce344f7433b0d9ddfa165f22341ab616bc45e3e80caaf7a43312d6bd9f5d1768f595a665c0d2835e40920dc5069d5eb
-
Filesize
4.3MB
MD521f54409dd443367b07c1641d6874417
SHA11a757140c2f3a9edf5b3c9c7edccc438f8d2378f
SHA25622163445e2e3249739bfe19afa009e9946ab6dcf90dbeea7a576316be9ccdd9e
SHA512ac8136324d9afb9ac12783649d17bd87c20a24f2c55ab3d47b1edfb59d314c49ec0dc853453b7094745af71386a9ee4dfa7b08b7b6635a4b56e4a30b905b09dc
-
Filesize
355KB
MD55c1392fa9dd90f66cffd7e111568e5ea
SHA109581a7af51ed183f4c698f36588dd03cc483f38
SHA2561e37284c26f08db40910d989dd9a7b917500b0c24280c8a71f16325ff265d177
SHA5121e1c8553a307b06bff34b422e5cfdd0230162b4c3dd97bc0d736ed5069352692462ba1bc81595711e16d97e25111be93ce9b3b6411f99f12071cad34532f163d
-
Filesize
21KB
MD57f86a47acd4d810ad673af81369f2f26
SHA1cea8da1478f2dee41ed2ecd2059b73d1c161734e
SHA2569c8b87e9a950deb7f28752f875ea82f1b55a70996ac8c12073fcea33664b2048
SHA512372a61489665bd37c552c383faff971fdb2d581d45664a37e5d58dbd894b26b5cc8403800a559f489bb4fa47f088e6e06553eca65efb16ab9867e5a80a0a7aa9
-
Filesize
21KB
MD5b43fd28dfec4d3b81d7fa0f10a2fb62c
SHA10ce6ea5928ba26ff31276f3dbe229b0a9a0149ce
SHA256e9b535f4460c76d67df629ce2cbb84c435a712ca948b61ddaaf31309506b8604
SHA5121d56a3bf36788265a546f7a2280b206febaea17195397ab165ef328b10c29da6ada53182be9a6190d48b4f3c7ad64fc4bf1fa573bad99f7ca400bda073431c02
-
Filesize
200KB
MD56243b50b07cdd14d260680ce5d0872b3
SHA1d85a6450bae0bcf9c80f498a49bf60c556674386
SHA256bab8785a6656f202b4153c887f5f19fa0075afafe728c24af50bd24342e76f75
SHA512a3dd79cc1dda248b8ebee949cd375da99ac46eee6d93adb2172e63ae051fa295ead63b1846cafbb922c92367afbc43cef74c3c64cf095a01cd84eabef53f4b1c
-
Filesize
30KB
MD5b78f49383a0ef23d80b5c96273faf678
SHA1f58d6327c99e52c4a71aca1cc60050ed62defb7d
SHA2566cafc6949abe5ab3563aba18c051b4eb705a4f67e88a65bf9e565f56db5c0b49
SHA5123aab36588f78abe9f6f7a61490b92b7194a0c28b32ade72d7067720e7f1e42677dcaa04a46f49f799f7f7b0a012c3e4cfdff380da000da7c73605fcb7a8d78f2
-
Filesize
32KB
MD5bedad87015d1c9207ba20052b4af9a1e
SHA11ac0320ec5531c78d45f197f024091226153e546
SHA256202bab731eb36d0b3bd4dfc75b97c5f0e3f64e34e9c06a76a9bf678b037ec59d
SHA512afd35e962fe396ce6540bc03943952d2621d4a80d22b7240e565278154ab79e39fd4dd0c22edb3a5f866f1772441929433caa51385a4ea5fe9e8a4026b7e7ac9
-
Filesize
37KB
MD5469b0b8f124b0cd3bb4154820e7a6e4e
SHA1695d5d9bf7238f39ab08bcfe2dbbf7a6095f62af
SHA2565527ea385f5f46ef317221cc68b61dcae41892b7b45d8cbf6453b7e920fbddf9
SHA51275a49560ddf4905964f787da98baa81d5d9809f71b8411f2ad12807e5c65aa645cf0ca1a12170d7e02f8b04a4e23013ca9edece4425acfb2dc52e6ce66ab1e4e
-
Filesize
281KB
MD525f95594ac292cadf79c8390aa458dd6
SHA1c2cfbf45cfcf0bde29894ce0736c6558cab784e7
SHA256ee19cb9c05fc6aaa81f77d4ff9b0114afc16dd9765074806e7078382e8c416ba
SHA5120950df285e510a3da20eae2e15f03a218e59fb26a1533b20795fa1bf720a1dc613eaad98ccaac816080f40e3e947f18bd85cbca62b915083796fb55d5ee5a356
-
Filesize
1.6MB
MD520bf56090460aa02f2294b4c897f6895
SHA155cb7c759f5b5ae4db482b5fdf85ae5dc0a1cd48
SHA256386d9f73dc2b527327d0b9d8c0a6700b901b7e69d9db35ea5c5ea52354b83a9c
SHA51236c704f3cea5042ce242b3152a2ec38918adea14a9ae02f943215e3956c83f891ae6e2e4bb3e64480bf0b85e72d941b928d42be253ed49c21391abb6ed6621a1
-
Filesize
1.3MB
MD59d766cf85c7a5b7d7286633cf8a0474b
SHA135b41e7064691080d39f4c66a7f3ab5941e9ebdd
SHA25630d0c8c8be4397e39acdc8e74d9921a8ee24c6a88411a2eb98eace513e216d36
SHA512087c918420574642af8dec566648ccaa0e25e3a597b3be8204ff82c40e35a48597640f8ad16f24e657ccd7c5e696ab20fbcfec8ab68775c2f3afaa97ba5f4852
-
Filesize
23.7MB
MD5d1e6da3a4699e3386c53d89351664cc8
SHA1eb8da38d055bb3693383143c672e825db1ee804a
SHA2561dd75280949fe18e03f8cf3e72e7d42cf2365c5139c82a701caf2c9a546237c3
SHA5128ce2798f01bbb58234f53fa2dfe6217e8312c6c6a5877dba9c21d25884e896cb306bbba96f895386759c70be9a4f93f14830f337a0295099f9e4d29cbe041779
-
\??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ba0b025c-2174-4398-81cd-47867113b28e}_OnDiskSnapshotProp
Filesize6KB
MD5b6c20a7721637987c39121c36d0aa6bd
SHA1cbdae2d96fba575e57f9bbb108f47a6e64a10780
SHA25688f7be95e9a4a43886fd5fcee4c5c7b848b09e89db20ed75d29198b27dd9fd5b
SHA512e92c72527c7de554b54e45f06cff1e1a1003d56d8c7a3036d131ae3fe0e068f5b52643872629bfcb98bc55717369724d082444df994066e25534866522ef6eaa