Analysis Overview
SHA256
b512f37f19537645ded040070d6be27aa8539d8e007bb71527cef4b1c8f20f32
Threat Level: Likely malicious
The file iAssistInstaller.msi was found to be: Likely malicious.
Malicious Activity Summary
Stops running service(s)
Sets file to hidden
Reads user/profile data of web browsers
Modifies file permissions
Enumerates connected drives
Drops file in System32 directory
Loads dropped DLL
Drops file in Windows directory
Launches sc.exe
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Runs net.exe
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies data under HKEY_USERS
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 07:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 07:18
Reported
2024-06-14 07:23
Platform
win7-20240508-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Stops running service(s)
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\iassist\MaterialDesignThemes.Wpf.xml | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\16055\citrix.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\657\maintainproxy.bat | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\source\21\fix.vbs | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\16024\showprofile.bmp | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\System.Net.Http.Primitives.xml | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\runner.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\runtimes\win-x86\native\WebView2Loader.dll | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\Installer\f775227.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\iassist\log4net.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\2\enablepopupinchrome.bat | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\662\clearfirefoxcookiescachehistory.bat | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\IAssist\HealITApp.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\iassist\IAssistApp.png | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\proactiveDatabase.db | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\sqlite3.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\StemmersNet.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\cpprest_2_10.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\runtimes\win-x64\native\WebView2Loader.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\16022\NewProfile.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\18003\IssuesWithOpeningHyperlinkInOutlook.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\iassist\System.Net.Http.dll | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\iassist\System.Net.Http.Extensions.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Telerik.Windows.Controls.Navigation.DLL | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Telerik.Windows.Data.DLL | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\IAssist\x64\SQLite.Interop.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\iassist\CampaignLogo.png | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Microsoft.Web.WebView2.Wpf.xml | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\18001\NodeJS.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\21\deletechromebrowsinghistory.bat | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\678\iecookiesandtrustedsites.bat | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\18005\PrinterTroubleshooter.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_A4E76B87B556A45C6A7778.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\iassist\AnakageProactive.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\ChatbotWelcome.png | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\16020\delCredential.bat | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Porter2Stemmer.dll | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\IAssist | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\IAssist\System.Net.Http.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\iassist\IAssistHelperN64.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\MH64.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\MHN64.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\IAssist\HealITApp.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\iassist\banner.jpg | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\iassist\MaterialDesignColors.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Telerik.Windows.Controls.DLL | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Microsoft.Web.WebView2.WinForms.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\674\mappednetworkdrive.bat | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\Installer\f775226.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\IAssist\x86\SQLite.Interop.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\IAssist\System.Data.SQLite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\iassist\iAssist32.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\HealITService.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\iAssistN64.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\18002\MaintenanceTroubleshooter.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\IAssist\System.Net.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_6FEFF9B68218417F98F549.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\iassist\Campaign.exe.config | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts.zip | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\IAssist\HealITService.InstallState | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\iassist\AnakageProactivePackager.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\26\disablesystemrestart.bat | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID0DA.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\IAssist\runner.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\runner.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\HealITService.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000020ae07a02bbeda01 | C:\Windows\IAssist\runner.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\c6-5a-ef-ec-97-44 | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000040d20ea02bbeda01 | C:\Windows\IAssist\runner.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\IAssist\runner.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-5a-ef-ec-97-44 | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\IAssist\runner.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\IAssist\runner.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\WpadDecisionTime = e07241a52bbeda01 | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88} | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-5a-ef-ec-97-44\WpadDecisionTime = e07241a52bbeda01 | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\IAssist\runner.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\WpadDecision = "0" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\IAssist\runner.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B751294-F736-4FC7-8A15-590DC1B63F88}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\IAssist\runner.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Extensions.dll\System.Net.Http.Extensions,Version="2.2.29.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e003f006a00560058004c003f007e007b006c006c00340068006f004000330060007e0067006c00700000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\PackageCode = "69E5F2D9D6074DD4F8444A206B511434" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignColors.dll\MaterialDesignColors,Version="1.2.6.1513",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00450035005a00640051007500260078005a004a006b007e003f00560043004b00460025007700370000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Primitives.dll\System.Net.Primitives,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e002b002500620060004d002d005b0046004100660038002e0025007e005e0035006f0035003000600000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITApp.exe\HealITApp,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e0054003d0045007a00600041007600260021007600250039006e0044005300410025005e003100260000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.InteropServices.dll\System.Runtime.InteropServices,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e0053004f004f00670062002b004f004e007300370028004e006500610031004f00610058003800680000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Version = "16777216" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|log4net.dll\log4net,Version="2.0.8.0",Culture="neutral",PublicKeyToken="669E0DDF0BB1AA2A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e002b00480029007d005f002b0075004e00510069004b005a0073006e00500037007e00770031004c0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITService.exe\HealITService,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00700028005400410036003200770070002700660073005f004400720047006500240067003200710000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.WebRequest.dll | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.dll\System.Runtime,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00690049005f00670043007b004a004a0074005f00750052006e00370040007a00730034007600700000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\PackageName = "iAssistInstaller.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|log4net.dll | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignThemes.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignThemes.Wpf.dll\MaterialDesignThemes.Wpf,Version="2.3.1.953",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e004f00650063003f003100250071007e0044005300620064002700260078006800580070002800550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignColors.dll | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.WebRequest.dll\System.Net.Http.WebRequest,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e003d0052006c003f0041002e00390053007a0026002b00430073007300720059004400400021002a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITApp.exe | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.InteropServices.dll | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.dll | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITService.exe | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Data.SQLite.dll\System.Data.SQLite,Version="1.0.113.0",Culture="neutral",PublicKeyToken="DB937BC2D44FF139",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e0076007e00240024002d0057004800340050006c007e006a006c00430072003d00300058007d00740000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Primitives.dll\System.Net.Http.Primitives,Version="4.2.29.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00760032002c006100260041006c005d004c0045005800270048004b003500580027002d005a004b0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Data.SQLite.dll | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0AB52F2AEA687534CA2F2A3890F8FB17 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\05B419C9DAA35234196526056BB4144A | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.dll | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\05B419C9DAA35234196526056BB4144A\0AB52F2AEA687534CA2F2A3890F8FB17 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0AB52F2AEA687534CA2F2A3890F8FB17\DefaultFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\ProductName = "Heal-IT" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.dll\System.Net.Http,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00270035007900510032002a007b0075005b0070002e005800400064004a004c007b0039003800300000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Extensions.dll | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\ProductIcon = "C:\\Windows\\Installer\\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\\_6FEFF9B68218417F98F549.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
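The Products, Features and UpgradeCodes keys above are named by the Windows Installer packed form of the product and upgrade code GUIDs: the first three GUID fields are stored as reversed strings and each of the remaining eight bytes has its two hex digits swapped. Packed 0AB52F2AEA687534CA2F2A3890F8FB17 therefore corresponds to {A2F25BA0-86AE-4357-ACF2-A283098FBF71}, the ProductCode that also names the C:\Windows\Installer\{...} cache directory in the ProductIcon value. The following Python is an added example, not part of the report or of the installer it describes: it converts in both directions and resolves every packed Installer key found in a list of registry paths, using paths copied from the rows above as constructed input.

```python
# Added example (not from the sandbox report or the analysed installer): convert
# between the Windows Installer packed GUID that names
# HKLM\SOFTWARE\Classes\Installer\{Products,Features,UpgradeCodes}\<key> and the
# braced ProductCode/UpgradeCode GUID used for C:\Windows\Installer\{GUID}\.
import re

_PACKED_RE = re.compile(r"^[0-9A-F]{32}$")
_GUID_RE = re.compile(r"^\{?[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}?$")
_INSTALLER_KEY_RE = re.compile(r"\\Installer\\(Products|Features|UpgradeCodes)\\([0-9A-Fa-f]{32})")


def _swap_nibbles(hex16: str) -> str:
    """'CA2F...' -> 'ACF2...': swap the two hex digits of each byte."""
    return "".join(hex16[i + 1] + hex16[i] for i in range(0, len(hex16), 2))


def unpack_guid(packed: str) -> str:
    """Packed key name (32 hex digits) -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'."""
    packed = packed.strip().upper()
    if not _PACKED_RE.match(packed):
        raise ValueError(f"not a packed GUID: {packed!r}")
    # Fields 1-3 are stored as whole reversed strings ...
    p1, p2, p3 = packed[0:8][::-1], packed[8:12][::-1], packed[12:16][::-1]
    # ... and the last 8 bytes with the two hex digits of each byte swapped.
    tail = _swap_nibbles(packed[16:32])
    return f"{{{p1}-{p2}-{p3}-{tail[0:4]}-{tail[4:16]}}}"


def pack_guid(guid: str) -> str:
    """Braced or bare GUID -> packed key name; the inverse of unpack_guid."""
    guid = guid.strip().upper()
    if not _GUID_RE.match(guid):
        raise ValueError(f"not a GUID: {guid!r}")
    h = guid.strip("{}").replace("-", "")
    return h[0:8][::-1] + h[8:12][::-1] + h[12:16][::-1] + _swap_nibbles(h[16:32])


def resolve_installer_keys(registry_paths) -> dict:
    """Every packed Products/Features/UpgradeCodes key in the paths -> (kind, GUID)."""
    found = {}
    for path in registry_paths:
        for kind, packed in _INSTALLER_KEY_RE.findall(path):
            found.setdefault(packed.upper(), (kind, unpack_guid(packed)))
    return found


# Constructed input: registry paths copied from this report's registry section.
SAMPLE_PATHS = [
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\ProductName",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0AB52F2AEA687534CA2F2A3890F8FB17\DefaultFeature",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\05B419C9DAA35234196526056BB4144A",
]

if __name__ == "__main__":
    for packed, (kind, guid) in resolve_installer_keys(SAMPLE_PATHS).items():
        print(f"{kind:<13} {packed} -> {guid}")
```

Resolving the packed keys this way lets the registry rows be matched against the {GUID} cache path under C:\Windows\Installer and against `msiexec /x {GUID}` or Win32_Product output on a live host; the UpgradeCodes key unpacks by the same rule, so both codes can be searched for across an estate.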
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Image | Command line |
| C:\Windows\system32\msiexec.exe | msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\iAssistInstaller.msi |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding A3DFDBBA3481DE1CBB4A81491BC07412 C |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\DrvInst.exe | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "0000000000000060" |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding DBB7C95C25D7B2479685274E4824A5CE |
| C:\Windows\IAssist\runner.exe | "C:\Windows\IAssist\runner.exe" 9 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM Campaign.exe /T |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM HealITApp.exe /T |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM iAssist32.exe /T |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM iAssist64.exe /T |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM IAssistHelper.exe /T |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM IAssistHelper64.exe /T |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM AnakageProactive.exe /T |
| C:\Windows\SysWOW64\taskkill.exe | TASKKILL /F /IM HealITApp.exe /T |
| C:\Windows\SysWOW64\taskkill.exe | TASKKILL /F /IM Campaign.exe /T |
| C:\Windows\SysWOW64\taskkill.exe | TASKKILL /F /IM iAssist32.exe /T |
| C:\Windows\SysWOW64\taskkill.exe | TASKKILL /F /IM iAssist64.exe /T |
| C:\Windows\SysWOW64\taskkill.exe | TASKKILL /F /IM IAssistHelper.exe /T |
| C:\Windows\SysWOW64\taskkill.exe | TASKKILL /F /IM AnakageProactive.exe /T |
| C:\Windows\SysWOW64\taskkill.exe | TASKKILL /F /IM IAssistHelper64.exe /T |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\atemp.bat" |
| C:\Windows\SysWOW64\net.exe | net stop HealITService |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop HealITService |
| C:\Windows\SysWOW64\sc.exe | sc delete HealITService |
| C:\Windows\SysWOW64\taskkill.exe | TASKKILL /F /IM HealITService.exe /T |
| C:\Windows\SysWOW64\taskkill.exe | TASKKILL /F /IM Heal-IT.exe /T |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C Schtasks /delete /TN AnkActionManager /f |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C Schtasks /delete /TN AnkAnalyticsManager /f |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 96D917C31503435FB3204DB1329C6324 M Global\MSI0000 |
| C:\Windows\SysWOW64\schtasks.exe | Schtasks /delete /TN AnkAnalyticsManager /f |
| C:\Windows\SysWOW64\schtasks.exe | Schtasks /delete /TN AnkActionManager /f |
| C:\Windows\IAssist\runner.exe | "C:\Windows\IAssist\runner.exe" 0 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:22:35 ExtractBinResource = C:\Users\Admin\AppData\Local\Temp\\ >> %TEMP%\AnakageInstaller.log |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\atemp.bat" |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\IAssist" /grant Users:(OI)(CI)F |
| C:\Windows\SysWOW64\attrib.exe | attrib +s +h "C:\Windows\IAssist" |
| C:\Windows\SysWOW64\net.exe | net start HealITService |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start HealITService |
| C:\Windows\IAssist\HealITService.exe | "C:\Windows\IAssist\HealITService.exe" |
| C:\Windows\SysWOW64\sc.exe | SC failure "HealITService" reset= 0 actions= restart/0/restart/0/restart/0 |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\IAssist\HealITService.exe" /inheritance:d |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\IAssist\HealITService.exe" /remove:g Users |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\IAssist\HealITService.exe" /grant Users:RX |
| C:\Windows\SysWOW64\schtasks.exe | Schtasks /delete /TN AnkActionManager /f |
| C:\Windows\SysWOW64\schtasks.exe | Schtasks /delete /TN AnkAnalyticsManager /f |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /F /TN AnkAnalyticsManager /XML atemp1.xml |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /F /TN AnkActionManager /XML atemp.xml |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /F /TN AnkRebootManager /XML atemp2.xml |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:22:35 ExtractBinResource = C:\Users\Admin\AppData\Local\Temp\\ >> %TEMP%\AnakageInstaller.log |
| C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\System32\cmd.exe /c cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp1.vbs |
| C:\Windows\SysWOW64\cscript.exe | cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp1.vbs |
| C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\System32\cmd.exe /c cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp2.vbs https://aiops.anakage.com/api/license/?userName=&hostName=Uhrqkjcp&macAddress&facility=fpt |
| C:\Windows\SysWOW64\cscript.exe | cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp2.vbs https://aiops.anakage.com/api/license/?userName= |
| C:\Windows\SysWOW64\HOSTNAME.EXE | hostName =Uhrqkjcp |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:22:35 server license = >> %TEMP%\AnakageInstaller.log |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:22:35 Failed to send license >> %TEMP%\AnakageInstaller.log |
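The process list records one install sequence: forced `TASKKILL /F /IM` of the product's own executables, `net stop` and `sc delete` of HealITService, deletion of the Ank* scheduled tasks, `icacls "C:\Windows\IAssist" /grant Users:(OI)(CI)F`, `attrib +s +h` on that directory, a service start followed by `SC failure ... actions= restart/0/restart/0/restart/0`, and three `schtasks /create ... /XML` calls. Two details deserve attention. The Users grant is inheritable, and as far as the recorded commands show only HealITService.exe is later re-hardened (`/inheritance:d`, `/remove:g Users`, `/grant Users:RX`), so the other files under C:\Windows\IAssist, including the DLLs and scripts listed under Files, keep Full control for Users while a service runs from that directory. Separately, the license URL is passed unquoted through `cmd /c`, and the child processes are consistent with cmd.exe splitting it at each `&`: cscript receives only `...?userName=` and `hostName =Uhrqkjcp` runs as its own command, resolved to HOSTNAME.EXE. The following Python is an added example, not part of the report or of the installer: rule-based triage of raw command lines for this pattern, plus a pass that reports which children of a broadly writable %WINDIR% directory were tightened afterwards. The sample input is copied from the process list above; rule names and ATT&CK mappings are the author's choices.

```python
# Added example (not part of this report or of the analysed installer): rule-based
# triage of Windows process command lines for the install-time tampering pattern
# recorded above. Rule names and ATT&CK mappings are the author's choices; input is
# a list of raw command lines (e.g. Sysmon event 1 / Security 4688 CommandLine).
# Assumes %SystemRoot% is C:\Windows.
import re
from collections import namedtuple

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
_BROAD = {"users", "builtin\\users", "everyone", "authenticated users"}
_WRITE = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO"}   # icacls rights that allow writing
_INHERIT = {"OI", "CI", "IO", "NP", "I"}
_WINDIR = "c:\\windows\\"
Finding = namedtuple("Finding", "rule target technique principal inheritable detail",
                     defaults=("", "", False, ""))   # technique "" when no ATT&CK ID clearly applies

def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted spans whole (quotes stripped)."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]

def image_name(token):
    """'C:\\Windows\\System32\\cmd.exe' -> 'cmd'; 'TASKKILL' -> 'taskkill'."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def parse_grant(spec):
    """icacls grant spec 'Users:(OI)(CI)F' -> (principal, inherit flags, rights)."""
    principal, _, rights = spec.partition(":")
    groups = re.findall(r"\(([^)]*)\)", rights)
    bare = re.sub(r"\([^)]*\)", "", rights)          # simple rights outside parentheses, e.g. F or RX
    perms = {p.strip() for g in groups if g not in _INHERIT for p in g.split(",")}
    return principal, {g for g in groups if g in _INHERIT}, perms | ({bare} if bare else set())

def analyze(cmdline):
    """Findings (possibly none) for one command line."""
    toks = tokenize(cmdline)
    # Unwrap "cmd.exe /C <command>" so the wrapped command is what gets classified.
    if len(toks) > 1 and image_name(toks[0]) == "cmd" and toks[1].lower() == "/c":
        toks = toks[2:]
        if len(toks) == 1 and toks[0].lower().endswith((".bat", ".cmd")):
            return [Finding("batch-script", toks[0], "T1059.003")]
    if not toks:
        return []
    exe, args = image_name(toks[0]), [t.lower() for t in toks[1:]]

    def after(flag):  # original-case token following a switch, or ""
        i = args.index(flag) if flag in args else -1
        return toks[i + 2] if 0 <= i < len(args) - 1 else ""

    if exe == "taskkill" and "/im" in args:
        return [Finding("forced-kill" if "/f" in args else "kill", after("/im"))]
    if exe in ("net", "net1", "sc") and args[:1] in (["stop"], ["start"], ["delete"]) and len(toks) > 2:
        return [Finding(f"service-{args[0]}", toks[2], "" if args[0] == "start" else "T1489")]
    if exe == "sc" and args[:1] in (["failure"], ["config"], ["create"]) and len(toks) > 2:
        return [Finding("service-config", toks[2], "T1543.003", detail=" ".join(toks[3:]))]
    if exe == "schtasks" and ("/create" in args or "/delete" in args):
        op = "create" if "/create" in args else "delete"
        return [Finding(f"schtask-{op}", after("/tn"), "T1053.005" if op == "create" else "", detail=after("/xml"))]
    if exe == "icacls" and len(toks) > 1:
        if "/grant" in args:
            principal, inherit, perms = parse_grant(after("/grant"))
            broad = principal.lower() in _BROAD and bool(perms & _WRITE) and toks[1].lower().startswith(_WINDIR)
            return [Finding("acl-broad-write" if broad else "acl-grant", toks[1], "T1222.001",
                            principal, bool(inherit & {"OI", "CI"}), ",".join(sorted(perms)))]
        if any(a.startswith(("/inheritance:d", "/inheritance:r", "/remove")) for a in args):
            return [Finding("acl-tighten", toks[1], "T1222.001", detail=" ".join(toks[2:]))]
    if exe == "attrib" and "+h" in args:
        paths = [t for t in toks[1:] if t[:1] not in ("+", "-", "/")]
        return [Finding("hide-path", paths[-1] if paths else "", "T1564.001", detail=" ".join(args))]
    return []

def triage(cmdlines):
    return [f for cmd in cmdlines for f in analyze(cmd)]

def broad_write_exposure(cmdlines):
    """%WINDIR% dirs given an inheritable write grant to a broad principal -> children whose
    ACL was later tightened. Everything else below each dir still inherits the grant."""
    findings = triage(cmdlines)
    broad = [f.target.lower().rstrip("\\") for f in findings if f.rule == "acl-broad-write" and f.inheritable]
    tight = {f.target.lower() for f in findings if f.rule == "acl-tighten"}
    return {d: sorted(t for t in tight if t.startswith(d + "\\")) for d in broad}

# Constructed input: command lines copied from this report's process list.
SAMPLE = [
    r'"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM Campaign.exe /T',
    r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\atemp.bat"',
    r'net stop HealITService',
    r'sc delete HealITService',
    r'"C:\Windows\System32\cmd.exe" /C Schtasks /delete /TN AnkActionManager /f',
    r'icacls "C:\Windows\IAssist" /grant Users:(OI)(CI)F',
    r'attrib +s +h "C:\Windows\IAssist"',
    r'net start HealITService',
    r'SC failure "HealITService" reset= 0 actions= restart/0/restart/0/restart/0',
    r'icacls "C:\Windows\IAssist\HealITService.exe" /inheritance:d',
    r'icacls "C:\Windows\IAssist\HealITService.exe" /grant Users:RX',
    r'schtasks /create /F /TN AnkAnalyticsManager /XML atemp1.xml',
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.rule:<16} {f.technique or '-':<9} {f.target} {f.detail}")
    print("still Users-writable under:", broad_write_exposure(SAMPLE))
```

Run against the sample, `broad_write_exposure` returns C:\Windows\IAssist with HealITService.exe as the only tightened child, which is the observation a reviewer would follow up on a live host with `icacls C:\Windows\IAssist /T` and a check of what the service and the Ank* tasks actually load from that directory. Matching on command-line text only is deliberately crude: a second `icacls` run that uses `/grant:r`, a different principal spelling, or a junction path would not be caught, so treat the rules as a triage filter rather than a verdict.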
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 8.8.8.8:53 | crl.sectigo.com | udp |
| US | 8.8.8.8:53 | crl.sectigo.com | udp |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 8.8.8.8:53 | crl.sectigo.com | udp |
| US | 8.8.8.8:53 | crl.sectigo.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | aiops.anakage.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab955F.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarC48C.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6dbfe3a4423efa10a0650ffccf2000fd |
| SHA1 | 459c54030134556041a2c3262f76e3cf12ac7364 |
| SHA256 | 4b8ffaf80e80e16b0af1786e8a5045f6fd0ce62288d40a100c063bad9346e6a3 |
| SHA512 | 0322922ffdf8f0e8141695f3bf5a14c118e95ed125dd28a018d9cfbc5d0a96f18c5264a7e722111509c6fefdf06be0989f2c16c47f56e03f061a9a936713e6e6 |
C:\Users\Admin\AppData\Local\Temp\MSIF446.tmp
| MD5 | 684f2d21637cb5835172edad55b6a8d9 |
| SHA1 | 5eac3b8d0733aa11543248b769d7c30d2c53fcdb |
| SHA256 | da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0 |
| SHA512 | 7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c |
C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_02ABC302708F8D56C0169B.exe
| MD5 | c1452013e9e2355ee7bafe892b4699bb |
| SHA1 | ae87fca94a0be253ced08dded980189288abaa76 |
| SHA256 | 2ad34df853ee9363bfe124751a3a5b1184115127f972b88a4403c482d0022862 |
| SHA512 | b1bcaa7afd70bc72dbeb568019cfe4a61912bd05812ac1d0fab7b77546532d5cad6cab59f8b17283b3d15d281a1610751461f8b6fb49aab94189c8f12e3def1c |
C:\Windows\IAssist\runner.exe
| MD5 | 3397446c7090eccabc67c9ed1e2b9ff7 |
| SHA1 | 4e869a09a8c4b59e924938664544332de6d45dc1 |
| SHA256 | 556cd71a538e7ae200f571ea7722afc692e044e814127ee5d67111780608b206 |
| SHA512 | 96f840f2a0cd15d95f16610f2eb7d0f574527eff46c2fb436bb0a48b3afa29801f63eab75b2f4f1fc46eaf81ce3ee11e22b4f36e7f1e13cef4388385caf5e6d3 |
C:\Users\Admin\AppData\Local\Temp\atemp.bat
| MD5 | 542a3f3d2d3e38d9ee58c70e743d6aef |
| SHA1 | 832577ce0808e6a9bb1625fdd9aa21748a54d490 |
| SHA256 | dabcc7a2aeb0b9d6f340e770a4c124519e4b9a33031b7cee7dd0a064ff5e74dc |
| SHA512 | 0b70a295a116af8e5fa6a17c548106fa21d7eb83c0b099b209f6ebed9cb56ee039a1ca7612fb8b673b429796e2e0101ec15d8c81e90c021f6ce9722ff510320b |
C:\Windows\Installer\MSID530.tmp
| MD5 | 3941ccf542c241226104ac61fd1cd373 |
| SHA1 | 636332a86c0c476977f3d9b7eb5d88e40a1a0f07 |
| SHA256 | 1d1191207b4acccda55db6ec688ffc606af1ebb3053060ae04e7edae0f80ce7b |
| SHA512 | 7034a6a17e45dbef45950a41f60b31c295b7299ced5a34b6a8e98e9698b5a45b3a2d8eb9df845822540802999df244e53a3a264ac2c23d042efca4b946ba28a1 |
C:\Users\Admin\AppData\Local\Temp\CFGD059.tmp
| MD5 | fdbbdb01ebc78a136a78f17e1e2e40d8 |
| SHA1 | 955db341bacbe1a4f3fa6225c9576b90c07e9499 |
| SHA256 | a0314ff4cb7d286bcf94cf5b862e96122ddf6fea6af1014b71253e04cf67c94b |
| SHA512 | 5492a71f6a9e9f55f57c32ea9a632e090daf32103bcf996ea6b5939b984ceb32fb6e786b5abda6e8ef6432eba3cec06092d6f7ddbe5b8299594a59ffd7848065 |
\Windows\IAssist\HealITService.exe
| MD5 | 5828b1def77255e28d4bbab6af0fecaa |
| SHA1 | 7838bd801aba18235be5b7fc46c4a9de9f375892 |
| SHA256 | 4d385bdb2e1cf6fbdbe80d8910b4876f202628c838707f68d7291e7c26453465 |
| SHA512 | a6f5b7fcb34f022955aaf5a127ec52efb97095f41ce90b4ede63db8b6b0cf40ad3ba9cfd197182208e035316b97fe5ea66134cfdb9122fbe7eb3c2b14d61804a |
memory/1408-122-0x0000000000630000-0x000000000063A000-memory.dmp
C:\Windows\iassist\AnakageFiles.zip
| MD5 | d9109f8f976cd2045646701991fc8cdf |
| SHA1 | 9c4d2e3b8ca32aa21f56cdcbf13364e1f3fde919 |
| SHA256 | 1494cd02bbafbb7518c7eea9f33b1af6da2e2ae2ca9a11e64e24329af6065127 |
| SHA512 | 0d4c98aa6fcb6f7b53e906d27abfb16239c614d1cfe4460d68790371eb04cf134e18909a8bc5a710961eeb81e8469cf69c269848578445c211e0c4d4b851659c |
C:\Windows\iassist\HealITApp.exe (captured as a zero-byte file: the hashes below are those of empty input)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\iassist\HealITApp.ico
| MD5 | d01fdba81ab16eacb785ed15fa1e2545 |
| SHA1 | 1cdb43cc816ee91d369b36f898ecfa7d650d8693 |
| SHA256 | 4b1d13881de2e6d3742785dfc96d7ec955da93c07371093a097fb0e2c0b29d2f |
| SHA512 | fcca162266bca6fe029d8f97d5741e7f9a92b0d3be8177b30bc7d84c878b7daace01ab605eb6fc33ffbec04e2dec11744d6158752137f01b4b8a389a0daa3d2f |
C:\Windows\iassist\HealITApp.exe.config
| MD5 | 8dc3899df72a2bdfc027682048422a37 |
| SHA1 | 9f6c657d2ba08068b2bcae443b817d54f3dac574 |
| SHA256 | 7a6a763e21ca205bf7da8134088fe1978a8c2efbcf1c251ba93cdcf00e59ff57 |
| SHA512 | 24c3ef86bbcc57ddbde2d1e323056091d52cb21dba2e143029396b0256ce0fb53879b161a4a874f949bc5da0986d84b293002006ba9f3a06cdf5fdedc1cc8b18 |
C:\Windows\iassist\IAssistApp.png
| MD5 | 6ffe8470d26c128e046375b381f419db |
| SHA1 | f03da4ed457191f5d1baee0a7ec8ddd4c2e984e3 |
| SHA256 | 5546ecc26122d3929397dcbf40f8b65679646e3735223e2f73562da5e9ed1d66 |
| SHA512 | 8a673633b1688eb152f8b14bcdbba4fd3dd1abd49762c60d182d41074e56ebf67f6a5d23616c5b2687b75e555f1eeb74475229bcd5c478b4198b6bca5a82f1fd |
C:\Windows\iassist\log4net.dll
| MD5 | 25f95594ac292cadf79c8390aa458dd6 |
| SHA1 | c2cfbf45cfcf0bde29894ce0736c6558cab784e7 |
| SHA256 | ee19cb9c05fc6aaa81f77d4ff9b0114afc16dd9765074806e7078382e8c416ba |
| SHA512 | 0950df285e510a3da20eae2e15f03a218e59fb26a1533b20795fa1bf720a1dc613eaad98ccaac816080f40e3e947f18bd85cbca62b915083796fb55d5ee5a356 |
C:\Windows\iassist\MaterialDesignThemes.Wpf.dll
| MD5 | 21f54409dd443367b07c1641d6874417 |
| SHA1 | 1a757140c2f3a9edf5b3c9c7edccc438f8d2378f |
| SHA256 | 22163445e2e3249739bfe19afa009e9946ab6dcf90dbeea7a576316be9ccdd9e |
| SHA512 | ac8136324d9afb9ac12783649d17bd87c20a24f2c55ab3d47b1edfb59d314c49ec0dc853453b7094745af71386a9ee4dfa7b08b7b6635a4b56e4a30b905b09dc |
C:\Windows\iassist\MaterialDesignColors.dll
| MD5 | e2e62b30056dcc4283d7d2abce686bef |
| SHA1 | 17973122a58474d38a49a07a2d60517450a23aad |
| SHA256 | d8c0107204e4540ab24125f684660b7b87545a58c4a94a89746897383038a274 |
| SHA512 | d0ead99c2fe213f165bc0c86bb5d044e9ce344f7433b0d9ddfa165f22341ab616bc45e3e80caaf7a43312d6bd9f5d1768f595a665c0d2835e40920dc5069d5eb |
C:\Windows\iassist\System.Data.SQLite.dll
| MD5 | 5c1392fa9dd90f66cffd7e111568e5ea |
| SHA1 | 09581a7af51ed183f4c698f36588dd03cc483f38 |
| SHA256 | 1e37284c26f08db40910d989dd9a7b917500b0c24280c8a71f16325ff265d177 |
| SHA512 | 1e1c8553a307b06bff34b422e5cfdd0230162b4c3dd97bc0d736ed5069352692462ba1bc81595711e16d97e25111be93ce9b3b6411f99f12071cad34532f163d |
C:\Windows\iassist\System.Net.Http.Primitives.dll
| MD5 | b43fd28dfec4d3b81d7fa0f10a2fb62c |
| SHA1 | 0ce6ea5928ba26ff31276f3dbe229b0a9a0149ce |
| SHA256 | e9b535f4460c76d67df629ce2cbb84c435a712ca948b61ddaaf31309506b8604 |
| SHA512 | 1d56a3bf36788265a546f7a2280b206febaea17195397ab165ef328b10c29da6ada53182be9a6190d48b4f3c7ad64fc4bf1fa573bad99f7ca400bda073431c02 |
C:\Windows\iassist\System.Runtime.InteropServices.dll
| MD5 | bedad87015d1c9207ba20052b4af9a1e |
| SHA1 | 1ac0320ec5531c78d45f197f024091226153e546 |
| SHA256 | 202bab731eb36d0b3bd4dfc75b97c5f0e3f64e34e9c06a76a9bf678b037ec59d |
| SHA512 | afd35e962fe396ce6540bc03943952d2621d4a80d22b7240e565278154ab79e39fd4dd0c22edb3a5f866f1772441929433caa51385a4ea5fe9e8a4026b7e7ac9 |
C:\Windows\iassist\System.Runtime.dll
| MD5 | 469b0b8f124b0cd3bb4154820e7a6e4e |
| SHA1 | 695d5d9bf7238f39ab08bcfe2dbbf7a6095f62af |
| SHA256 | 5527ea385f5f46ef317221cc68b61dcae41892b7b45d8cbf6453b7e920fbddf9 |
| SHA512 | 75a49560ddf4905964f787da98baa81d5d9809f71b8411f2ad12807e5c65aa645cf0ca1a12170d7e02f8b04a4e23013ca9edece4425acfb2dc52e6ce66ab1e4e |
C:\Windows\iassist\System.Net.Primitives.dll
| MD5 | b78f49383a0ef23d80b5c96273faf678 |
| SHA1 | f58d6327c99e52c4a71aca1cc60050ed62defb7d |
| SHA256 | 6cafc6949abe5ab3563aba18c051b4eb705a4f67e88a65bf9e565f56db5c0b49 |
| SHA512 | 3aab36588f78abe9f6f7a61490b92b7194a0c28b32ade72d7067720e7f1e42677dcaa04a46f49f799f7f7b0a012c3e4cfdff380da000da7c73605fcb7a8d78f2 |
C:\Windows\iassist\System.Net.Http.Extensions.dll
| MD5 | 7f86a47acd4d810ad673af81369f2f26 |
| SHA1 | cea8da1478f2dee41ed2ecd2059b73d1c161734e |
| SHA256 | 9c8b87e9a950deb7f28752f875ea82f1b55a70996ac8c12073fcea33664b2048 |
| SHA512 | 372a61489665bd37c552c383faff971fdb2d581d45664a37e5d58dbd894b26b5cc8403800a559f489bb4fa47f088e6e06553eca65efb16ab9867e5a80a0a7aa9 |
C:\Windows\iassist\System.Net.Http.dll
| MD5 | 6243b50b07cdd14d260680ce5d0872b3 |
| SHA1 | d85a6450bae0bcf9c80f498a49bf60c556674386 |
| SHA256 | bab8785a6656f202b4153c887f5f19fa0075afafe728c24af50bd24342e76f75 |
| SHA512 | a3dd79cc1dda248b8ebee949cd375da99ac46eee6d93adb2172e63ae051fa295ead63b1846cafbb922c92367afbc43cef74c3c64cf095a01cd84eabef53f4b1c |
C:\Windows\iassist\x86\SQLite.Interop.dll
| MD5 | 9d766cf85c7a5b7d7286633cf8a0474b |
| SHA1 | 35b41e7064691080d39f4c66a7f3ab5941e9ebdd |
| SHA256 | 30d0c8c8be4397e39acdc8e74d9921a8ee24c6a88411a2eb98eace513e216d36 |
| SHA512 | 087c918420574642af8dec566648ccaa0e25e3a597b3be8204ff82c40e35a48597640f8ad16f24e657ccd7c5e696ab20fbcfec8ab68775c2f3afaa97ba5f4852 |
C:\Windows\iassist\x64\SQLite.Interop.dll
| MD5 | 20bf56090460aa02f2294b4c897f6895 |
| SHA1 | 55cb7c759f5b5ae4db482b5fdf85ae5dc0a1cd48 |
| SHA256 | 386d9f73dc2b527327d0b9d8c0a6700b901b7e69d9db35ea5c5ea52354b83a9c |
| SHA512 | 36c704f3cea5042ce242b3152a2ec38918adea14a9ae02f943215e3956c83f891ae6e2e4bb3e64480bf0b85e72d941b928d42be253ed49c21391abb6ed6621a1 |
C:\Users\Admin\AppData\Local\Temp\atemp.bat
| MD5 | e4a5ef6526bcc16e97e83da01f4ebf03 |
| SHA1 | 5046ed1e16bd147491f70a9089848860e85e072f |
| SHA256 | 0c3ee6c475599034bb0ada3015df76fc399aa26c5c87ae4da62b20da1f37039e |
| SHA512 | 420f6991457e68e7149fdb946d2f191ba581ae91ba86a1a56bc505fb73c6b791aeb3c2094abf25592a1dfe8f3a2cf814b9cad615796bcd192053ce9daa36b4b6 |
C:\Windows\IAssist\Anakage.ankscpt
| MD5 | 9d0c6bf00d6ea0d444f8e5df8034a15e |
| SHA1 | 5cf14b0238cec3b8f03cde8659b2f9efa7772974 |
| SHA256 | e4b3a9af656f2dbab1a4bb11c6f5a3661b0e029751351a398506ae30eeb1daa2 |
| SHA512 | 739a76c6f28e1ba4ee4b44e1f338bfb79dd8f07c7793820d5feb86b89b60f5a45c85051c605ff6c4a5b675394008a86b121400af004f97117e1211fb8aa0dfbd |
C:\Windows\IAssist\custom_scripts\2\enablepopupinie.bat
| MD5 | 359c8fe8d3aedb58f1f6ac12ec71fceb |
| SHA1 | 7c131d5449909ad08a722077f876dd09ce8597bc |
| SHA256 | 48385e54acb365b08bc45e7a415a00061a50fe477fc1971477182bb5d1f4059c |
| SHA512 | 62c65953c632f56f62644b35b3857e1b8a568e31f8e2875c4c5c9b296997ce1e7dfdebcc3746c9b3fe339e11fcf78eaa5644f9954fa6ffd5736aeb4767108135 |
C:\Windows\IAssist\custom_scripts\2\enablepopupinchrome.bat
| MD5 | 451168cab68f4ab6a2b4781d0dc08783 |
| SHA1 | 016103a27a226afa6fd13c198d820bafc101696e |
| SHA256 | faf8e3f9fae824e21065fe719e54417bda07c956ea9ebf3b0bbac1f0e0879fc6 |
| SHA512 | 3ee55d8f494a8d1bf238baa1d3b514ff62e8be52096cd7d134b6bc21671e4240ed7fe7d177f44a66a623865e18fcc72b3ab97d0af8b48a2b597c503649dbbf41 |
C:\Windows\IAssist\cpprest_2_10.dll
| MD5 | 4f8a4a0ad6c94b60db955ba3e7033e8e |
| SHA1 | 90d68a63b629f39a49d69968df16cb1221550fcf |
| SHA256 | b69a3d5ed7fd451d9fa6e16813785a3d5630e0940a8eb16dff241c2639310da9 |
| SHA512 | 6f639540349bab213c3f6cd06163e1bf5a2164374bac1f3cf99641d15a1303cf9e3b758d34986bd29b69db6b27543ddd349b763067e31b0adac9a7580ff43569 |
C:\Windows\IAssist\custom_scripts.zip
| MD5 | 1f4b1208d1c6c974e333ca455f9bbf0e |
| SHA1 | a1c62753d2088b57c9de41bba63acde66d8dec8d |
| SHA256 | 11a807394cab631531465d91964f0fbeb33ada9f80fd0be70009d6cdc8994a50 |
| SHA512 | 7315b7c2259334c210b3b25a948fa3f40a1ec246fbef9c48c252f0ab25ce008875106ed39f6d07cb9f2c4740dd0e4d028df221696a6eafe64e150c2f875e6ac6 |
C:\Windows\IAssist\custom_scripts\source\21\fix.vbs
| MD5 | 2d9a034020c26454e8850de89ffccf89 |
| SHA1 | 2fe7659d9aae5a19eb56ec0288aa06b915bfc41a |
| SHA256 | 90a1b8ca73d051198360f0999697a1d695f798a326ff472bf7e34acb4df38ae3 |
| SHA512 | 81a4f9538279f9fb21b88c4b7544625e45d62e366fc1bd885093107ea848768ce6b7a015a790c952f3c395611c5ead022a25136f68b50885b528c55b18722a8c |
C:\Windows\IAssist\custom_scripts\990\GPUpdateRemediation.ps1
| MD5 | 7b0068d0a420ef3b57feaca71a0c3c67 |
| SHA1 | 1fdfce4422deae183a2820c83aa7fc6e637bf0c7 |
| SHA256 | 7619f5ee908dab0746d0348c40af64ce12723cbb66171875c56bad0e03d93420 |
| SHA512 | 51eeb17c3d6d2ee8937dbb6678d95b01d0408346a78afcdfebf6149cacf500081fa215d1f4eded4b9b683a950c9b5c48057b2eaafeb7d8fca69183311ff7ce9c |
C:\Windows\IAssist\custom_scripts\902\902.ps1
| MD5 | fa9d05115cae5c2d8867df46ff9610f4 |
| SHA1 | d75eb025dec040fe22accf8def8b5c13004f4405 |
| SHA256 | e0d1ada7761793f3b91cbba6b318b6ca8f71b0e4ad81cc80d87d9b25a8184e55 |
| SHA512 | a6a973fe9ca9ad96ca7baf1415f864f629429c2b4d72b4e60c20323eade4af44328d6faf248b94d2c181611fa56ba4d2e29e6d9452ed5104ef29393d7deec3f8 |
C:\Windows\IAssist\custom_scripts\901\901.ps1
| MD5 | 3d8a8a5f2770ee6f32dbbb342081b332 |
| SHA1 | 6628d97bc9aa2c43597e2e55c0efad85cc2384a3 |
| SHA256 | af5aaf70f3bd7006bf366900df19ab4da708172963f493e299b8f5f8739a4a6c |
| SHA512 | 037a30a0bc770cb98619ab68d6b5e9c983099e21d8b775fce41e65841b62dfe66a896d37d5cb54d4bb59277240d2b4331ed63eec6d0bca8dcf26a69bf885455c |
C:\Windows\IAssist\custom_scripts\682\delCredential.bat
| MD5 | 5a7e73d99a8b0cb8cc59a7de28d7f41d |
| SHA1 | a6cc77b275ae89d29e1bb7b845659bf4079f035b |
| SHA256 | e0c415c1cec75f438b7694a0f9a3f337773b231cfa22ae6a913004cfcb94d2d5 |
| SHA512 | 4d6aea98b5f6ef238cf1b7ecd7ac31a2e90e9e9eae571f0d0daa4fed68f81114510273e6dbff73663c5bfd70b22f4a5c007df3cf14db4e770011438a69903c82 |
C:\Windows\IAssist\custom_scripts\678\iecookiesandtrustedsites.bat
| MD5 | 9add21e567084f717a9e9cd9d9a68098 |
| SHA1 | 5f3c2f9bc6870dd081b27e6112dcf4f67e2b60a7 |
| SHA256 | 93db3d7a8201ed67a7570048f78b67a5261a713c9713d1df84a4efa12f3da474 |
| SHA512 | 431525f4e81ec911d7a83b12550edd25ef6482e51e55841f47b13dd37b8e6b57cec44965f0e2aab1eab356faebf3d2ba06ef44ce517d1587806cc73625a68c97 |
C:\Windows\IAssist\custom_scripts\674\mappednetworkdrive.bat
| MD5 | 7c575203045e08d227c0195bd71f4a18 |
| SHA1 | b510d1b4a668b0145f7448edfda496ba11c9abdc |
| SHA256 | 34a14c7ebb3fa6e841bea6059f634b47e3dfc09d59331e9a234ac51407c2adac |
| SHA512 | 79e97176c40d1c4cbb6820031797a55b7b409ed83cb0ef90854f10ee701d5a9ee4d790bae73abdaa416b9072252cea81991be1cf7bfdb178d178774147812833 |
C:\Windows\IAssist\custom_scripts\663\deletechromebrowsinghistory.bat
| MD5 | d636cfecf3dffd81ec0aa21f082bb979 |
| SHA1 | 3efc9f524520202c6636a167cd1aa2a4dee45f65 |
| SHA256 | 63b7384e2cdbbd0be6d51adb6cd35d1dbc4635220820fd08820ade3ccdb07b98 |
| SHA512 | 2b91141641ece514a8fd692a261a46c5771fff7ab94d5ebfc87722e15119e16b321df515b5e780a79638f159c008fcf70dd822b84067dcbe47d7a9c74488881d |
C:\Windows\IAssist\custom_scripts\662\clearfirefoxcookiescachehistory.bat
| MD5 | 4d38aade6327e6e68a30ed66e14b859e |
| SHA1 | 7930eece118941528247e36181436f040815a9d0 |
| SHA256 | bcf79cd5e78b91020322b3b12a885b7d11a18e72b5b15ba0906efbf5a3d92cfb |
| SHA512 | 398d0a18497c640c912ba739e84ab3957d9e59a07a93f05481ce99c7aee84d25abdb531a1a8cac59d4279016cea5dc4bfa30399ce09bade6b01fac9790a28353 |
C:\Windows\IAssist\custom_scripts\657\maintainproxy.bat
| MD5 | e002711daf08cb7759d3dc8698d4697a |
| SHA1 | 91943f90129a0120b852620b0c5fbe0a4ac45778 |
| SHA256 | 097e3c4633121032aee95250fdd82336023fd9c10b3df29e183eff9967fa607c |
| SHA512 | 58c4faf6227efc80c98c690df739fe60ac9d03c7e76f99bc9086ae80acf2d9d70d3567c857568c83cd5f8bf4dcd42c808afb8f3ab34ce80636cc4eb41f20a74b |
C:\Windows\IAssist\custom_scripts\26\disablesystemrestart.bat
| MD5 | 15e7325ab895c6883e065028bfe4073b |
| SHA1 | 80716821669c7f0e20838163ee0a69f9df29c8de |
| SHA256 | ffe366dda2cac1f1371f6ce701043bb7ff60540f4752821d82676b433a88d4ac |
| SHA512 | dc358d20e5b398a20bed1f73ff1d35a9896992ddf2b80044b755be9ae9eacf006d727d636d2f5f5613c453c828a1ac07fd126778ec7d8d2293e68e6be4de2917 |
C:\Windows\IAssist\ChatbotWelcome.png
| MD5 | 111dd3382e71828ec2a96ac5679ed44b |
| SHA1 | 44eec2e255517bad36d69a0b268c039fad1d4af3 |
| SHA256 | cfcbcc0e8de1a8dfa10186e47400ac598cf5136a9f16b89a13e6155b021bbf88 |
| SHA512 | e285d3823c5daa8476c33ff7187559fe22e3f912b19e3e3716931084585f71c959eb21b3c2ced2dda916c15f90b1fecff68aa357507fa4bd1b7c3f8fdb2bb09b |
C:\Windows\IAssist\Campaign.pdb
| MD5 | 1818f9ea0069636728dcb60f9096098e |
| SHA1 | 0e841decb0f995629bf86b5a68a9c98d7c962671 |
| SHA256 | 65a96a8134f1071d1c042034ecd35949cc49b941a96c067ad310bf3ff897d122 |
| SHA512 | ce97d67a34b67edbc677b885327c85bcb33d06542b0919f8ce61129718287f7de1e2d28a5062ce9038378545be65c7055e32b5aa6067673abceea2430e0aa963 |
C:\Windows\IAssist\Campaign.exe.config
| MD5 | ef0181de18ef3951806c0ad63b897ba4 |
| SHA1 | 4b6a4b0f7fbbbd1dceab385e7fac74a35fc132cb |
| SHA256 | e8decc96235b5494880083eb79c22c84c6d9ef312828baf9490bee7782c350ec |
| SHA512 | b1816817e8deaa7b22bc51966e9debed46b254be6463f2ac0204be348baefb751c5d846a5353d43cce66a005a73f6226462b8ec8b59d4e16a54130c327c68b79 |
C:\Windows\IAssist\Campaign.exe
| MD5 | 50ded9235a03b899c17c5d69287ceb91 |
| SHA1 | dbe0356e44b8b842d4a38fc02e37e0816b7ef448 |
| SHA256 | d9445e06f8d3a1364bf710c4060f1efdecb9d3371dc6cedc4a3ed33e7ab7eb44 |
| SHA512 | dd5f2f29560f5f1de6051eee5dc0d0f0be74e31445dfb97dd1d36f2c692ff89969c79188d4329a53f25ede0bc31d3d912fa787ab94f12aa8ffb06f54cec5a6a2 |
C:\Windows\IAssist\banner.jpg
| MD5 | a05f57db2637ab9d369b514f095d8bb7 |
| SHA1 | a6da636f526039d9a25faa39fda0859af2e5cfa3 |
| SHA256 | bb83cce0d9db3bc829e680e12bdda6204b7b6af2776c7bb9d0988c7ab0a46aec |
| SHA512 | 0dfec886106836d236dd6a1b36496bd43bc1785fd7c6355723d76dbd38a5a2455e1ee59effa077bfc3cacf6a1d272d1cf724ff761d5d64e57c1aec79a2fdc81b |
C:\Windows\IAssist\AnakageTest.ankscpt
| MD5 | 9ae1589235924ca09ca772c85d5b09d5 |
| SHA1 | 349b79111169fe4599ff6206cb702d9889a13f53 |
| SHA256 | 56a2ff0cbc50211c27e8e1dbc6dac1ea959987dc21bbd3ca5cfdadcb0534181a |
| SHA512 | f07e406cc2ca62e966c2a3284f4a870f5e429c45ca16cdd4d74e3f853756409fd0ff4ec5da18511e10fe60344f3ddc5fce4c264737820290000874c10db5bace |
C:\Windows\IAssist\AnakageProactivePackager.exe
| MD5 | 8e6fec9071a1084873bcce13fe064a42 |
| SHA1 | efee18f56d892723d75427ad290fbeeabb7b1888 |
| SHA256 | 01da7957ee307cb02732acf294d3bd3560a51a0d1d0afeee6cd4e5c0cf455cf8 |
| SHA512 | 4fd6fd9706db498d2467e43f38341187442f174d5b9b4e152a721e4f6ba1f010678a1bca2e770875dc44f5c5cdc9f6a1ceab99ae14d8c02f07ca27f638aa355c |
C:\Windows\IAssist\AnakageProactive.exe
| MD5 | 92256b73a07831c012896ef89a836656 |
| SHA1 | 69ff4ce667c9a0d12f9467d4bf6c521ae81ccf9e |
| SHA256 | 5019a5e128a7a65c86df69b819235b636dcc73a47d730a1bb4c183cad8c4a550 |
| SHA512 | ff277549220b75176070d5b29fb2abf4b08fc8b356c98544ec7c3526f736a6c8d99111ed94df45e6428d8436750581b5e1df5c3a604438c6de4c36bcede04180 |
memory/2356-291-0x0000000000EB0000-0x0000000000EBA000-memory.dmp
C:\Config.Msi\f775228.rbs
| MD5 | 093b06c98ef3d3e6ce254e50a880e748 |
| SHA1 | 59ebcd81c4de58fd7aed21cffc42ab7411429bac |
| SHA256 | 27b5e65faf8137505da008bbac9cf839e80a1201070fbf23e9bf581f3b769d42 |
| SHA512 | 77a0590a9c1f24a3f8bd56c5a2785849fd4d24fc802a8aaac0ad96a38f018707a80d7b2896a5789ae52f4e16bec4ee89e08a0d24f8c26f9df4b3e22bb489a9eb |
C:\Windows\Installer\f775226.msi
| MD5 | 1d0e56b37600e01a44929ad918d21d74 |
| SHA1 | 1bdf869933ed3e7f1196f2a2fd8a021adc2e86c5 |
| SHA256 | b512f37f19537645ded040070d6be27aa8539d8e007bb71527cef4b1c8f20f32 |
| SHA512 | 1199055ba8de84a1f94ab55f0504eb7570e88837897e2e3219fd20ee83c7f3b73f031201787e7bdac5075a10b6313858fd95094035ae8dd946eb4f788ed287c1 |
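The dropped-file records above follow one layout: a path line followed by `| ALGO | hex |` rows, with an entry that carries no hashes (the `memory/2356-291-...` dump) appearing as a bare path. The Python below is an added example, not part of the report or of the analysed installer, that parses that layout into a digest index, sweeps a list of observed digests against it, and performs the first check an analyst makes on such a listing: the copy Windows Installer cached as `C:\Windows\Installer\f775226.msi` has the same SHA256 as the submitted sample in the analysis overview, so the cached file is the sample itself and not a second-stage package. The sample records are copied from the listing above; the observed digests fed to the matcher are constructed for the demonstration.

```python
"""Parse the dropped-file hash records of a sandbox report and match them
against observed digests.  Added example; not part of the report."""
import re
from dataclasses import dataclass, field

# Constructed input: records copied from the listing above. The memory-dump
# entry has no hash rows, which the parser must tolerate.
SAMPLE_RECORDS = r"""
C:\Windows\IAssist\custom_scripts\663\deletechromebrowsinghistory.bat
| MD5 | d636cfecf3dffd81ec0aa21f082bb979 |
| SHA1 | 3efc9f524520202c6636a167cd1aa2a4dee45f65 |
| SHA256 | 63b7384e2cdbbd0be6d51adb6cd35d1dbc4635220820fd08820ade3ccdb07b98 |
C:\Windows\IAssist\Campaign.exe
| MD5 | 50ded9235a03b899c17c5d69287ceb91 |
| SHA1 | dbe0356e44b8b842d4a38fc02e37e0816b7ef448 |
| SHA256 | d9445e06f8d3a1364bf710c4060f1efdecb9d3371dc6cedc4a3ed33e7ab7eb44 |
memory/2356-291-0x0000000000EB0000-0x0000000000EBA000-memory.dmp
C:\Windows\Installer\f775226.msi
| MD5 | 1d0e56b37600e01a44929ad918d21d74 |
| SHA1 | 1bdf869933ed3e7f1196f2a2fd8a021adc2e86c5 |
| SHA256 | b512f37f19537645ded040070d6be27aa8539d8e007bb71527cef4b1c8f20f32 |
"""

# SHA256 of the submitted installer, as given in the analysis overview.
SUBMITTED_SHA256 = "b512f37f19537645ded040070d6be27aa8539d8e007bb71527cef4b1c8f20f32"

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex


def parse_dropped_files(text):
    """Turn 'path line + hash rows' records into DroppedFile objects.

    A hash row with no preceding path, an unparseable row, or a digest whose
    length does not fit its algorithm raises, so a mangled report fails loudly."""
    files, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):
            m = ROW_RE.match(line)
            if m is None:
                raise ValueError(f"unparseable hash row: {line}")
            if current is None:
                raise ValueError(f"hash row before any path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
        else:
            current = DroppedFile(path=line)
            files.append(current)
    return files


def build_index(files):
    """Map every known digest, whatever the algorithm, to the paths carrying it."""
    index = {}
    for f in files:
        for digest in f.hashes.values():
            index.setdefault(digest, []).append(f.path)
    return index


def match_observed(index, observed):
    """Return {digest: [report paths]} for the observed digests that hit.
    In practice 'observed' comes from a host sweep; here it is constructed."""
    hits = {}
    for digest in observed:
        d = digest.strip().lower()
        if d in index:
            hits[d] = index[d]
    return hits


def files_under(files, prefix):
    """Paths from the listing below a directory, compared case-insensitively
    because the report mixes the IAssist and iassist spellings."""
    p = prefix.lower().rstrip("\\") + "\\"
    return [f.path for f in files if f.path.lower().startswith(p)]


def cached_msi_matches_sample(files):
    """True when the copy cached under the Windows Installer directory has the
    same SHA256 as the submitted installer."""
    cache = "c:\\windows\\installer\\"
    return any(f.hashes.get("SHA256") == SUBMITTED_SHA256
               for f in files if f.path.lower().startswith(cache))


if __name__ == "__main__":
    dropped = parse_dropped_files(SAMPLE_RECORDS)
    idx = build_index(dropped)
    print("records:", len(dropped), "digests indexed:", len(idx))
    print("custom scripts:", files_under(dropped, "C:\\Windows\\IAssist\\custom_scripts"))
    print("cached MSI == submitted sample:", cached_msi_matches_sample(dropped))
    print("hits:", match_observed(idx, ["D636CFECF3DFFD81EC0AA21F082BB979", "00" * 16]))
```

The index keys on the digest alone, so a host inventory that only has MD5 or only SHA256 for a file still matches; the strict length check is what stops a truncated or wrapped hash from silently matching nothing.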
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 07:18
Reported
2024-06-14 07:23
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Stops running service(s)
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_02ABC302708F8D56C0169B.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\iassist\HealITApp.ico | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\IAssistHelper.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\16055\citrix.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Telerik.Windows.Controls.DLL | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIED30.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\iassist\IAssistApp.png | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\MHN64.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\18003\IssuesWithOpeningHyperlinkInOutlook.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\IAssist\proactiveDatabase.db | C:\Windows\IAssist\AnakageProactive.exe | N/A |
| File opened for modification | C:\Windows\IAssist\logs\iAssistHelper_06142024.log | C:\Windows\IAssist\IAssistHelper.exe | N/A |
| File opened for modification | C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_A4E76B87B556A45C6A7778.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF6C7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\iassist\System.Runtime.InteropServices.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Telerik.Windows.Controls.Input.DLL | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts.zip | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Porter2Stemmer.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\StemmersNet.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\IAssist\System.Net.Http.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\IAssist\HealITApp.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\iassist\Campaign.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\ChatbotWelcome.png | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\log4net.xml | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Microsoft.Web.WebView2.Core.xml | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\IAssist\MaterialDesignThemes.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\IAssist\System.Net.Http.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\iassist\Solutions\18000\GitInstallation.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\682\delCredential.bat | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\Installer\e57ea71.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\iassist\MaterialDesignThemes.Wpf.pdb | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Microsoft.Web.WebView2.WinForms.xml | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\runtimes\win-arm64\native\WebView2Loader.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\16008\7zipInstall.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\System.Net.Http.Primitives.xml | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\26\disablesystemrestart.bat | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\662\clearfirefoxcookiescachehistory.bat | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\iassist\MaterialDesignThemes.Wpf.dll | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\IAssist\logs\iAssistHelper_06142024.log | C:\Windows\IAssist\IAssistHelper.exe | N/A |
| File opened for modification | C:\Windows\iassist\HealITApp.exe | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\IAssist\logs\iAssistHelper_06142024.log | C:\Windows\IAssist\IAssistHelper.exe | N/A |
| File created | C:\Windows\iassist\runtimes\win-x86\native\WebView2Loader.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\16024\showprofile.bmp | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\2\enablepopupinie.bat | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\IAssist\log4net.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\iassist\IAssistHelperN.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Telerik.Windows.Data.DLL | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\iassist\x86\SQLite.Interop.dll | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\IAssist\iAssistStatus.ll | C:\Windows\IAssist\IAssistHelper.exe | N/A |
| File created | C:\Windows\IAssist\IAssistApp.png | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\iassist\iAssist32.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\16051\AddSignatureToOutlook.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_02ABC302708F8D56C0169B.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\iassist\Microsoft.Web.WebView2.Wpf.xml | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\iAssist64.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\16023\outlookNotConnected.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\Solutions\16024\teamsStatus.ankscpt | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\iassist\System.Net.Http.Extensions.dll | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\iassist\custom_scripts\901\901.ps1 | C:\Windows\IAssist\runner.exe | N/A |
| File opened for modification | C:\Windows\IAssist\signature.log | C:\Windows\IAssist\HealITService.exe | N/A |
| File created | C:\Windows\IAssist\System.Runtime.InteropServices.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\iassist\HealITApp.exe.config | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\IAssist\iAssistStatus.ll | C:\Windows\IAssist\IAssistHelper.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IAssist\runner.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\runner.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\HealITService.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\AnakageProactive.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\IAssistHelper.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\IAssistHelper.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\IAssistHelper.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\AnakageProactive.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\AnakageProactive.exe | N/A |
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
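The signature tables on this page share one four-column layout, but the Indicator cell can itself contain `|` (the `Installer\Assemblies` keys under "Modifies registry class" below spell paths as `C:|Windows|IAssist|...`), so a naive split on the pipe breaks those rows. The Python below is an added example, not part of the report, that parses the heading-plus-table layout with that case handled and then separates what an analyst should weigh: msiexec.exe enumerating drive letters and copying files, and vssvc.exe touching the Partmgr device-parameter keys, are ordinary side effects of an MSI install and a shadow-copy request, whereas attrib.exe, icacls.exe, sc.exe, schtasks.exe and taskkill.exe launched from SysWOW64 during the install, and executables run out of C:\Windows\IAssist, are the rows worth tracing back to their parent. The sample rows are copied from this page's tables; the watch lists are this example's own choice, not categories the report defines.

```python
"""Parse sandbox signature tables and separate installer side effects from
the activity worth tracing.  Added example; not part of the report."""
from collections import Counter

# Constructed input: headings and rows copied from the tables on this page.
# The final row has an Indicator cell that itself contains '|' characters.
SAMPLE_SIGNATURES = r"""
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\iassist\IAssistHelper.exe | C:\Windows\IAssist\runner.exe | N/A |
| File created | C:\Windows\Installer\e57ea71.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\IAssist\signature.log | C:\Windows\IAssist\HealITService.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IAssist\runner.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\runner.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\HealITService.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Extensions.dll | C:\Windows\system32\msiexec.exe | N/A |
"""

COLUMNS = ("Description", "Indicator", "Process", "Target")

# Built-in utilities an installer rarely needs (this example's own watch list).
WATCHED_UTILITIES = {"attrib.exe", "icacls.exe", "sc.exe", "schtasks.exe",
                     "taskkill.exe", "powershell.exe", "cscript.exe", "net.exe"}
# Processes whose rows are expected side effects of an MSI install and of a
# shadow-copy request, and so carry little weight on their own.
ROUTINE_PROCESSES = {"msiexec.exe", "vssvc.exe"}


def parse_row(line):
    """Split one '| a | b | c | d |' row. Only the Indicator cell may contain
    '|', so everything between the first cell and the last two is rejoined."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 4:
        raise ValueError(f"row has fewer than four cells: {line}")
    return {"Description": cells[0],
            "Indicator": "|".join(cells[1:-2]).strip(),
            "Process": cells[-2],
            "Target": cells[-1]}


def parse_signatures(text):
    """Return {signature heading: [row dict, ...]} in document order."""
    sigs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("|"):
            current = line
            sigs.setdefault(current, [])
            continue
        row = parse_row(line)
        if tuple(row[c] for c in COLUMNS) == COLUMNS:
            continue  # the header row repeated under every heading
        if current is None:
            raise ValueError(f"table row before any heading: {line}")
        sigs[current].append(row)
    return sigs


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def utility_counts(sigs):
    """How often each watched utility appears as the acting process."""
    counts = Counter()
    for rows in sigs.values():
        for row in rows:
            name = basename(row["Process"])
            if name in WATCHED_UTILITIES:
                counts[name] += 1
    return counts


def dropped_executables(sigs):
    """Distinct binaries the sandbox saw run from the dropped payload."""
    return {row["Process"] for row in sigs.get("Executes dropped EXE", [])}


def non_installer_writes(sigs):
    """Files created under the Windows directory by something other than the
    installer service: the payload laying down its own components."""
    return [(row["Process"], row["Indicator"])
            for row in sigs.get("Drops file in Windows directory", [])
            if row["Description"] == "File created"
            and basename(row["Process"]) not in ROUTINE_PROCESSES]


def routine_only(sigs, heading):
    """True when a heading has rows and every one comes from a routine process."""
    rows = sigs.get(heading, [])
    return bool(rows) and all(basename(r["Process"]) in ROUTINE_PROCESSES for r in rows)


if __name__ == "__main__":
    sigs = parse_signatures(SAMPLE_SIGNATURES)
    print("watched utilities:", dict(utility_counts(sigs)))
    print("dropped executables run:", sorted(dropped_executables(sigs)))
    print("payload writes into the Windows directory:", non_installer_writes(sigs))
    for h in ("Enumerates connected drives", "Checks SCSI registry key(s)", "Kills process with taskkill"):
        print(f"{h}: routine only = {routine_only(sigs, h)}")
```

Headings with no rows (the report lists "Stops running service(s)" and "Reads user/profile data of web browsers" without a table) come back as empty lists rather than being dropped, so a summary can still say the signature fired even though the report gives no indicator for it.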
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\IAssist\runner.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\IAssist\runner.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Extensions.dll | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.dll | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Data.SQLite.dll | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|log4net.dll | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Data.SQLite.dll\System.Data.SQLite,Version="1.0.113.0",Culture="neutral",PublicKeyToken="DB937BC2D44FF139",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e0076007e00240024002d0057004800340050006c007e006a006c00430072003d00300058007d00740000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\PackageName = "iAssistInstaller.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignColors.dll | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITService.exe | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Primitives.dll\System.Net.Primitives,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e002b002500620060004d002d005b0046004100660038002e0025007e005e0035006f0035003000600000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\05B419C9DAA35234196526056BB4144A | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.WebRequest.dll\System.Net.Http.WebRequest,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e003d0052006c003f0041002e00390053007a0026002b00430073007300720059004400400021002a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Primitives.dll\System.Net.Http.Primitives,Version="4.2.29.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00760032002c006100260041006c005d004c0045005800270048004b003500580027002d005a004b0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Version = "16777216" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|log4net.dll\log4net,Version="2.0.8.0",Culture="neutral",PublicKeyToken="669E0DDF0BB1AA2A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e002b00480029007d005f002b0075004e00510069004b005a0073006e00500037007e00770031004c0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.dll | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignThemes.Wpf.dll\MaterialDesignThemes.Wpf,Version="2.3.1.953",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e004f00650063003f003100250071007e0044005300620064002700260078006800580070002800550000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\ProductName = "Heal-IT" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITApp.exe | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.dll\System.Net.Http,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00270035007900510032002a007b0075005b0070002e005800400064004a004c007b0039003800300000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignColors.dll\MaterialDesignColors,Version="1.2.6.1513",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00450035005a00640051007500260078005a004a006b007e003f00560043004b00460025007700370000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.WebRequest.dll | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|MaterialDesignThemes.Wpf.dll | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\ProductIcon = "C:\\Windows\\Installer\\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\\_6FEFF9B68218417F98F549.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.InteropServices.dll | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0AB52F2AEA687534CA2F2A3890F8FB17 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\PackageCode = "69E5F2D9D6074DD4F8444A206B511434" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.dll\System.Runtime,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00690049005f00670043007b004a004a0074005f00750052006e00370040007a00730034007600700000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Runtime.InteropServices.dll\System.Runtime.InteropServices,Version="4.0.0.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e0053004f004f00670062002b004f004e007300370028004e006500610031004f00610058003800680000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0AB52F2AEA687534CA2F2A3890F8FB17\DefaultFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Extensions.dll\System.Net.Http.Extensions,Version="2.2.29.0",Culture="neutral",PublicKeyToken="B03F5F7F11D50A3A",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e003f006a00560058004c003f007e007b006c006c00340068006f004000330060007e0067006c00700000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITService.exe\HealITService,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e00700028005400410036003200770070002700660073005f004400720047006500240067003200710000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|System.Net.Http.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Windows|IAssist|HealITApp.exe\HealITApp,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 65005500540047005d004d00250065005f0039004300790031004200520047005700500057004c003e0054003d0045007a00600041007600260021007600250039006e0044005300410025005e003100260000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\05B419C9DAA35234196526056BB4144A\0AB52F2AEA687534CA2F2A3890F8FB17 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AB52F2AEA687534CA2F2A3890F8FB17\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IAssist\AnakageProactive.exe | N/A |
| N/A | N/A | C:\Windows\IAssist\AnakageProactive.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\iAssistInstaller.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 00FE852D6741C14C0AF6BB93EFDD10A6 C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7DEE8A9BC591A205F5054123A3BE1E47
C:\Windows\IAssist\runner.exe
"C:\Windows\IAssist\runner.exe" 9
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM Campaign.exe /T
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM HealITApp.exe /T
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM iAssist32.exe /T
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM iAssist64.exe /T
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM Campaign.exe /T
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM IAssistHelper.exe /T
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM HealITApp.exe /T
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM IAssistHelper64.exe /T
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM AnakageProactive.exe /T
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM iAssist32.exe /T
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\atemp.bat"
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM iAssist64.exe /T
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM IAssistHelper64.exe /T
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM AnakageProactive.exe /T
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM IAssistHelper.exe /T
C:\Windows\SysWOW64\net.exe
net stop HealITService
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop HealITService
C:\Windows\SysWOW64\sc.exe
sc delete HealITService
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM HealITService.exe /T
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM Heal-IT.exe /T
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Schtasks /delete /TN AnkActionManager /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Schtasks /delete /TN AnkAnalyticsManager /f
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F9DFFB1260F3448765056BB548F7B5AC E Global\MSI0000
C:\Windows\SysWOW64\schtasks.exe
Schtasks /delete /TN AnkActionManager /f
C:\Windows\SysWOW64\schtasks.exe
Schtasks /delete /TN AnkAnalyticsManager /f
C:\Windows\IAssist\runner.exe
"C:\Windows\IAssist\runner.exe" 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:21:25 ExtractBinResource = C:\Users\Admin\AppData\Local\Temp\\ >> %TEMP%\AnakageInstaller.log
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\atemp.bat"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\IAssist" /grant Users:(OI)(CI)F
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\IAssist"
C:\Windows\SysWOW64\net.exe
net start HealITService
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start HealITService
C:\Windows\IAssist\HealITService.exe
"C:\Windows\IAssist\HealITService.exe"
C:\Windows\SysWOW64\sc.exe
SC failure "HealITService" reset= 0 actions= restart/0/restart/0/restart/0
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\IAssist\HealITService.exe" /inheritance:d
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\IAssist\HealITService.exe" /remove:g Users
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\IAssist\HealITService.exe" /grant Users:RX
C:\Windows\SysWOW64\schtasks.exe
Schtasks /delete /TN AnkActionManager /f
C:\Windows\SysWOW64\schtasks.exe
Schtasks /delete /TN AnkAnalyticsManager /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /F /TN AnkAnalyticsManager /XML atemp1.xml
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /F /TN AnkActionManager /XML atemp.xml
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /F /TN AnkRebootManager /XML atemp2.xml
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:21:25 ExtractBinResource = C:\Users\Admin\AppData\Local\Temp\\ >> %TEMP%\AnakageInstaller.log
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp1.vbs
C:\Windows\SysWOW64\cscript.exe
cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp1.vbs
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp2.vbs https://aiops.anakage.com/api/license/?userName=&hostName=Bvrkipts&macAddress&facility=fpt
C:\Windows\SysWOW64\cscript.exe
cscript //NOLOGO C:\Users\Admin\AppData\Local\Temp\\atemp2.vbs https://aiops.anakage.com/api/license/?userName=
C:\Windows\SysWOW64\HOSTNAME.EXE
hostName =Bvrkipts
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:21:25 server license = >> %TEMP%\AnakageInstaller.log
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo 14:06:2024.07:21:25 Failed to send license >> %TEMP%\AnakageInstaller.log
C:\Windows\IAssist\AnakageProactive.exe
C:\Windows\IAssist\AnakageProactive.exe action
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c net user Admin /DOMAIN | find "Password last set"
C:\Windows\SysWOW64\net.exe
net user Admin /DOMAIN
C:\Windows\SysWOW64\find.exe
find "Password last set"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /DOMAIN
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell -ExecutionPolicy ByPass -File C:\Users\Admin\AppData\Local\Temp\Anakage\config\ank.ps1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy ByPass -File C:\Users\Admin\AppData\Local\Temp\Anakage\config\ank.ps1
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe computersystem get model
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe computersystem get model
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe computersystem get manufacturer
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe computersystem get manufacturer
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c wmic os get Caption
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic os get Caption
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c wmic os get Version
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic os get Version
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c wmic diskdrive get status
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic diskdrive get status
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command "Get-TimeZone"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command "Get-TimeZone"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c net user Admin| find /I "password last set"
C:\Windows\SysWOW64\net.exe
net user Admin
C:\Windows\SysWOW64\find.exe
find /I "password last set"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command "Get-WmiObject Win32_USBController"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command "Get-WmiObject Win32_USBController"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\IAssist\IAssistHelper.exe
"IAssistHelper" 136
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1
C:\Windows\IAssist\IAssistHelper.exe
"IAssistHelper" 136
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe qfe get Hotfixid,InstalledOn
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe qfe get Hotfixid,InstalledOn
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass "Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 3 HotFixID | Format-Table -AutoSize"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass "Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 3 HotFixID | Format-Table -AutoSize"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass "(Get-Service -Name wuauserv).StartType"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass "(Get-Service -Name wuauserv).StartType"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c wmic path Win32_Battery get DeviceID
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path Win32_Battery get DeviceID
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\IAssist\IAssistHelper.exe
"IAssistHelper" 136
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy ByPass -File C:\windows\iassist\logs\Ank.ps1
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command "(Get-CimInstance Win32_ReliabilityStabilityMetrics | Measure-Object -Average -Maximum -Minimum -Property SystemStabilityIndex).Average"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command "(Get-CimInstance Win32_ReliabilityStabilityMetrics | Measure-Object -Average -Maximum -Minimum -Property SystemStabilityIndex).Average"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command " (Get-WinEvent -LogName "Application" | Where-Object { $_.Id -eq 1000 -and $_.TimeCreated -ge (Get-Date).AddMonths(-1) }) | Measure-Object | Select-Object -ExpandProperty Count"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command " (Get-WinEvent -LogName "Application" | Where-Object { $_.Id -eq 1000 -and $_.TimeCreated -ge (Get-Date).AddMonths(-1) }) | Measure-Object | Select-Object -ExpandProperty Count"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command "Get-WinEvent -LogName System | Where-Object { $_.Id -eq 1001 } | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1 |Select-object TimeCreated ,Message
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command "Get-WinEvent -LogName System | Where-Object { $_.Id -eq 1001 } | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1 |Select-object TimeCreated ,Message
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command "Get-WinEvent -LogName System | Where-Object { $_.Id -eq 6005 -or $_.Id -eq 6006 } | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1 | select-object TimeCreated
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command "Get-WinEvent -LogName System | Where-Object { $_.Id -eq 6005 -or $_.Id -eq 6006 } | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1 | select-object TimeCreated
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %systemroot%\sysnative\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "Get-CimInstance Win32_WinSat"
C:\Windows\system32\windowspowershell\v1.0\powershell.exe
C:\Windows\sysnative\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "Get-CimInstance Win32_WinSat"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c powershell -ExecutionPolicy ByPass -File C:\Users\Admin\AppData\Local\Temp\Anakage\config\ank.ps1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy ByPass -File C:\Users\Admin\AppData\Local\Temp\Anakage\config\ank.ps1
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\System32\cmd.exe /c %SystemRoot%\System32\wbem\WMIC.exe bios get serialnumber
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe bios get serialnumber
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MSIAC7C.tmp
\??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ba0b025c-2174-4398-81cd-47867113b28e}_OnDiskSnapshotProp
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
C:\Windows\IAssist\runner.exe
C:\Windows\Installer\{A2F25BA0-86AE-4357-ACF2-A283098FBF71}\_02ABC302708F8D56C0169B.exe
C:\Users\Admin\AppData\Local\Temp\atemp.bat
C:\Windows\Installer\MSIF6C7.tmp
C:\Users\Admin\AppData\Local\Temp\CFGED00.tmp
C:\Windows\IAssist\HealITService.exe
C:\Windows\iassist\AnakageFiles.zip
C:\Windows\iassist\HealITApp.exe
C:\Windows\iassist\HealITApp.ico
C:\Windows\iassist\HealITApp.exe.config
C:\Windows\iassist\IAssistApp.png
C:\Windows\iassist\log4net.dll
C:\Windows\iassist\MaterialDesignColors.dll
C:\Windows\iassist\MaterialDesignThemes.Wpf.dll
C:\Windows\iassist\System.Data.SQLite.dll
C:\Windows\iassist\System.Runtime.InteropServices.dll
C:\Windows\iassist\System.Runtime.dll
C:\Windows\iassist\System.Net.Primitives.dll
C:\Windows\iassist\System.Net.Http.Primitives.dll
C:\Windows\iassist\System.Net.Http.Extensions.dll
C:\Windows\iassist\System.Net.Http.dll
C:\Windows\iassist\x64\SQLite.Interop.dll
C:\Windows\iassist\x86\SQLite.Interop.dll
C:\Users\Admin\AppData\Local\Temp\atemp.bat
C:\Windows\IAssist\custom_scripts\990\GPUpdateRemediation.ps1
C:\Windows\IAssist\custom_scripts\902\902.ps1
C:\Windows\IAssist\custom_scripts\901\901.ps1
C:\Windows\IAssist\custom_scripts\682\delCredential.bat
C:\Windows\IAssist\custom_scripts\678\iecookiesandtrustedsites.bat
C:\Windows\IAssist\custom_scripts\674\mappednetworkdrive.bat
C:\Windows\IAssist\custom_scripts\663\deletechromebrowsinghistory.bat
C:\Windows\IAssist\custom_scripts\662\clearfirefoxcookiescachehistory.bat
C:\Windows\IAssist\custom_scripts\657\maintainproxy.bat
C:\Windows\IAssist\custom_scripts\26\disablesystemrestart.bat
C:\Windows\IAssist\custom_scripts\21\fix.vbs
C:\Windows\IAssist\custom_scripts\2\enablepopupinie.bat
C:\Windows\IAssist\custom_scripts\2\enablepopupinchrome.bat
C:\Windows\IAssist\cpprest_2_10.dll
C:\Windows\IAssist\ChatbotWelcome.png
C:\Windows\IAssist\Campaign.pdb
C:\Windows\IAssist\Campaign.exe.config
C:\Windows\IAssist\Campaign.exe
C:\Windows\IAssist\banner.jpg
C:\Windows\IAssist\AnakageTest.ankscpt
C:\Windows\IAssist\AnakageProactivePackager.exe
C:\Windows\IAssist\AnakageProactive.exe
C:\Windows\IAssist\Anakage.ankscpt
C:\Config.Msi\e57ea70.rbs
C:\Windows\Installer\e57ea6f.msi
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fslsm3tp.ibr.ps1