ddf3de44e56c08157de5bc3a34838fe38de85eea92f2b058b4031b58afc1cdfa

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ESETEndpointSecurity11.1.2052.0x64.exe
Size

50.0MB
MD5

482f59f6c048adfcd193425fbd789db3
SHA1

aa6f5c97d9c6188720f300993595c583c7e4457b
SHA256

ddf3de44e56c08157de5bc3a34838fe38de85eea92f2b058b4031b58afc1cdfa
SHA512

6f181e616b5c720147ae080afb55d41ba1db35083c6ed76207af1e069edde39eefe4f4ae30a7bd8703fd56c48b6df8d2fd068c1c7304ce72041fac0ea6d54f97
SSDEEP

1572864:uHJu7pkya3/lX0IyPJMHPI03ZnSRrjCBM0gupSD:OJu+n3/lX0NevJEGBMLupa

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETC4F.tmp	ekrn.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETCFD.tmp	ekrn.exe
File opened for modification	C:\Windows\system32\DRIVERS\ehdrv.sys	ekrn.exe
File created	C:\Windows\system32\DRIVERS\SET106B.tmp	ekrn.exe
File created	C:\Windows\system32\DRIVERS\SETC4F.tmp	ekrn.exe
File opened for modification	C:\Windows\system32\DRIVERS\eelam.sys	ekrn.exe
File created	C:\Windows\system32\DRIVERS\SET100C.tmp	ekrn.exe
File created	C:\Windows\system32\DRIVERS\SETCFD.tmp	ekrn.exe
File created	C:\Windows\system32\DRIVERS\SETF7F.tmp	ekrn.exe
File opened for modification	C:\Windows\system32\DRIVERS\epfwwfp.sys	ekrn.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET100C.tmp	ekrn.exe
File opened for modification	C:\Windows\system32\DRIVERS\epfw.sys	ekrn.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF7F.tmp	ekrn.exe
File opened for modification	C:\Windows\system32\DRIVERS\eamonm.sys	ekrn.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET106B.tmp	ekrn.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\MitigationOptions = "16777216"	MsiExec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ESETEndpointSecurity11.1.2052.0x64.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
3568	acstest.exe
3088	InstHelper.exe
4744	ekrn.exe
2668	efwd.exe
4084	InstHelper.exe
1964	InstHelper.exe
4260	eguiproxy.exe
5136	egui.exe

Loads dropped DLL 64 IoCs

pid	Process
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1140	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
3088	InstHelper.exe
3088	InstHelper.exe
4744	ekrn.exe
4744	ekrn.exe
4744	ekrn.exe
4744	ekrn.exe
4744	ekrn.exe
4744	ekrn.exe
4744	ekrn.exe
4744	ekrn.exe
4744	ekrn.exe
4744	ekrn.exe
4744	ekrn.exe
4744	ekrn.exe
4744	ekrn.exe
4744	ekrn.exe

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\Shellex\ContextMenuHandlers	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ESET Security Shell	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ESET Security Shell\ = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\egui = "\"C:\\Program Files\\ESET\\ESET Security\\ecmds.exe\" /run /hide /proxy"	msiexec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
33	244	msiexec.exe
34	244	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\ESET\NOD	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ccc7a49e-c125-f54f-8d95-8b88a240ca61}\SETFBC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\epfw.inf_amd64_a4162e4cbc857b5b\epfw.cat	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\ESET\ESET Security\registryFileStorage_userA.cfg	InstHelper.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ff5afd2-1edc-0240-98b6-599d685d7b3c}\SETB28.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b3de3575-366b-5d4f-b1f5-bee081f2ac10}\SETC8F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d739eba9-da25-2448-8d48-6de9d12e490a}\SETE72.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d739eba9-da25-2448-8d48-6de9d12e490a}\SETE72.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\epfwwfp.inf_amd64_b3a8f5bf1a5acec7\epfwwfp.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b3de3575-366b-5d4f-b1f5-bee081f2ac10}\ehdrv.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d739eba9-da25-2448-8d48-6de9d12e490a}\eamonm.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ccc7a49e-c125-f54f-8d95-8b88a240ca61}\SETFBB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}\SETEA2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ccc7a49e-c125-f54f-8d95-8b88a240ca61}\epfw.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\eamonm.inf_amd64_32d6ee07d1118ba0\eamonm.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d739eba9-da25-2448-8d48-6de9d12e490a}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5ff5afd2-1edc-0240-98b6-599d685d7b3c}\SETB26.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\eelam.inf_amd64_558ab54140135969\eelam.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ehdrv.inf_amd64_b4d29ed62c91464a\ehdrv.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d739eba9-da25-2448-8d48-6de9d12e490a}\SETE74.tmp	DrvInst.exe
File created	C:\Windows\system32\NOTICE_mod	eguiproxy.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}\epfwwfp.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ccc7a49e-c125-f54f-8d95-8b88a240ca61}\SETFAB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ccc7a49e-c125-f54f-8d95-8b88a240ca61}\epfw.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\epfw.inf_amd64_a4162e4cbc857b5b\epfw.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ff5afd2-1edc-0240-98b6-599d685d7b3c}\SETB27.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\eelam.inf_amd64_558ab54140135969\eelam.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b3de3575-366b-5d4f-b1f5-bee081f2ac10}\ehdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ehdrv.inf_amd64_b4d29ed62c91464a\ehdrv.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ccc7a49e-c125-f54f-8d95-8b88a240ca61}\SETFBC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\epfw.inf_amd64_a4162e4cbc857b5b\epfw.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ff5afd2-1edc-0240-98b6-599d685d7b3c}\SETB26.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ff5afd2-1edc-0240-98b6-599d685d7b3c}\eelam.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b3de3575-366b-5d4f-b1f5-bee081f2ac10}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\epfwwfp.inf_amd64_b3a8f5bf1a5acec7\epfwwfp.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ff5afd2-1edc-0240-98b6-599d685d7b3c}\eelam.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5ff5afd2-1edc-0240-98b6-599d685d7b3c}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d739eba9-da25-2448-8d48-6de9d12e490a}\eamonm.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d739eba9-da25-2448-8d48-6de9d12e490a}\SETE73.tmp	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\ESET\ESET Security\registryFileStorage_userA.cfg	ekrn.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d739eba9-da25-2448-8d48-6de9d12e490a}\eamonm.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}\SETE82.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ccc7a49e-c125-f54f-8d95-8b88a240ca61}\epfw.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5ff5afd2-1edc-0240-98b6-599d685d7b3c}\SETB27.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b3de3575-366b-5d4f-b1f5-bee081f2ac10}\SETC90.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ehdrv.inf_amd64_b4d29ed62c91464a\ehdrv.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\eelam.inf_amd64_558ab54140135969\eelam.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}\SETEA2.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b3de3575-366b-5d4f-b1f5-bee081f2ac10}\SETC7E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b3de3575-366b-5d4f-b1f5-bee081f2ac10}\SETC8F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{ccc7a49e-c125-f54f-8d95-8b88a240ca61}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5ff5afd2-1edc-0240-98b6-599d685d7b3c}\SETB28.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}\SETE82.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}\epfwwfp.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d739eba9-da25-2448-8d48-6de9d12e490a}\SETE74.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}\epfwwfp.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}\SETEB3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}\SETEB3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{ccc7a49e-c125-f54f-8d95-8b88a240ca61}\SETFAB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\eamonm.inf_amd64_32d6ee07d1118ba0\eamonm.cat	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ESET\ESET Security\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Program Files\ESET\ESET Security\Modules\tempAE16D5A9\NUP323.tmp	MsiExec.exe
File created	C:\Program Files\ESET\ESET Security\api-ms-win-core-rtlsupport-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\Drivers\eamonm\eamonm.sys	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ecmd.exe	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\VAPM\libwalocal.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\VAPM\wa_3rd_party_host_32.exe	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\api-ms-win-core-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\cfgres.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\x86\eamsi.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\Drivers\edevmon\edevmon.inf	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ekrnHips.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ekrnHipsLang.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\Help\plus_small.png	MsiExec.exe
File opened for modification	C:\Program Files\ESET\ESET Security\Modules\tempAE16D5A9\NUP141.tmp	MsiExec.exe
File opened for modification	C:\Program Files\ESET\ESET Security\Modules\tempAE16D5A9\NUP45E.tmp	MsiExec.exe
File created	C:\Program Files\ESET\ESET Security\api-ms-win-crt-time-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ProtobufLite.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\sciter-x.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\Help\print.css	MsiExec.exe
File created	C:\Program Files\ESET\ESET Security\ehttpsrv.exe	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\Drivers\eelam\eelam.inf	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\eguiProxy.exe	msiexec.exe
File opened for modification	C:\Program Files\ESET\ESET Security\Modules\tempAE16D5A9\NUP291.tmp	MsiExec.exe
File created	C:\Program Files\ESET\ESET Security\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\eamsi.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ekrnScan.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ekrnEcp.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\api-ms-win-crt-utility-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\Drivers\ekbdflt\ekbdflt.sys	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\eguiAmonLang.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\Help\example.svg	MsiExec.exe
File created	C:\Program Files\ESET\ESET Security\Help\note.svg	MsiExec.exe
File created	C:\Program Files\ESET\ESET Security\ekrnMailPluginsLang.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\Help\hmcontent.html	MsiExec.exe
File created	C:\Program Files\ESET\ESET Security\api-ms-win-core-processthreads-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\api-ms-win-crt-conio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\api-ms-win-crt-runtime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\egui.exe	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ekrn.exe	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ekrnEi.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\vcruntime140.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ekrnScanLang.dll	msiexec.exe
File opened for modification	C:\Program Files\ESET\ESET Security\Modules\tempAE16D5A9\NUP44D.tmp	MsiExec.exe
File created	C:\Program Files\ESET\ESET Security\api-ms-win-core-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\x86\edb.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\VAPM\libwautils.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ekrnOppLang.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ekrnOPP.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ekrnScriptMon.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ucrtbase.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\vcruntime140_1.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\Help\idh_wizard_activation_type.html	MsiExec.exe
File created	C:\Program Files\ESET\ESET Security\Help\layout.css	MsiExec.exe
File created	C:\Program Files\ESET\ESET Security\Drivers\epfwlwf\EpfwLwf.cat	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\eplgOE.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\shellExt.dll	msiexec.exe
File opened for modification	C:\Program Files\ESET\ESET Security\Modules\em000_64\1113\em000_64.dll	MsiExec.exe
File created	C:\Program Files\ESET\ESET Security\api-ms-win-core-synch-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\api-ms-win-core-synch-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\api-ms-win-crt-stdio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\ekrnUpdate.dll	msiexec.exe
File created	C:\Program Files\ESET\ESET Security\Help\header_logo.png	MsiExec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIEA1A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{E96886FF-EC69-4A16-AF40-540A146FE3FE}\Icon_License	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI780.tmp	msiexec.exe
File created	C:\Windows\INF\oem7.PNF	ekrn.exe
File opened for modification	C:\Windows\Installer\MSIE698.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE890.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF65D.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem6.PNF	ekrn.exe
File opened for modification	C:\Windows\Installer\MSIF260.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB61.tmp	msiexec.exe
File created	C:\Windows\Installer\{E96886FF-EC69-4A16-AF40-540A146FE3FE}\Icon_Help	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE03.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE62.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A4.tmp	msiexec.exe
File created	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIE60A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE7A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC6E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF71A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI700.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	ekrn.exe
File opened for modification	C:\Windows\inf\oem7.inf	DrvInst.exe
File created	C:\Windows\inf\oem7.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIEB93.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF60E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C7.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\ESET\ESET Security\registryFileStorage_userA.cfg	ekrn.exe
File created	C:\Windows\INF\oem5.PNF	ekrn.exe
File created	C:\Windows\Installer\e57e37a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE831.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEAA7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF6BB.tmp	msiexec.exe
File created	C:\Windows\Installer\{E96886FF-EC69-4A16-AF40-540A146FE3FE}\Icon_Product	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI1412.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{E96886FF-EC69-4A16-AF40-540A146FE3FE}\Icon_Help	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI792.tmp	msiexec.exe
File opened for modification	C:\Windows\ELAMBKUP\eelam.sys	ekrn.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF107.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{E96886FF-EC69-4A16-AF40-540A146FE3FE}\Icon_Product	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF6D.tmp	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\Installer\e57e37e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE706.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE97C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBEF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFED0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIECEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEEF2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEF32.tmp	msiexec.exe
File created	C:\Windows\Installer\{E96886FF-EC69-4A16-AF40-540A146FE3FE}\Icon_Uninstall	msiexec.exe
File opened for modification	C:\Windows\Installer\{E96886FF-EC69-4A16-AF40-540A146FE3FE}\Icon_Uninstall	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A3.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3484	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\ESET	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\ESET\Setup	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\PatchManagement = "_Base"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF68869E96CE61A4FA0445A041F63EEF\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\OpenWithProgids\ESET.SysInspector	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F43F5136-AA90-4005-9368-F91F5C120D69}\ProgID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\Shellex\ContextMenuHandlers	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\ThirdParty = "_Base"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ECC7E393-B680-4109-86BD-7779105DF1BF}	ekrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\_Distributor	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF68869E96CE61A4FA0445A041F63EEF\SourceList\Media\6 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF68869E96CE61A4FA0445A041F63EEF\SourceList\Media\5 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ESET.SysInspector\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ESET Security Shell	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\HIPS = "_Base"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\_License	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ESET Security Shell\ = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ESET Security Shell\ = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\RealtimeProtection = "Protections"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\79AA332A50D011E4585D700F695D0537	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF68869E96CE61A4FA0445A041F63EEF\SourceList\PackageName = "ees_nt64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\Rmm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF68869E96CE61A4FA0445A041F63EEF\ProductName = "ESET Endpoint Security"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ESET.OutlookAddin\CLSID\ = "{F43F5136-AA90-4005-9368-F91F5C120D69}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F43F5136-AA90-4005-9368-F91F5C120D69}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECC7E393-B680-4109-86BD-7779105DF1BF}	ekrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\_WebAccessProtection = "Protections"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\OnlinePaymentProtection = "_WebAccessProtection"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F43F5136-AA90-4005-9368-F91F5C120D69}\ProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECC7E393-B680-4109-86BD-7779105DF1BF}\ = "EsetAmsiProvider"	ekrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\VulnerabilityManagement = "_Base"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\ = "ESET Security Shell"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\Shellex\ContextMenuHandlers	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\Updater = "_Base"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\EmailClientProtection = "Protections"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drives\Shellex\ContextMenuHandlers\ESET Security Shell\ = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF68869E96CE61A4FA0445A041F63EEF\SourceList\Media\2 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drives\Shellex	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF68869E96CE61A4FA0445A041F63EEF\Version = "184616964"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECC7E393-B680-4109-86BD-7779105DF1BF}\InprocServer32\ThreadingModel = "Both"	ekrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\Licensing = "_Base"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\EnterpriseInspector	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF68869E96CE61A4FA0445A041F63EEF\ProductIcon = "C:\\Windows\\Installer\\{E96886FF-EC69-4A16-AF40-540A146FE3FE}\\Icon_Product"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF68869E96CE61A4FA0445A041F63EEF\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xml\OpenWithProgids	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F43F5136-AA90-4005-9368-F91F5C120D69}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drives	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\Firewall = "Network"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\ProtocolFiltering = "_WebAccessProtection"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ESET.OutlookAddin\CLSID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32\ = "C:\\Program Files\\ESET\\ESET Security\\shellExt.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\Demeter = "_Base"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ESET.SysInspector\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF68869E96CE61A4FA0445A041F63EEF\PackageCode = "C62CC2542C8B4604E85514F077FB12CF"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF68869E96CE61A4FA0445A041F63EEF\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ESET.SysInspector\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F43F5136-AA90-4005-9368-F91F5C120D69}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ESET Security Shell	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\Network = "Protections"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF68869E96CE61A4FA0445A041F63EEF\Antispam = "EmailClientProtection"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ESET.SysInspector\	msiexec.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1140	MsiExec.exe
1140	MsiExec.exe
5324	msedge.exe
5324	msedge.exe
1560	msedge.exe
1560	msedge.exe
5872	identity_helper.exe
5872	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5136	egui.exe

Suspicious behavior: LoadsDriver 9 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1616	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1616	msiexec.exe
Token: SeSecurityPrivilege	244	msiexec.exe
Token: SeCreateTokenPrivilege	1616	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1616	msiexec.exe
Token: SeLockMemoryPrivilege	1616	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1616	msiexec.exe
Token: SeMachineAccountPrivilege	1616	msiexec.exe
Token: SeTcbPrivilege	1616	msiexec.exe
Token: SeSecurityPrivilege	1616	msiexec.exe
Token: SeTakeOwnershipPrivilege	1616	msiexec.exe
Token: SeLoadDriverPrivilege	1616	msiexec.exe
Token: SeSystemProfilePrivilege	1616	msiexec.exe
Token: SeSystemtimePrivilege	1616	msiexec.exe
Token: SeProfSingleProcessPrivilege	1616	msiexec.exe
Token: SeIncBasePriorityPrivilege	1616	msiexec.exe
Token: SeCreatePagefilePrivilege	1616	msiexec.exe
Token: SeCreatePermanentPrivilege	1616	msiexec.exe
Token: SeBackupPrivilege	1616	msiexec.exe
Token: SeRestorePrivilege	1616	msiexec.exe
Token: SeShutdownPrivilege	1616	msiexec.exe
Token: SeDebugPrivilege	1616	msiexec.exe
Token: SeAuditPrivilege	1616	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1616	msiexec.exe
Token: SeChangeNotifyPrivilege	1616	msiexec.exe
Token: SeRemoteShutdownPrivilege	1616	msiexec.exe
Token: SeUndockPrivilege	1616	msiexec.exe
Token: SeSyncAgentPrivilege	1616	msiexec.exe
Token: SeEnableDelegationPrivilege	1616	msiexec.exe
Token: SeManageVolumePrivilege	1616	msiexec.exe
Token: SeImpersonatePrivilege	1616	msiexec.exe
Token: SeCreateGlobalPrivilege	1616	msiexec.exe
Token: SeBackupPrivilege	2156	vssvc.exe
Token: SeRestorePrivilege	2156	vssvc.exe
Token: SeAuditPrivilege	2156	vssvc.exe
Token: SeBackupPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1616	msiexec.exe
1616	msiexec.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
4260	eguiproxy.exe
1560	msedge.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
4260	eguiproxy.exe
1560	msedge.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe
4260	eguiproxy.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1616	1712	ESETEndpointSecurity11.1.2052.0x64.exe	83
PID 1712 wrote to memory of 1616	1712	ESETEndpointSecurity11.1.2052.0x64.exe	83
PID 244 wrote to memory of 1316	244	msiexec.exe	94
PID 244 wrote to memory of 1316	244	msiexec.exe	94
PID 244 wrote to memory of 1140	244	msiexec.exe	96
PID 244 wrote to memory of 1140	244	msiexec.exe	96
PID 1140 wrote to memory of 3568	1140	MsiExec.exe	97
PID 1140 wrote to memory of 3568	1140	MsiExec.exe	97
PID 244 wrote to memory of 1600	244	msiexec.exe	100
PID 244 wrote to memory of 1600	244	msiexec.exe	100
PID 1600 wrote to memory of 3484	1600	MsiExec.exe	101
PID 1600 wrote to memory of 3484	1600	MsiExec.exe	101
PID 1600 wrote to memory of 3088	1600	MsiExec.exe	104
PID 1600 wrote to memory of 3088	1600	MsiExec.exe	104
PID 3052 wrote to memory of 4000	3052	svchost.exe	108
PID 3052 wrote to memory of 4000	3052	svchost.exe	108
PID 3052 wrote to memory of 2232	3052	svchost.exe	109
PID 3052 wrote to memory of 2232	3052	svchost.exe	109
PID 3052 wrote to memory of 4756	3052	svchost.exe	111
PID 3052 wrote to memory of 4756	3052	svchost.exe	111
PID 3052 wrote to memory of 808	3052	svchost.exe	112
PID 3052 wrote to memory of 808	3052	svchost.exe	112
PID 3052 wrote to memory of 1288	3052	svchost.exe	114
PID 3052 wrote to memory of 1288	3052	svchost.exe	114
PID 1140 wrote to memory of 4084	1140	MsiExec.exe	115
PID 1140 wrote to memory of 4084	1140	MsiExec.exe	115
PID 1140 wrote to memory of 1964	1140	MsiExec.exe	117
PID 1140 wrote to memory of 1964	1140	MsiExec.exe	117
PID 4744 wrote to memory of 4260	4744	ekrn.exe	119
PID 4744 wrote to memory of 4260	4744	ekrn.exe	119
PID 1712 wrote to memory of 1560	1712	ESETEndpointSecurity11.1.2052.0x64.exe	120
PID 1712 wrote to memory of 1560	1712	ESETEndpointSecurity11.1.2052.0x64.exe	120
PID 1560 wrote to memory of 2104	1560	msedge.exe	121
PID 1560 wrote to memory of 2104	1560	msedge.exe	121
PID 4744 wrote to memory of 5136	4744	ekrn.exe	122
PID 4744 wrote to memory of 5136	4744	ekrn.exe	122
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123
PID 1560 wrote to memory of 5316	1560	msedge.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ESETEndpointSecurity11.1.2052.0x64.exe
"C:\Users\Admin\AppData\Local\Temp\ESETEndpointSecurity11.1.2052.0x64.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ees_nt64.msi" /qb CFG_POTENTIALLYUNWANTED_ENABLED=0 CFG_LIVEGRID_ENABLED=0 FIRSTSCAN_ENABLE=0 CFG_EPFW_MODE=0 ACTIVATION_DLG_SUPPRESS=0
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ftuapps.dev/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd851b46f8,0x7ffd851b4708,0x7ffd851b4718
    3⤵
    PID:2104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6000338344621249479,2276887616385219304,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:5316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6000338344621249479,2276887616385219304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6000338344621249479,2276887616385219304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
    3⤵
    PID:5352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6000338344621249479,2276887616385219304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:5436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6000338344621249479,2276887616385219304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:5448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6000338344621249479,2276887616385219304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
    3⤵
    PID:6084
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6000338344621249479,2276887616385219304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
    3⤵
    PID:4800
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6000338344621249479,2276887616385219304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6000338344621249479,2276887616385219304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
    3⤵
    PID:6040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6000338344621249479,2276887616385219304,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
    3⤵
    PID:5448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6000338344621249479,2276887616385219304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1
    3⤵
    PID:4240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6000338344621249479,2276887616385219304,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
    3⤵
    PID:2652

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Blocklisted process makes network request
- Checks for any installed AV software in registry
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1316
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 3228655F155C131EC3D90102EEF76FA3
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\{02D83BBE-4924-EC5F-8D20-45C3C52962FD}\acstest.exe
    "C:\Users\Admin\AppData\Local\Temp\{02D83BBE-4924-EC5F-8D20-45C3C52962FD}\acstest.exe"
    3⤵
    - Executes dropped EXE
    PID:3568
- - C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-DD36-E158-792C-45C3E13462FD}\InstHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-DD36-E158-792C-45C3E13462FD}\InstHelper.exe" -gv
    3⤵
    - Executes dropped EXE
    PID:4084
- - C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-DD36-E158-792C-45C3E13462FD}\InstHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-DD36-E158-792C-45C3E13462FD}\InstHelper.exe" -sd "C:\Windows\Temp\eset\bts.stats" "ESET Endpoint Security" "11.1.2052.0" "1033"
    3⤵
    - Executes dropped EXE
    PID:1964
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 62A42877BD83D10E295DF48F7E8C8883 E Global\MSI0000
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /T /IM ehttpsrv.exe
    3⤵
    - Kills process with taskkill
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-DD36-E158-792C-45C3E13462FD}\InstHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-DD36-E158-792C-45C3E13462FD}\InstHelper.exe" -ci "C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-DD36-E158-792C-45C3E13462FD}\_InstData.xml"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:3088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Program Files\ESET\ESET Security\ekrn.exe
"C:\Program Files\ESET\ESET Security\ekrn.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Program Files\ESET\ESET Security\eguiproxy.exe
  "C:\Program Files\ESET\ESET Security\eguiproxy.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4260
- C:\Program Files\ESET\ESET Security\egui.exe
  "C:\Program Files\ESET\ESET Security\egui.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\eelam\eelam.inf" "9" "4d8859be3" "000000000000014C" "Service-0x0-3e7$\Default" "000000000000015C" "208" "C:\Program Files\ESET\ESET Security\Drivers\eelam"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4000
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\ehdrv\ehdrv.inf" "9" "446a2f407" "0000000000000164" "Service-0x0-3e7$\Default" "0000000000000160" "208" "C:\Program Files\ESET\ESET Security\Drivers\ehdrv"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2232
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\eamonm\eamonm.inf" "9" "4d14d0413" "0000000000000160" "Service-0x0-3e7$\Default" "0000000000000178" "208" "C:\Program Files\ESET\ESET Security\Drivers\eamonm"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4756
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\epfwwfp\epfwwfp.inf" "9" "48fcaabe7" "000000000000014C" "Service-0x0-3e7$\Default" "0000000000000174" "208" "C:\Program Files\ESET\ESET Security\Drivers\epfwwfp"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:808
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\epfw\epfw.inf" "9" "456eea8cb" "0000000000000174" "Service-0x0-3e7$\Default" "000000000000015C" "208" "C:\Program Files\ESET\ESET Security\Drivers\epfw"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1288

C:\Program Files\ESET\ESET Security\efwd.exe
"C:\Program Files\ESET\ESET Security\efwd.exe"
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5780

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\ESET\ESET Security\SecurityProductInformation.ini
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e37d.rbs

Filesize
10.0MB

MD5
ca170cb3646e082090fe6334ef824be6

SHA1
62083f401675ec62eaeff7a1c5cf7a4ce5169f35

SHA256
ac87843e513207313ee13754e3385845b131aef43d5be4866a8f87861acb963c

SHA512
15e475e3e06fad535f7da8254cb49be536760ebfc5725875022971ac422b857deb20a1e95e9ad1a1c127e3848751161953082c46e8cefd4d2f6768ff0f4fc992

Download Submit
C:\Program Files\ESET\ESET Security\Help\help.cab

Filesize
251KB

MD5
e9bc3d66fdae9f163923739a970c059e

SHA1
890fa99b0e1e2bb0e7681c0b585c343d2ef4206a

SHA256
376dfef7d9415000d1269c45cabd79cceb96ce84f737a488dfff226ffc57c59a

SHA512
612a6c004f13a892e01f773f7728aca0e81aef60cdb4da3d1a9fb09dd0285825e293b4065de1c76e3440aa0801353878da1c4bb14be9acc101e4e3a0e3638a92

Download Submit
C:\Program Files\ESET\ESET Security\Modules\em000_64\1113\em000_64.dll

Filesize
220KB

MD5
10013ab30e9b33af6171a094ebed27cc

SHA1
8a79cf3ff977d97ecdbb9f65127c61b5b513a882

SHA256
bb35315ad2a04a38565b2adbb12bcdcaf3afd22f5cdb2c29dbfa0e7b2593a5f9

SHA512
e45c8c8c0bfdc8112fd8d45543fa834eb8e0a4c396f3554ab2f4e084905ca8fbd4ae49e0bc6ee94808d482f07e864a4e70853641fac6eda5bbc8db07c15a9867

Download Submit
C:\Program Files\ESET\ESET Security\Modules\em000k_64\1024\em000k_64.dll

Filesize
54KB

MD5
32b123a74a0cd763ec9d88dbdf49e947

SHA1
5bc7d5c9729b70c7aa5362aad57facad8e3d793a

SHA256
1cb999282603d370a8a907d29f98c7300eadce3139817334f2a1ea7eac55200c

SHA512
0f125f0628bc0d7487a8a8f778f8ead63d43736e7333feee75598cb0756e01755fb7a0c78970470cc3225af748bfeece6b15ed8189f3f435bfb51de74010d309

Download Submit
C:\Program Files\ESET\ESET Security\Modules\em006_64\1249\em006_64.dll

Filesize
266KB

MD5
c391598c2dca1f460bb37476e2fdce17

SHA1
5b0a1ae5e2ba8895f5dcadd541dd0039036c392d

SHA256
b945fba86de2306943f93fa65e9c887604cc4a944535fe29c6ee740148837205

SHA512
16e7ff5d2193756e5d53b82098c741291aba2969d20b63e2f76af07c0df120444be5619c97c64438d94c382ea1d044f80bc9357fd743ee69a5d53934ff1455ad

Download Submit
C:\Program Files\ESET\ESET Security\Modules\em017_64\2127\em017_64.dll

Filesize
18.7MB

MD5
0c65f14bcd94162631bbb5b4676fcd2b

SHA1
4b8146ae834ed999df4dd915a738fca267282af8

SHA256
4e9b4204355715ea306035f9bc947e695c1509d33b5d4d24b2e1d306395cba9c

SHA512
fab44f09c47281c5b9ef11650de86e28587f8389c241fc64c49223e5e9c9e186df3a1b14e667714cfa4476ae5f3b0168f747a0fcbedea7c01ba0f71771bdbb01

Download Submit
C:\Program Files\ESET\ESET Security\Modules\em024_64\1138\em024_64.dll

Filesize
2.2MB

MD5
1ed3fcbd5a1a22ce6e3aa3f520e135b3

SHA1
0a5f1bfc03a03954244d43322c5674a9237e1751

SHA256
c7add46fedf42ae2a0564af90504c5fff11ea3595cdd59c68d7194398241fbb8

SHA512
f8ac32a9ac650442cd6d5661778996af16e5ac6b71dcbbeb3960e0b3aae01465811d89ef005dae0cb1128606087ec9feac7e86ee478d3a4a7d52a9804fbc890b

Download Submit
C:\Program Files\ESET\ESET Security\Modules\em039_64\2203\em039_64.dll

Filesize
7.7MB

MD5
88fc8d9550c733380b25c9175032acb0

SHA1
13248b2717d8af4023e13502e3b9450a0a0e0d3b

SHA256
a5cd0deb844ee0c10b84f455a89e69a030ebf8eae2b60f02c461871fcceb8c83

SHA512
47fda0e10860bb768fdddc0c5ddd9b9d9cf331fd9f868ff2dbdeac0c9826c586268d3c6fff62cbc5f0ce112b34f0beba9257a5c90da1ffc5ba6973be79ecefc1

Download Submit
C:\Program Files\ESET\ESET Security\Modules\em045_64\1093\em045_64.dll

Filesize
5.4MB

MD5
255de5a7d57be6ef7fa0878ebe49765c

SHA1
862ed12ca6c01d0547f5fa2594a8886bff2392fe

SHA256
44e57d861cd4ac53d09406cb2a287126db8f2c66fb0d5ee357450d325e0ef2b7

SHA512
3d1a93c28c5c8b26e17c1df93a7780aa61541b71af1e431d2da500c8f23a951c7a5a0e5cafc84b1277fc2e479e382821940d4b6d52ee0acd852459f5ec9c6a94

Download Submit
C:\Program Files\ESET\ESET Security\eula.cab

Filesize
603KB

MD5
653951b544027d99d6bdeab8e83af6d8

SHA1
b61ad2623df2a65756685e116b3286a8b68144be

SHA256
5746e05f5674ed583386a6e748f0ade20b906b1a10e17ecf2df2def0a26d7f08

SHA512
8b429872c1792be792b0ca1e5e0b4573295bd0b0144ac1693c46f71e1c93b7b2f7aee983453dc79bbb4429f9d9bc028da7e617d1b789ba1de34b79630b21487e

Download Submit
C:\ProgramData\ESET\ESET Security\Updfiles\upd.ver

Filesize
277KB

MD5
3bdc892ed277ac9f3433ff47a93e9e5f

SHA1
578312545d05084bcdf5302f3170f8bafeeab162

SHA256
8c5439bf5abab9a3aef115258fd8d519af5ebbecbf280cfec906c49ba7a98d6b

SHA512
20f6a57a8ce50f8758cc147b3a60677a157fb722a0b66406afb34283324eaa509304a28c0aeb7e002b47a2f0d6539c3514ab97e44d733f8f3aeee31279b26b42

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET Security\ESET Endpoint Security.lnk

Filesize
2KB

MD5
6c5158ac90c00a2c6eb975e846b04b78

SHA1
e6da2ff319be2817a6e775d543309378c58b8f25

SHA256
bba5e0a20c2c09eb1a1ee70c572081e5dd965939c68a9a8798d52468f87728c1

SHA512
4aeaf52569ef44098f73dce949a595c9a686eca3a8a53e1bf6420a6a2fb7775bb4d9cb4f27eaf5983b4fb48fd8da82c9653fd0558e4927aa435d24011b38cde8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET Security\ESET Endpoint Security.lnk~RFe57fc90.TMP

Filesize
2KB

MD5
9d9db28d628ef29be5896a76cd41b12f

SHA1
a7ab1209b1ecb4ad7f9ab7cf961cc2385f653c67

SHA256
a51eb22f40039bf6ccc67c1d068244ea99ae734914300da0fa79f7758fc37713

SHA512
d6e2cb3ab1cb31fefa63faba9591dc06e44b257fdccc0e450023ce725afef9f7ba09da0932e60560f6dc5a59c6887a8147bfb48f019d2743fb78fddcdb1b1082

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET Security\ESET SysInspector.lnk

Filesize
1KB

MD5
edb820c37739607ef65a022927ae84d7

SHA1
a5945c8c74648aaca28fcebfe781a2e2de0bd8f9

SHA256
9356a9eecfafcd2b43708c3ce703098c73f513dce9b6ee7b3bfe19fd3fc5595c

SHA512
a7497d6f5604c278f3482fe80c7553ccb788915b26ba2392c581c264dc2724df440e7dd10197b6cd0db19747b13efacbc932b7b495f4ba6a24ca34fa20987af5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET Security\ESET SysInspector.lnk

Filesize
1KB

MD5
99da8072bb78c2cca0b2ac94492c6506

SHA1
a9e61d20f0a471929bbb61c7e39ab71da33ea1b9

SHA256
879ccc910a5aeea0ac6b40e01254b907f7676048356f12f29203359c58b2e306

SHA512
945a1304357f32a40c55131162d98501a238e10a4e0706a9e4a4ede636c00b6472af4a187a479d08cc3e5cb1f0b3f8c80710d45b1c69e33d901cf648eaecf86f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET Security\ESET SysInspector.lnk

Filesize
1KB

MD5
34f01a9f17ba046fcdf8109a43e291f5

SHA1
4e8d962140077384ee53b65d3e449f0855cba37d

SHA256
b66bcd5bedfdd0e1313521289f11af51da79c62a043e0c9e3d9b1c23ddecf35c

SHA512
724cd0a11463345e28c4e48659af16281c99429307bb1eaf73ec8b634ec017d166bb6c6b19439a7f7a0f9d645f27661e9b9f32f8ee0b3371e50bebd4628f23ad

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET Security\ESET SysInspector.lnk~RFe57fca0.TMP

Filesize
1KB

MD5
a355552248c1cff1ca902558f05c13e2

SHA1
da647f448975d1ed43b23521dd7dd304c9173386

SHA256
f56651002d122447b71fd33cdaab0e65403667ca4942c9e0731e4380da95a56f

SHA512
c1f3e208e445a68cc010af1bf2ff1d0607e6e383b3550e451e8cd77f9269e6cbee3e835f850bd814737c32fb9f6bae97b14bc2e0f51e392103217ccf25325aa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
bd4eb0e761b980d38524dc43c84372bb

SHA1
2008f94f0e64ec01d16c414755a55cbe7b37c51b

SHA256
86877043bd847837dbbb6a7c3e129599d7af7962d0d8b6f72c5e0e41535cf594

SHA512
aa0f0b3e52b9b493adaa22ae949ddf66c558898c79abee1242e5df62e348b4c19975acf175d3324d30cbda0be4b9aeb69f24a0e8f274977663dc8d9380f481df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
47b3db62356472efa5e8c2211e91b647

SHA1
eddccec9549950f18bd9582d9371d5017b0b18a5

SHA256
614fba017a3fb6b86681d1c752ccb99513b592272157d948b75ada03ae0b583c

SHA512
fcc3f5ad061f5514fbc7b18f655a35ce7e7359120ca1ff1f6def33d0a06df44f1c5df6e791c03f591bc490b9df47fd52babb2d1271f275e858d966e5c1cddd46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dc60ce78bda9fa060b1bcc381aa7ec47

SHA1
2f339ffcfc07640c4ddd73b15cb3c639d2b634b8

SHA256
659ef794cde073e704ad903c1d5c536bcad7211483ddb5d0070be42ce084dc44

SHA512
af795ecf78452bb1e237b9389ef134b46532a7d54043174c20aad18a97626fb547448875df2d95b6577c3b6cded4a78721a94e236ec8e9195b586b6077d037a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b49b8ce1ba4feefce005e0c896f2db9b

SHA1
7227422aa42b91d614155cbd8825815837db6088

SHA256
e59c272c474c104ce2524fb1939e660346bacc0cafdbae520971abd8d8bfacf6

SHA512
09f39c7a33a8be87a7c4ae2df321411f651adc1fd470402deeccf050d76339c55405316545e985b016657003f372f00b35833f46086ff0b51345627e4ae43302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b70752666ff4dd93f7f3f99cbd93b2e

SHA1
9a62b4b07a1177eeeed7ee9757b92fc8cd7954b1

SHA256
7781d4460730e992fef033a89c58db06e46938102ee988d17586193b80e42560

SHA512
290fa77b8e606bb6521d9e54bc3cc5057ff3bad28d62384451dab537015e8972f6500e2062239501555cbd69c797d75b0e0e52f7f400f0de0dacb8b50d1d3851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
717836789e6a6266d929b458961487f3

SHA1
31db38f06f241b340dde6ee25ea2d816281cee72

SHA256
9e3afb22b0a6711a7a9600922610ec5f12bbbe4b0dbd5d7d0d630c481f40020d

SHA512
c94bfb85ab841eb5bcb11f87a9406bfd18bcbec77d5e30c9c1d2f20e8f474d8982313f3981023bd05acd179aaf36f12ef955c5b38c912d5f69521c983f76ef1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
54b3636934d3811c5b4beb51c73f2278

SHA1
6284d219e18e1be924436ccba37a2d94d9189004

SHA256
b94503c635e0e49c499f165435983e3f64886d0d9bbfa8e27b321bd1d6b0c2e3

SHA512
2de402867232672a9d18cdcb81095bf443677dd42fa49aa33a04c2bf3f7a6e99832c0c0141cbf92de5740ed37be27daf35c70afb69ad5533b403c2c1bf1c7a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7b41d.LOG

Filesize
2KB

MD5
b571e66416de3ea433928fce1f56ee95

SHA1
d917e71acf38b0eaf4081caf272b4eb4c04310d3

SHA256
720d98705c570cdf957ffeb89424f12a63539d1305473986243eb65293d8cb39

SHA512
86050f718ca90dbbcbf6dfb59ad7dfa8e5bfecdef354a6756ab997060ff02bc6c26fca912b07f015bcebd0f0b0d9bb3ef8ca5ce5ca575d9438e05c50562e9ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSF27.tmp

Filesize
240B

MD5
d753f05546a08a941346ab73f3501101

SHA1
9b5bd8d61e242b62856a6dd01784dbb71e1adda5

SHA256
8181bb19f41d6ee859ce5318908383f4f5473ba9e8ba9e78cce59d1d43149417

SHA512
dc8a55765230e54e8e29412d4762bd478b5ad41c9f8d2ec2f99fd4be8fe417501101464272ce0d523ea5879c5660a83fc53ad922af8dc0539fe45f315970ac79

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSF28C.tmp

Filesize
232B

MD5
1e41b2744c4a8390eb2df0742922d5d0

SHA1
78382c540ada4f1d5178e05379f6f8324f99a070

SHA256
5f357213eba26280f735f323ce258814c6f1dd2f063937084ef6d659492ad13e

SHA512
9ad7d0a138b15bb01988c6d7cd0730f4de5f48d4683d7dc7ded0516bae12b4c105a4b7fce719f22296f92aa288736eaaa9c9eee3567d08f837f0721200455650

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSF28E.tmp

Filesize
226B

MD5
cb8191b547a73e24f7f1c61ed221e488

SHA1
0c6e798ba897add17005d6428794ab453b9663b0

SHA256
9f450af6d8616d3fa52f2b07084464d439a0814138b762a435fe47c4f23557df

SHA512
d7b04a710c0c74d57b47b17518ad38c4f78fc644e7b16383f15356930f380ed2c40db86663b7663ff1d51953eb7aa6aa8786c89a43187d6fc7b9f395e6525976

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSF290.tmp

Filesize
228B

MD5
57a328103bfa80fd36ee0f702daebba0

SHA1
6eaa2c13931963498b7fef6eda49cdc99a3750b7

SHA256
73f32bfa966e9cf3dd576c7bae905a0ccc11c9ebd2cb57a6c3383331dc5080d6

SHA512
43fd11a0e6c169811c85936d360ed70493a4b62bde956720bdbd92066e8e4695d6fc2ee9c43af8265f26362f6b27e8d2932673c34b2eac931e9205f73b945ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSF312.tmp

Filesize
262B

MD5
83f6a429d967830bbd8f5148d7f0fa22

SHA1
b8f2b6ddc59a5249f08075746e57e57254c4440d

SHA256
ac2daec6be27ff79c95758b0d5325171b6fe2bfebfa26905ead09e59a2d4573d

SHA512
1eacb4e4eaa6b0745a8020fab49771b99b91f218b8a3dc67a0dc6e29d44a9c3dc87c027a36da5952afbd5b3419764c24f55bcf8cbc6a0fc420afb45ea2b3592b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSF44E.tmp

Filesize
227B

MD5
24dc5284c3a49eae5e2236120d9b20f8

SHA1
1fffaaa513d1d00f458b8bf7f0eda9813e1fef48

SHA256
31ed6064156f70975023021962091bb1b591bf3b5747fdf78c387015bb900136

SHA512
1d6020800d27004b07fa08ffa304586a21fae1af560cb847a539f48c072d5eff3885e17794354311a8c6f9f3c33c112e49ca1ebfba19e528b4cc4c9675c016a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSF58.tmp

Filesize
242B

MD5
cbce462a14af0d1602e2ac3d3a136547

SHA1
f4ae8cf1560ba5bc53433f15dec56f509860545c

SHA256
ab95c0e076590d081f7ae8442e384742e8bf0f95176353d2cab11b1b334d8968

SHA512
601b95e8eb74af3183e813c633289c8d81e3bf9fdc8ab382e8266abf8eff600a5407fd11f3e0aa68cfac468bd389ed8dee930eeb909c6e3380c87f82d8c76c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSF5A.tmp

Filesize
224B

MD5
2c7e1fcab74f2a6f026131078bd4c91c

SHA1
bdd7ad4fcb3e2f44dc33ce50d3474169dd257dd6

SHA256
3993708208c2b2f89c51a60c5b76dd80e0b9d83ddb9538b282da2a93e129c30d

SHA512
d5ba6db8d79e815043492d9cb34cd4b97b78af41de0772109b83fc1c2defd7239c57487df5e97f99892d7024872838c0dc8df9eade4f22915b449b0cef379c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSF5C.tmp

Filesize
218B

MD5
761bfeed5ca6bd40c6b967e7eebfed9b

SHA1
f718b09eb4538626d741a84e35d8bce2c62a8de2

SHA256
a94a02a11ef9f9bc2c3d1683719402da32bdadc70d2be1e045747f9de999a0a7

SHA512
4938e3acc75f1b727f00cc7a6bfeab88a9e5a6f6880ef4b11556ed7ccea74299f57d854899fe5246a0bc0a57bd77f3402f955d57dd0ca1bd7175c3bbbbf42e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSF8F.tmp

Filesize
231B

MD5
ab02346d7e3be7b50a7d89b55676b0bc

SHA1
ffc4830b2d7025cd5e4fb5ef3006d99866aec169

SHA256
1c5117f337e05c65619c4660e1cbd79871b16167787c3a29964fa9c32b87d44f

SHA512
8b0862df162959b39911939ceefb11078c5e20b66a9e0ebebd2163c1dd677f7c7807e63201ade1735c1791362d89a4192d5c6d2bc2f45b90a7ddd6870e374e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSFB0.tmp

Filesize
224B

MD5
d3542fd600c1f6ce6ccfcbf3294e95b6

SHA1
74bc39e1083766aee99f6cf99b4105165a9e6956

SHA256
5fb452b55434b40054ff3ad7944748d5184e0b82e1e38dc32a9d95a7a373fd39

SHA512
95d2393946a428735fbd5408398759b841011106558dc46821a122af73a362454edb598299cbad74ff040484ca3192a2735e0464cdb2df2ed741ee54109e8baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSFB2.tmp

Filesize
225B

MD5
ce3798dba4756453b8a92ba5690bcd7a

SHA1
4cc7a26110dd7e43cc5ae4b909d92598d99091bd

SHA256
3b3a01bb26fa3be7d6b9b7a6bd4786324490d42865fd8f807d6ba077effa2ba6

SHA512
63bab97b5d1e45336d82aec545cf37bda7c305847d73764625ec6987aa872852f26fd9d5a4c8c224afa0a2a6e4a5c4fbd02d069f89aedb1be9980243f6bcda54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberMania.url

Filesize
110B

MD5
afe46d7e46a902f1286c4d6eaa067183

SHA1
2a8efc9c6aecb1ed0c1a36d860200fa681936924

SHA256
3aa697f2559d375c31374fd5e7383ea542ad3daa8a714307240ed9762b376762

SHA512
5e6a1cf578ed6f121c895bcb720db8e827dd6a6a65797eba364310d2f6d7b58b15742be2f2066737dab76ac3f2ece0b45d96cb72f6c04427ef64a6dd4b674d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-DD36-E158-792C-45C3E13462FD}\_InstData.xml

Filesize
17KB

MD5
4fb7040c6b9702f37f84d061cdfc5cc0

SHA1
73cd83902406a90e2b59b639d0d66d5b639ff4f6

SHA256
d04b1193a4c004c3ab9be041ee0ad7982ce6c4b82b7b5c1232dbeae782aade94

SHA512
977c6e092be398161c72b67d6885ad3fa3e92b891181c1eb6d91fb6f9d72475fa3109e87ac8adbcbf96eec7371474266ac36960df5290e2611391bdef4be5533

Download Submit
C:\Users\Admin\AppData\Local\Temp\{02D83BBE-4924-EC5F-8D20-45C3C52962FD}\acstest.exe

Filesize
18KB

MD5
54a78a379c58cb3a037a3666c8cb684f

SHA1
27f8521966a69779b5fe1914e9712eee8392b8f6

SHA256
0ea36e4b5e1ea43d14a195a36374290bf781cf5f5deba6da0cd15bad52e6bfc8

SHA512
abbc81605e85ad76ec1a01d8e520ff6bd15d05c14b8fd770f7daea1fcb9f572ca3b19351de7edf034ff192224ab338b94deaff9d4c32dbbd97a31a6854c9849b

Download Submit
C:\Windows\Installer\MSIE60A.tmp

Filesize
1.2MB

MD5
1a74667eb45ba69cf95ae0d792110f15

SHA1
0a75928a17b1896de435f0a062320abe306bae65

SHA256
11926ae11d9f90e138896a4312a0b01760969e26a157dfb3422b068e52fc6637

SHA512
9f7cfe2fec5cb4d1236f043f2cde32d4ea64b6dd3e167a17ecd3232a996a240d7175e7a3977df15cb2779832cf23386d6d7f97de57aae41276dab66b586c6d77

Download Submit
C:\Windows\System32\DriverStore\Temp\{5ff5afd2-1edc-0240-98b6-599d685d7b3c}\eelam.cat

Filesize
11KB

MD5
11d905d5f5782b5e15b0fa70f613b862

SHA1
2fd16cb9ae82246c682fb8d6506a05a6df3364ee

SHA256
339d3b56db804fb5c6312f27c58d4e102dff527e8ba414586f116f7033eeaa20

SHA512
bacbee932783db40bc75eb60673f6220506d80d1c14e8bd207d4da5adfdac70d4839ef209cae803ea8f38d4a448851f583a45c5af919b32790b155eeae63fec0

Download Submit
C:\Windows\System32\DriverStore\Temp\{5ff5afd2-1edc-0240-98b6-599d685d7b3c}\eelam.inf

Filesize
1KB

MD5
a7d5c0c73d05acdffa664557874e7008

SHA1
3a98033c84a31e593ca4f27723dd70774c2674d0

SHA256
17af5930daa149addf4f3092516ca1cc9af8018a792de967193b391e99516a8d

SHA512
ca91643f28dca94cb25cc3af688f224139cedd0276c5b764b9c81b228854b8b7dc8a4ba87682681b020d93eb0d38e929bb0b247fab68bf88a16604048d9cfb62

Download Submit
C:\Windows\System32\DriverStore\Temp\{5ff5afd2-1edc-0240-98b6-599d685d7b3c}\eelam.sys

Filesize
15KB

MD5
6482645cefe3e5237d154470e3e66ca7

SHA1
8048b5607ffbaee37e0a7b94091a2457181cda81

SHA256
56af45ea19ea3aaf91121cae00748f533041bf4071949d270be530568a0e9c45

SHA512
2b42a3e1ed6918d6a0a98739349cfc92596fb4f00c8acd901e57a3759cfa9e8da07da19386b6060af90bccb0e69df57e1e64fe0e310f6168f17dbf6e8e97da2e

Download Submit
C:\Windows\System32\DriverStore\Temp\{b3de3575-366b-5d4f-b1f5-bee081f2ac10}\ehdrv.cat

Filesize
11KB

MD5
61841fa3b0740c3e0e6577f6d9e76945

SHA1
8df888fcd2592d6e4b734402088eae79445c568f

SHA256
a7da17c1d4879cb473ec49d3d311b84f49c0b738e6b7feaf86d711f53b3ec63a

SHA512
fb9245e89e2c7e1425c4a093fe603cced291c411906aaa0bf6bb4eda08988659a871079286bd98772eae3c5f0788682a3c5bbbf2e1c4c569c3d9a5fe8bbd8f13

Download Submit
C:\Windows\System32\DriverStore\Temp\{b3de3575-366b-5d4f-b1f5-bee081f2ac10}\ehdrv.inf

Filesize
1KB

MD5
b87bf438dce5f5a91fce70b1d699db84

SHA1
638f27dc129363087812c93c49450190b653ba7b

SHA256
920c547b4b95da8adfc7fedda0fe194021c7ffa9aaa6ddb7fd598bb093f29256

SHA512
be8bdef7c5b4554a229ba1a008d7c27862bb9c8df06df251df9792a6b197b29f72ffff5f279811f9e455bea97600abea40722eda5a9c4e51855bf8eacd1d72b0

Download Submit
C:\Windows\System32\DriverStore\Temp\{b3de3575-366b-5d4f-b1f5-bee081f2ac10}\ehdrv.sys

Filesize
259KB

MD5
acb9ce58b276029b9cda043424d40a35

SHA1
5c1adb79ad70faf7b624218a996d1d93ef106ae4

SHA256
47f81c93abd96d3a9ddf25b669c3e943ce7d85fbac61500687dd115d4489e04c

SHA512
7b38e5ab7f81dcd794e3322b04873f787daabef73b68a5ceb9e072b337a7562d070da89bd197d6cf84c86d2c090627369814e6441a5cde4f242cc1b72cbd5d26

Download Submit
C:\Windows\System32\DriverStore\Temp\{ccc7a49e-c125-f54f-8d95-8b88a240ca61}\epfw.cat

Filesize
11KB

MD5
d98f841d3da556e2bc8683f39c59a1b0

SHA1
3d45decb3a83e9d353f4a2eefcde27d51775c5c7

SHA256
c65e7922edd57822e962fa75607c1958962ef5d1e1a0d7afa1dd27d2ea248d60

SHA512
2f41752bd30a2d2aa37c7698942e31131b53dad6dc75a82155836ac80ed1b7ff54679a813bcf6164cc7b1511ff340cfc5c7ecf3a15d932b00329278f7ceaaf27

Download Submit
C:\Windows\System32\DriverStore\Temp\{ccc7a49e-c125-f54f-8d95-8b88a240ca61}\epfw.inf

Filesize
1KB

MD5
328e03493b37c3ad4a9533b2dee5fae8

SHA1
3edf9241ea4f296574ede5ebb5b07d39bc15d540

SHA256
5b309636d2c5faa9ec534604c71b408646c05997e5ec85ad4dc8832b0f194be4

SHA512
c564bb03116998656e75aaed07a352611ab07ce464671b3c170fa561d7c26288969c65c2372f5b3f79dd5ad683a91ce9afff180cb6f849fd90dfb3ec05b32b05

Download Submit
C:\Windows\System32\DriverStore\Temp\{ccc7a49e-c125-f54f-8d95-8b88a240ca61}\epfw.sys

Filesize
82KB

MD5
fefd7ad8c5a1a900b2438777964071de

SHA1
594a3dfa88dcea443036c326ed85cac444ab6614

SHA256
345284c346d41700ba2e691733db56cd5ed83498b91743526cc2ca9d7a27028c

SHA512
adb14114226d32e9eb6b16cf7109874aa8a028b70dc7a643e8ce2eaa08dd55bea6daa99c18f2db24e63f9ed5511518fa6e92fe70e634a9a124be9d9af1384849

Download Submit
C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}\epfwwfp.cat

Filesize
11KB

MD5
492c4a69947cd83ebedecab2207ad1a2

SHA1
5cef8d298e29bf4e9583a949c5f340d4eef10a06

SHA256
4e2897c6e74f092a954b2f187526e4608a0c27da96a8ac22a948453bf534b100

SHA512
bebfa2cc8096f874097a3fa6fb42bba9b7069a59b391c7b830b80f4bbd04735b62fb752a49b06e2fd873ca712ada4e6b7006f091155a027dbf62e227288adaee

Download Submit
C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}\epfwwfp.inf

Filesize
1KB

MD5
14e67cc778b8803e64b2a9354d0acac3

SHA1
6049082c351b40a151390e342b10828bcdd6b011

SHA256
b931fa1dd7a799d2202e83720c1e262533b449e1c24fbc9a1af81a907e83ecc6

SHA512
5bb4968e37f39350b688385ad068dc358857d4d19826767b25c82ecc3447071674b005fea1c3adc933c15a44efc350a3c19a43848896668d0af01b6392aa15b5

Download Submit
C:\Windows\System32\DriverStore\Temp\{d0f88151-92dc-3f44-8898-01cf0140455f}\epfwwfp.sys

Filesize
123KB

MD5
2022aa7027af02133dee344a874a3041

SHA1
e34918646f52d3322d61d27c81a7f7718f0f2072

SHA256
40a6b3b6a61ed9ec436eb50d8b93bc6a3942f93c66076d4059bd6f12939d1e92

SHA512
f9b0c551970c8ca203171fb2821f118cdd952571d23d9b31fbb11069b6c8eca79b5e16f509130505b167f2f9c9ce1ab48c95ec352033d3187c5229590f523c3c

Download Submit
C:\Windows\System32\DriverStore\Temp\{d739eba9-da25-2448-8d48-6de9d12e490a}\eamonm.cat

Filesize
11KB

MD5
392e0864cf48411536a368430b335815

SHA1
510ba669937b726b1aa7d8e584eda8c6674574f3

SHA256
35c18ddd139f5c411c05f0a7676f4f02fe263db7f67c3c2c48a6247821ad5dee

SHA512
0e6ceee8347e930633aa720bfd675cb0baf230cb8171dbaae4aa30661d27b70a5c41e8ddea7bb342ed7b053a590bb6f9f08da739a6f46a07dceb027d64186cd2

Download Submit
C:\Windows\System32\DriverStore\Temp\{d739eba9-da25-2448-8d48-6de9d12e490a}\eamonm.inf

Filesize
2KB

MD5
1b94d2e1883e0a7b2c07da8ea1e5e623

SHA1
3bbc02ecfd35e53effa9cb9fb28126bd9c9fc968

SHA256
a6e1bf5d388ece7743a810400e0d8655feceac30a594487f90eaab458efda19c

SHA512
68801095e962357cd3dec1f7dc70d62d11fac9e3d8f395646d6e2708539bc9371203fe0c3305dd7b54fad618c7b575ff078615024e500e9e216b9757f96f81c9

Download Submit
C:\Windows\System32\DriverStore\Temp\{d739eba9-da25-2448-8d48-6de9d12e490a}\eamonm.sys

Filesize
213KB

MD5
b1c7b628372da0a8b4d62b0f2b45a657

SHA1
2cfd8219f2981b8bdd5c16d094d3a7b8c612c1ce

SHA256
7e2dc50cd7d80ab99ae8726a73046a138c217cd8d1b43e0efd33241c9efcb5ff

SHA512
a0847b0d42e9bd53a8be1be9677de61e6ae16f1cee72c93c96106d6caabba5679cf5aff3c6d5d531be591a4e6aab7ac658b028113b8125ba8430d03dc2f84455

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
19KB

MD5
d37d411267f4a3394f4a4ff9b8ce9d1d

SHA1
611b86d017dee06acb8ce9c6bc488afaa7e3092a

SHA256
bdcb576751ed4328f92201f47d5229e5a03bb0c9ecdce6fc2a566079862251e0

SHA512
e42f8a6937d53c238772d328d0de9d01df9f4c1cf155b0eb435630c38ab00c7721fdcdacb70f5a3669c651175bc4f2fe5e3644a59dc8abc0e733139ca6bc9559

Download Submit
memory/3088-704-0x00007FF7CB2A0000-0x00007FF7CB375000-memory.dmp

Filesize
852KB

Download
memory/3568-48-0x00007FF6828B0000-0x00007FF6828B4000-memory.dmp

Filesize
16KB

Download
memory/4084-1057-0x00007FF7CB2A0000-0x00007FF7CB375000-memory.dmp

Filesize
852KB

Download