Analysis
max time kernel: 44s
max time network: 47s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted: 29/09/2024, 15:06
Static task: static1
Behavioral task: behavioral1
  Sample: ESETEndpointSecurity11.1.2052.0x64.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral2
  Sample: ESETEndpointSecurity11.1.2052.0x64.exe
  Resource: win11-20240802-en
Errors
General
Target: ESETEndpointSecurity11.1.2052.0x64.exe
Size: 50.0MB
MD5: 482f59f6c048adfcd193425fbd789db3
SHA1: aa6f5c97d9c6188720f300993595c583c7e4457b
SHA256: ddf3de44e56c08157de5bc3a34838fe38de85eea92f2b058b4031b58afc1cdfa
SHA512: 6f181e616b5c720147ae080afb55d41ba1db35083c6ed76207af1e069edde39eefe4f4ae30a7bd8703fd56c48b6df8d2fd068c1c7304ce72041fac0ea6d54f97
SSDEEP: 1572864:uHJu7pkya3/lX0IyPJMHPI03ZnSRrjCBM0gupSD:OJu+n3/lX0NevJEGBMLupa
Malware Config
Signatures
Drops file in Drivers directory (15 IoCs)
description | ioc | Process
File created | C:\Windows\system32\DRIVERS\SETB0E1.tmp | ekrn.exe
File opened for modification | C:\Windows\system32\DRIVERS\eelam.sys | ekrn.exe
File opened for modification | C:\Windows\system32\DRIVERS\ehdrv.sys | ekrn.exe
File opened for modification | C:\Windows\system32\DRIVERS\epfwwfp.sys | ekrn.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETB4BD.tmp | ekrn.exe
File created | C:\Windows\system32\DRIVERS\SETB4BD.tmp | ekrn.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETB50D.tmp | ekrn.exe
File opened for modification | C:\Windows\system32\DRIVERS\epfw.sys | ekrn.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETB0E1.tmp | ekrn.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETB1CD.tmp | ekrn.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETB44F.tmp | ekrn.exe
File created | C:\Windows\system32\DRIVERS\SETB44F.tmp | ekrn.exe
File created | C:\Windows\system32\DRIVERS\SETB50D.tmp | ekrn.exe
File created | C:\Windows\system32\DRIVERS\SETB1CD.tmp | ekrn.exe
File opened for modification | C:\Windows\system32\DRIVERS\eamonm.sys | ekrn.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\MitigationOptions = "16777216" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | msiexec.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (7 IoCs)
pid | Process
3164 | InstHelper.exe
2544 | ekrn.exe
3140 | efwd.exe
5220 | InstHelper.exe
4408 | InstHelper.exe
4880 | eguiproxy.exe
1404 | egui.exe
Loads dropped DLL (64 IoCs)
Modifies system executable filetype association (2 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ESET Security Shell | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\ESET Security Shell\ = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\Shellex\ContextMenuHandlers | MsiExec.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\egui = "\"C:\\Program Files\\ESET\\ESET Security\\ecmds.exe\" /run /hide /proxy" | msiexec.exe
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
2 | 4828 | msiexec.exe
4 | 4828 | msiexec.exe
Checks for any installed AV software in registry (1 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\ESET\NOD | msiexec.exe
pid | Process
5804 | powershell.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Kills process with taskkill 1 IoCs
pid | Process
5816 | taskkill.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid | Process
3392 | MsiExec.exe
3392 | MsiExec.exe
5804 | powershell.exe
5804 | powershell.exe
5804 | powershell.exe
5408 | msedge.exe
5408 | msedge.exe
4700 | msedge.exe
4700 | msedge.exe
5276 | msedge.exe
5276 | msedge.exe
2676 | identity_helper.exe
2676 | identity_helper.exe
-
Suspicious behavior: LoadsDriver 9 IoCs
pid | Process
656 | Process not Found
656 | Process not Found
656 | Process not Found
656 | Process not Found
656 | Process not Found
656 | Process not Found
656 | Process not Found
656 | Process not Found
656 | Process not Found
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | Process
4700 | msedge.exe
4700 | msedge.exe
4700 | msedge.exe
4700 | msedge.exe
4700 | msedge.exe
4700 | msedge.exe
4700 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
5588 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ESETEndpointSecurity11.1.2052.0x64.exe"C:\Users\Admin\AppData\Local\Temp\ESETEndpointSecurity11.1.2052.0x64.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5348 -
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ees_nt64.msi" /qb CFG_POTENTIALLYUNWANTED_ENABLED=0 CFG_LIVEGRID_ENABLED=0 FIRSTSCAN_ENABLE=0 CFG_EPFW_MODE=0 ACTIVATION_DLG_SUPPRESS=02⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ftuapps.dev/2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd2ac43cb8,0x7ffd2ac43cc8,0x7ffd2ac43cd83⤵PID:4624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,4942903733062892162,1854552420251038756,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:23⤵PID:3940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,4942903733062892162,1854552420251038756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:5408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,4942903733062892162,1854552420251038756,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:83⤵PID:1976
-
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2744)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4942903733062892162,1854552420251038756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5476)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4942903733062892162,1854552420251038756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4552)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4942903733062892162,1854552420251038756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5276)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,4942903733062892162,1854552420251038756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1972)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4942903733062892162,1854552420251038756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4704)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4942903733062892162,1854552420251038756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2572)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4942903733062892162,1854552420251038756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2072)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4942903733062892162,1854552420251038756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  (PID 2676)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,4942903733062892162,1854552420251038756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\msiexec.exe  (PID 4828)
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Event Triggered Execution: Image File Execution Options Injection
  - Adds Run key to start application
  - Blocklisted process makes network request
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\srtasks.exe  (PID 5144)
    cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  C:\Windows\System32\MsiExec.exe  (PID 3392)
    cmdline: C:\Windows\System32\MsiExec.exe -Embedding 26A5019DDD7F9CF40C60351482641C90
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-34E6-7EB7-6D50-45C3212556F4}\InstHelper.exe  (PID 5220)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-34E6-7EB7-6D50-45C3212556F4}\InstHelper.exe" -gv
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-34E6-7EB7-6D50-45C3212556F4}\InstHelper.exe  (PID 4408)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-34E6-7EB7-6D50-45C3212556F4}\InstHelper.exe" -sd "C:\Windows\Temp\eset\bts.stats" "ESET Endpoint Security" "11.1.2052.0" "1033"
      - Executes dropped EXE
  C:\Windows\System32\MsiExec.exe  (PID 748)
    cmdline: C:\Windows\System32\MsiExec.exe -Embedding 1FECBC9F432A931AF3F75817214EE6F3 E Global\MSI0000
    - Event Triggered Execution: Image File Execution Options Injection
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\taskkill.exe  (PID 5816)
      cmdline: "C:\Windows\System32\taskkill.exe" /F /T /IM ehttpsrv.exe
      - Kills process with taskkill
    C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-34E6-7EB7-6D50-45C3212556F4}\InstHelper.exe  (PID 3164)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-34E6-7EB7-6D50-45C3212556F4}\InstHelper.exe" -ci "C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-34E6-7EB7-6D50-45C3212556F4}\_InstData.xml"
      - Executes dropped EXE
      - Loads dropped DLL
C:\Windows\system32\vssvc.exe  (PID 3096)
  cmdline: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files\ESET\ESET Security\ekrn.exe  (PID 2544)
  cmdline: "C:\Program Files\ESET\ESET Security\ekrn.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 5804)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -Command if (((Get-AppxPackage -Name 'EsetContextMenu').length -ne '1') -Or ((Get-AppxPackage -Name 'EsetContextMenu').version -ne '10.45.25.0')) { Get-AppxPackage -Name 'EsetContextMenu' | Remove-AppxPackage; Add-AppxPackage -Path 'C:\Program Files\ESET\ESET Security\EsetContextMenu.msix' -ExternalLocation 'C:\Program Files\ESET\ESET Security\' }
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files\ESET\ESET Security\eguiproxy.exe  (PID 4880)
    cmdline: "C:\Program Files\ESET\ESET Security\eguiproxy.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\ESET\ESET Security\egui.exe  (PID 1404)
    cmdline: "C:\Program Files\ESET\ESET Security\egui.exe"
    - Executes dropped EXE
C:\Windows\system32\svchost.exe  (PID 3304)
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\DrvInst.exe  (PID 5056)
    cmdline: DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\eelam\eelam.inf" "9" "4d8859be3" "0000000000000150" "Service-0x0-3e7$\Default" "0000000000000160" "208" "C:\Program Files\ESET\ESET Security\Drivers\eelam"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
  C:\Windows\system32\DrvInst.exe  (PID 2892)
    cmdline: DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\ehdrv\ehdrv.inf" "9" "446a2f407" "0000000000000160" "Service-0x0-3e7$\Default" "0000000000000164" "208" "C:\Program Files\ESET\ESET Security\Drivers\ehdrv"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
  C:\Windows\system32\DrvInst.exe  (PID 1236)
    cmdline: DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\eamonm\eamonm.inf" "9" "4d14d0413" "0000000000000164" "Service-0x0-3e7$\Default" "000000000000015C" "208" "C:\Program Files\ESET\ESET Security\Drivers\eamonm"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
  C:\Windows\system32\DrvInst.exe  (PID 3176)
    cmdline: DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\epfwwfp\epfwwfp.inf" "9" "48fcaabe7" "000000000000016C" "Service-0x0-3e7$\Default" "0000000000000168" "208" "C:\Program Files\ESET\ESET Security\Drivers\epfwwfp"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
  C:\Windows\system32\DrvInst.exe  (PID 5516)
    cmdline: DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\epfw\epfw.inf" "9" "456eea8cb" "000000000000018C" "Service-0x0-3e7$\Default" "0000000000000168" "208" "C:\Program Files\ESET\ESET Security\Drivers\epfw"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
C:\Program Files\ESET\ESET Security\efwd.exe  (PID 3140)
  cmdline: "C:\Program Files\ESET\ESET Security\efwd.exe"
  - Executes dropped EXE
C:\Windows\System32\CompPkgSrv.exe  (PID 4136)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe  (PID 2912)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\LogonUI.exe  (PID 5588)
  cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3a2e055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
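The sandbox's raw process-tree export is awkward to consume: each process line carries the image path immediately followed by the command line, a single tree-depth digit fused to the last character of the command line, the ⤵ marker, and the PID either on the same line or on its own line after the signature bullets. The Python below is an added example, not part of this report or of the sandbox's tooling. It parses a handful of lines copied from this page (the PowerShell command line is shortened) back into a parent/child tree and then runs three triage predicates over it. The predicates are my own assumptions for illustration, not sandbox signatures: a forced taskkill by image name, a DrvInst driver package installed from outside C:\Windows, and powershell -Command spawned by something other than an interactive shell. All three fire on this tree, which by itself says nothing about intent: an endpoint-protection installer terminating a process of the product it replaces, installing its drivers from its own Program Files tree and registering an MSIX package via PowerShell are all consistent with a legitimate setup, and what separates that from abuse is context this report does not show, such as the signer of the dropped drivers.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One raw process line of the sandbox export, as laid out on this page:
#   <image path><command line><depth digit>⤵[PID:<pid>]
# The image path is repeated (quoted or bare) at the start of the command line
# and the tree-depth digit is glued to the command line's last character, so
# the "⤵" arrow is the only reliable separator. Lines are matched one at a time.
PROC_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]*?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$',
    re.IGNORECASE,
)
# When a process carries signature bullets, its PID follows them on its own line.
PID_RE = re.compile(r"^PID:(\d+)$")


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = None

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_tree(text: str) -> List[Proc]:
    """A process at depth d is a child of the most recent process seen at depth d-1."""
    procs: List[Proc] = []
    last_at_depth: dict = {}  # depth -> most recently seen Proc at that depth
    cur: Optional[Proc] = None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            cur = Proc(m["image"], m["cmd"].strip(), int(m["depth"]),
                       int(m["pid"]) if m["pid"] else None)
            cur.parent = last_at_depth.get(cur.depth - 1)
            for d in [d for d in last_at_depth if d >= cur.depth]:
                del last_at_depth[d]  # a later sibling must not adopt stale children
            last_at_depth[cur.depth] = cur
            procs.append(cur)
        elif cur is not None and (pm := PID_RE.match(line)):
            cur.pid = int(pm[1])
        elif cur is not None and line.startswith("- "):
            cur.signatures.append(line[2:])
    return procs


WINDOWS_DIR = "c:\\windows\\"  # assumed location of first-party driver packages


def triage(procs: List[Proc]) -> List[Tuple[Proc, str]]:
    """Three illustrative predicates (assumptions for this example, not sandbox signatures)."""
    findings: List[Tuple[Proc, str]] = []
    for p in procs:
        args = p.cmdline.lower().split()
        if p.name == "taskkill.exe" and "/f" in args and "/im" in args:
            findings.append((p, "forced termination by image name: " + args[-1]))
        if p.name == "drvinst.exe":
            infs = re.findall(r'"([^"]+\.inf)"', p.cmdline, re.IGNORECASE)
            if any(not i.lower().startswith(WINDOWS_DIR) for i in infs):
                findings.append((p, "driver package outside C:\\Windows: " + infs[0]))
        if (p.name == "powershell.exe" and "-command" in args and p.parent is not None
                and p.parent.name not in ("explorer.exe", "cmd.exe")):
            findings.append((p, "powershell -Command spawned by " + p.parent.name))
    return findings


# Constructed input: lines copied from this report (PowerShell command line shortened).
SAMPLE = r"""C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Checks for any installed AV software in registry
- Adds Run key to start application
PID:4828
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 1FECBC9F432A931AF3F75817214EE6F3 E Global\MSI00002⤵
- Loads dropped DLL
PID:748
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /F /T /IM ehttpsrv.exe3⤵
- Kills process with taskkill
PID:5816
C:\Program Files\ESET\ESET Security\ekrn.exe"C:\Program Files\ESET\ESET Security\ekrn.exe"1⤵
- Drops file in Drivers directory
PID:2544
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -Command Add-AppxPackage -Path 'C:\Program Files\ESET\ESET Security\EsetContextMenu.msix'2⤵
- Command and Scripting Interpreter: PowerShell
PID:5804
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵PID:3304
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\eelam\eelam.inf" "9" "4d8859be3"2⤵PID:5056
"""

if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    for p in tree:
        parent = p.parent.name if p.parent else "-"
        print("  " * (p.depth - 1) + f"{p.name} pid={p.pid} parent={parent} sigs={len(p.signatures)}")
    for p, why in triage(tree):
        print(f"[triage] pid={p.pid} {p.name}: {why}")
```

The depth digit is the only parent/child information the export preserves, so the parser keys a small "last process seen at each depth" map and discards deeper entries whenever a shallower process appears; without that step a later depth-1 process would be followed by children that still point at the previous subtree. The predicates deliberately key on the parsed command line and parent rather than on the sandbox's own signature text, so they can be re-run against endpoint telemetry that has no such labels.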
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (3)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (3)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Downloads
-
Filesize: 10.0MB
MD5: 99070dc008c939199a6114f616e70eb6
SHA1: 6c300bb423ae0d9846384caaf7d65a8dee1ead13
SHA256: 919e871872358d2acba8a955ad5e44b93f0943a96ce3ef603221ff837b563133
SHA512: 616b8237f3d6e204a86049607eacd31b4cf7ecbd42e2f847ce524a873147d6d373f6ca3861dc6364ce48aed2b7069cf776db99bc1f411efc4c4cd109d0629c68
-
Filesize: 251KB
MD5: e9bc3d66fdae9f163923739a970c059e
SHA1: 890fa99b0e1e2bb0e7681c0b585c343d2ef4206a
SHA256: 376dfef7d9415000d1269c45cabd79cceb96ce84f737a488dfff226ffc57c59a
SHA512: 612a6c004f13a892e01f773f7728aca0e81aef60cdb4da3d1a9fb09dd0285825e293b4065de1c76e3440aa0801353878da1c4bb14be9acc101e4e3a0e3638a92
-
Filesize: 220KB
MD5: 10013ab30e9b33af6171a094ebed27cc
SHA1: 8a79cf3ff977d97ecdbb9f65127c61b5b513a882
SHA256: bb35315ad2a04a38565b2adbb12bcdcaf3afd22f5cdb2c29dbfa0e7b2593a5f9
SHA512: e45c8c8c0bfdc8112fd8d45543fa834eb8e0a4c396f3554ab2f4e084905ca8fbd4ae49e0bc6ee94808d482f07e864a4e70853641fac6eda5bbc8db07c15a9867
-
Filesize: 54KB
MD5: 32b123a74a0cd763ec9d88dbdf49e947
SHA1: 5bc7d5c9729b70c7aa5362aad57facad8e3d793a
SHA256: 1cb999282603d370a8a907d29f98c7300eadce3139817334f2a1ea7eac55200c
SHA512: 0f125f0628bc0d7487a8a8f778f8ead63d43736e7333feee75598cb0756e01755fb7a0c78970470cc3225af748bfeece6b15ed8189f3f435bfb51de74010d309
-
Filesize: 266KB
MD5: c391598c2dca1f460bb37476e2fdce17
SHA1: 5b0a1ae5e2ba8895f5dcadd541dd0039036c392d
SHA256: b945fba86de2306943f93fa65e9c887604cc4a944535fe29c6ee740148837205
SHA512: 16e7ff5d2193756e5d53b82098c741291aba2969d20b63e2f76af07c0df120444be5619c97c64438d94c382ea1d044f80bc9357fd743ee69a5d53934ff1455ad
-
Filesize: 18.7MB
MD5: 0c65f14bcd94162631bbb5b4676fcd2b
SHA1: 4b8146ae834ed999df4dd915a738fca267282af8
SHA256: 4e9b4204355715ea306035f9bc947e695c1509d33b5d4d24b2e1d306395cba9c
SHA512: fab44f09c47281c5b9ef11650de86e28587f8389c241fc64c49223e5e9c9e186df3a1b14e667714cfa4476ae5f3b0168f747a0fcbedea7c01ba0f71771bdbb01
-
Filesize: 2.2MB
MD5: 1ed3fcbd5a1a22ce6e3aa3f520e135b3
SHA1: 0a5f1bfc03a03954244d43322c5674a9237e1751
SHA256: c7add46fedf42ae2a0564af90504c5fff11ea3595cdd59c68d7194398241fbb8
SHA512: f8ac32a9ac650442cd6d5661778996af16e5ac6b71dcbbeb3960e0b3aae01465811d89ef005dae0cb1128606087ec9feac7e86ee478d3a4a7d52a9804fbc890b
-
Filesize: 7.7MB
MD5: 88fc8d9550c733380b25c9175032acb0
SHA1: 13248b2717d8af4023e13502e3b9450a0a0e0d3b
SHA256: a5cd0deb844ee0c10b84f455a89e69a030ebf8eae2b60f02c461871fcceb8c83
SHA512: 47fda0e10860bb768fdddc0c5ddd9b9d9cf331fd9f868ff2dbdeac0c9826c586268d3c6fff62cbc5f0ce112b34f0beba9257a5c90da1ffc5ba6973be79ecefc1
-
Filesize: 5.4MB
MD5: 255de5a7d57be6ef7fa0878ebe49765c
SHA1: 862ed12ca6c01d0547f5fa2594a8886bff2392fe
SHA256: 44e57d861cd4ac53d09406cb2a287126db8f2c66fb0d5ee357450d325e0ef2b7
SHA512: 3d1a93c28c5c8b26e17c1df93a7780aa61541b71af1e431d2da500c8f23a951c7a5a0e5cafc84b1277fc2e479e382821940d4b6d52ee0acd852459f5ec9c6a94
-
Filesize: 603KB
MD5: 653951b544027d99d6bdeab8e83af6d8
SHA1: b61ad2623df2a65756685e116b3286a8b68144be
SHA256: 5746e05f5674ed583386a6e748f0ade20b906b1a10e17ecf2df2def0a26d7f08
SHA512: 8b429872c1792be792b0ca1e5e0b4573295bd0b0144ac1693c46f71e1c93b7b2f7aee983453dc79bbb4429f9d9bc028da7e617d1b789ba1de34b79630b21487e
-
Filesize: 277KB
MD5: 3bdc892ed277ac9f3433ff47a93e9e5f
SHA1: 578312545d05084bcdf5302f3170f8bafeeab162
SHA256: 8c5439bf5abab9a3aef115258fd8d519af5ebbecbf280cfec906c49ba7a98d6b
SHA512: 20f6a57a8ce50f8758cc147b3a60677a157fb722a0b66406afb34283324eaa509304a28c0aeb7e002b47a2f0d6539c3514ab97e44d733f8f3aeee31279b26b42
-
Filesize: 265KB
MD5: d9a2ef061614db0d8eaa47c1e0fa8bfb
SHA1: c1d0dc45f0a90c900b8babc6df2406b2510673a2
SHA256: 0bfdfe45a85138c7071d4a3bce42753c98af9c309c3349bfc57be7b6839c6c41
SHA512: 3c63e00e5e5ec9a69c4482d43108500c83d5d73650c7c171f3d65c2e165db971bf6b2d96d7e0fc9e2d347c9310483ee7c13d1e7d59709f8d8233d6ae73daffc0
-
Filesize: 2KB
MD5: 859bbd605fbfafc23572b3a34375778a
SHA1: 88449307748157f5fadf9b4d7f7a3b6ed01fb133
SHA256: 915be0caec750fdbce75b999df2b375125339fa3fb70b3d18a05f4a154b4d432
SHA512: 13bb63b23cbf545ca207da30ec310f841d0f419483eab219b7174394ec41fbf00af7e3738fdf8ebfe3df598aec70be1430b4fe336151c3e240caaed5082c4d2a
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET Security\ESET Endpoint Security.lnk~RFe57a3f1.TMP
Filesize: 2KB
MD5: 555278c86eb8bd9f2ce1d7173e81a51f
SHA1: 4392e7afd6e374095a6ff99d5f2257b07effeddc
SHA256: 36637512456d30d7dd6c4eaf110275a5fc1477dee860eb03d18f65253a6afccd
SHA512: a6ce0c27fefe9196ad9cada5b0ccd7fe4310bf9264e042d39a4a1235daf804fac7bc863f1a30aa9f68b29c05b0ec5b8274baabc7693ee10ab8dbd28c342aadb8
-
Filesize: 1KB
MD5: eef32e15e69cfdbfa58a2ea167bee9b0
SHA1: 333d540b16fd9bd7e4e9b734001a777baac5ca9e
SHA256: e93d978e56b19a397fa8d7a02cb0b77820d688908e14ba93a669014874c1d774
SHA512: 346657cced95eb16a395100bb6cd6fb0135516c5d68706edf9fc137b6e3d40ce97851ea593b22bf2088424373e4c47ee87691020fe8d6846dffb27ab245a0ed6
-
Filesize: 1KB
MD5: 08ed01789b5f344152e26db35c81358b
SHA1: c43bc23d529a2063168cffc8137debe0eb2439bd
SHA256: c581ab6cd1171a02d327b362b2315fb3c7f5da71d99b3a938cbeac858ae1955f
SHA512: 00570186cc0888e55c9b271832dbe369b4e2a31033b5578b2cdcb2068814d3321e9e418124eccba1e3b30a7c90dfb6a69318eb51f1452646abbb78c5ad392823
-
Filesize: 1KB
MD5: e23f2c718b1a4f1019031b16fcfbd72d
SHA1: 60812ffb786219dfe4a89d095eb8a73f86a16513
SHA256: 70bbc7182ded55c377ed548083b87a537161ded2291c61079ea0051497b3253c
SHA512: a7e7065984a5558e749b5f994a7e06b889d96215a8bf693766e91697b5f9baa92a2cc3a88e99c8af25cc10bd8bd31974b51c64bcc69b8d9ce780ce3e5335023b
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET Security\ESET SysInspector.lnk~RFe57a400.TMP
Filesize: 1KB
MD5: 56a0cab07b0949bddc30fad26c91b98f
SHA1: dbd799900bc51e0c9074ba9c66c278a6255dccc2
SHA256: 52fb2760942c09f41bb7402882731628d40c4f061b9ace7fd033e252ea91fe55
SHA512: f68de069ff8c4a89d82b1d75cf49c1a91d09d66acdaa5f998a4044d2f2f82c2448d6b7ab2640058a78b2ac0f212f8e2af3d9ea07af07e852edd648933d14ea8b
-
Filesize: 152B
MD5: 228fefc98d7fb5b4e27c6abab1de7207
SHA1: ada493791316e154a906ec2c83c412adf3a7061a
SHA256: 448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2
SHA512: fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56
-
Filesize: 152B
MD5: 026e0c65239e15ba609a874aeac2dc33
SHA1: a75e1622bc647ab73ab3bb2809872c2730dcf2df
SHA256: 593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292
SHA512: 9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 360B
MD5: a4caf10cd33b19c2dfdf52c6eac25025
SHA1: bd50f502c10a1052e4bc37adfb85efad7a9ea64f
SHA256: b318bf6c89afeedc0409d5856c45197abefcd6feea7a6da3a6ba885e2e011fb4
SHA512: 8b10f3c595f30edfe8fc648c1ab6280d02c05103d5f532ad8718733cb4497bbcdd52bdf29879dc7cf30d717bbbcc826f638ca9684a8ad8e118da9a4a799381b1
-
Filesize: 2KB
MD5: 258ac77af0fb8a2a6247a0ded1cc4f5b
SHA1: d5fd7e7c52891ebc94d7093f1dcfba7af7e4314f
SHA256: 38852c495bcc233798554524308920040e5bb6b6d6990fe8950239a0890636e1
SHA512: 59dea5557ae5cc993554fa02ae407e9ccf2531809a6903138f7c6feec1e580bc6f49c3ed93427153bdfb551c8cbe34826ca8d574e09e6b92461cc23b2983eb83
-
Filesize: 5KB
MD5: ff8190ca7fabadfc9ca74489f9f29178
SHA1: ff2dfc0f6a7dceefa2798e126135e6ea90ce6a81
SHA256: dc73a2c18173698dbe0b67eb4e3265af9832684d8008bf5753298ece80290f8e
SHA512: 43817bbb97a8ee3008ee73c8072a05ba122c8f6539bf5e58bf3c2df34a847d7afdeb1b84161fc92d193a353a9f05ad52f3e09879785b735c5fb4d55704d580b7
-
Filesize: 6KB
MD5: 14ab7acf37d9459121693f7b447ea95c
SHA1: 13f2d2668bf9beccbee218753b6a1493dfa0789d
SHA256: 2866c54b95aa2c415b9b611cc8575a81ea5d1de4970c31b7c2d70853b1105f4f
SHA512: 3c25159b993252aa047b6a3c7ceacedd85921c7547445ffcf8eec375f5c735aad93737d187e4136a4ff3f82b09944eaffecba7c9113ad177c4b9ceae0613e6c5
-
Filesize: 6KB
MD5: 725f6c5084ba77e90e302408a6f04a1a
SHA1: f9dda68f60da12bea09a29724bd1a5b15a2fae0f
SHA256: aeba4cbe9f56df163f6a8c4388238431989f0ad1659cc38e477b6db071aca875
SHA512: bdcd552c57700168afe569039d7af4aa168809c753b3cad39b10a05a6340a52c94e224d38c0bed9100e570c71092924fb9a7293214352151e90ef738e882882c
-
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize: 10KB
MD5: c2a15eb696ab986dcac763d5ebc51308
SHA1: 1ffb8fab1e4882ff0d1229c684379b23d4b90b10
SHA256: 4a791127f51a7bdb4b0831eda7235224e182bad5bec3a76c6b3e7fda80368763
SHA512: 1129e7730a0566b5d9b27e86445aacee56dda4f85bef658d0002108a0a60fb52dfe808c51946b5d5da94e9b54557d33ef90529d5fcdbde435bcb25b4b6640442
-
Filesize: 10KB
MD5: ad7279e89d6d62ba93b7ffe310c31f90
SHA1: 25c97d01864bf01e9618e728410520dcda215de2
SHA256: a32655000479aa657d0ac17787260004c2eb2e769246209f59220e4881a13d2e
SHA512: dec159698aff932ceddca4287558d2821241bd7c61b4eb83d12c13321714880bc73cbf2bc51ace5bada3638bdcd17275d7e2b64bf673638cfc150567204bc6fe
-
Filesize: 2KB
MD5: 9bdbde5a1f75a11ec4ce1b969c363bfc
SHA1: e3ffa8574c30cf7a4aa2ad95cfb6822281485b67
SHA256: 959c1ca22f56b068338372d2d4a6229729b4d391728cd39198a8e97a51465d72
SHA512: 76cd4c8ccaaca201f1533289a168815f383ff23db8d8c960ed896d7c5d248f8578eb9ad7b5f38264dcb69c91c9d54888fffdb6babc492ab4a1dd94e6bd88b068
-
Filesize: 240B
MD5: d753f05546a08a941346ab73f3501101
SHA1: 9b5bd8d61e242b62856a6dd01784dbb71e1adda5
SHA256: 8181bb19f41d6ee859ce5318908383f4f5473ba9e8ba9e78cce59d1d43149417
SHA512: dc8a55765230e54e8e29412d4762bd478b5ad41c9f8d2ec2f99fd4be8fe417501101464272ce0d523ea5879c5660a83fc53ad922af8dc0539fe45f315970ac79
-
Filesize: 242B
MD5: cbce462a14af0d1602e2ac3d3a136547
SHA1: f4ae8cf1560ba5bc53433f15dec56f509860545c
SHA256: ab95c0e076590d081f7ae8442e384742e8bf0f95176353d2cab11b1b334d8968
SHA512: 601b95e8eb74af3183e813c633289c8d81e3bf9fdc8ab382e8266abf8eff600a5407fd11f3e0aa68cfac468bd389ed8dee930eeb909c6e3380c87f82d8c76c71
-
Filesize: 224B
MD5: 2c7e1fcab74f2a6f026131078bd4c91c
SHA1: bdd7ad4fcb3e2f44dc33ce50d3474169dd257dd6
SHA256: 3993708208c2b2f89c51a60c5b76dd80e0b9d83ddb9538b282da2a93e129c30d
SHA512: d5ba6db8d79e815043492d9cb34cd4b97b78af41de0772109b83fc1c2defd7239c57487df5e97f99892d7024872838c0dc8df9eade4f22915b449b0cef379c5c
-
Filesize: 218B
MD5: 761bfeed5ca6bd40c6b967e7eebfed9b
SHA1: f718b09eb4538626d741a84e35d8bce2c62a8de2
SHA256: a94a02a11ef9f9bc2c3d1683719402da32bdadc70d2be1e045747f9de999a0a7
SHA512: 4938e3acc75f1b727f00cc7a6bfeab88a9e5a6f6880ef4b11556ed7ccea74299f57d854899fe5246a0bc0a57bd77f3402f955d57dd0ca1bd7175c3bbbbf42e03
-
Filesize: 231B
MD5: ab02346d7e3be7b50a7d89b55676b0bc
SHA1: ffc4830b2d7025cd5e4fb5ef3006d99866aec169
SHA256: 1c5117f337e05c65619c4660e1cbd79871b16167787c3a29964fa9c32b87d44f
SHA512: 8b0862df162959b39911939ceefb11078c5e20b66a9e0ebebd2163c1dd677f7c7807e63201ade1735c1791362d89a4192d5c6d2bc2f45b90a7ddd6870e374e3f
-
Filesize: 224B
MD5: d3542fd600c1f6ce6ccfcbf3294e95b6
SHA1: 74bc39e1083766aee99f6cf99b4105165a9e6956
SHA256: 5fb452b55434b40054ff3ad7944748d5184e0b82e1e38dc32a9d95a7a373fd39
SHA512: 95d2393946a428735fbd5408398759b841011106558dc46821a122af73a362454edb598299cbad74ff040484ca3192a2735e0464cdb2df2ed741ee54109e8baf
-
Filesize: 225B
MD5: ce3798dba4756453b8a92ba5690bcd7a
SHA1: 4cc7a26110dd7e43cc5ae4b909d92598d99091bd
SHA256: 3b3a01bb26fa3be7d6b9b7a6bd4786324490d42865fd8f807d6ba077effa2ba6
SHA512: 63bab97b5d1e45336d82aec545cf37bda7c305847d73764625ec6987aa872852f26fd9d5a4c8c224afa0a2a6e4a5c4fbd02d069f89aedb1be9980243f6bcda54
-
Filesize: 232B
MD5: 1e41b2744c4a8390eb2df0742922d5d0
SHA1: 78382c540ada4f1d5178e05379f6f8324f99a070
SHA256: 5f357213eba26280f735f323ce258814c6f1dd2f063937084ef6d659492ad13e
SHA512: 9ad7d0a138b15bb01988c6d7cd0730f4de5f48d4683d7dc7ded0516bae12b4c105a4b7fce719f22296f92aa288736eaaa9c9eee3567d08f837f0721200455650
-
Filesize: 226B
MD5: cb8191b547a73e24f7f1c61ed221e488
SHA1: 0c6e798ba897add17005d6428794ab453b9663b0
SHA256: 9f450af6d8616d3fa52f2b07084464d439a0814138b762a435fe47c4f23557df
SHA512: d7b04a710c0c74d57b47b17518ad38c4f78fc644e7b16383f15356930f380ed2c40db86663b7663ff1d51953eb7aa6aa8786c89a43187d6fc7b9f395e6525976
-
Filesize: 228B
MD5: 57a328103bfa80fd36ee0f702daebba0
SHA1: 6eaa2c13931963498b7fef6eda49cdc99a3750b7
SHA256: 73f32bfa966e9cf3dd576c7bae905a0ccc11c9ebd2cb57a6c3383331dc5080d6
SHA512: 43fd11a0e6c169811c85936d360ed70493a4b62bde956720bdbd92066e8e4695d6fc2ee9c43af8265f26362f6b27e8d2932673c34b2eac931e9205f73b945ac4
-
Filesize: 262B
MD5: 83f6a429d967830bbd8f5148d7f0fa22
SHA1: b8f2b6ddc59a5249f08075746e57e57254c4440d
SHA256: ac2daec6be27ff79c95758b0d5325171b6fe2bfebfa26905ead09e59a2d4573d
SHA512: 1eacb4e4eaa6b0745a8020fab49771b99b91f218b8a3dc67a0dc6e29d44a9c3dc87c027a36da5952afbd5b3419764c24f55bcf8cbc6a0fc420afb45ea2b3592b
-
Filesize: 227B
MD5: 24dc5284c3a49eae5e2236120d9b20f8
SHA1: 1fffaaa513d1d00f458b8bf7f0eda9813e1fef48
SHA256: 31ed6064156f70975023021962091bb1b591bf3b5747fdf78c387015bb900136
SHA512: 1d6020800d27004b07fa08ffa304586a21fae1af560cb847a539f48c072d5eff3885e17794354311a8c6f9f3c33c112e49ca1ebfba19e528b4cc4c9675c016a3
-
Filesize: 110B
MD5: afe46d7e46a902f1286c4d6eaa067183
SHA1: 2a8efc9c6aecb1ed0c1a36d860200fa681936924
SHA256: 3aa697f2559d375c31374fd5e7383ea542ad3daa8a714307240ed9762b376762
SHA512: 5e6a1cf578ed6f121c895bcb720db8e827dd6a6a65797eba364310d2f6d7b58b15742be2f2066737dab76ac3f2ece0b45d96cb72f6c04427ef64a6dd4b674d3c
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 17KB
MD5: 4fb7040c6b9702f37f84d061cdfc5cc0
SHA1: 73cd83902406a90e2b59b639d0d66d5b639ff4f6
SHA256: d04b1193a4c004c3ab9be041ee0ad7982ce6c4b82b7b5c1232dbeae782aade94
SHA512: 977c6e092be398161c72b67d6885ad3fa3e92b891181c1eb6d91fb6f9d72475fa3109e87ac8adbcbf96eec7371474266ac36960df5290e2611391bdef4be5533
-
Filesize: 1.2MB
MD5: 1a74667eb45ba69cf95ae0d792110f15
SHA1: 0a75928a17b1896de435f0a062320abe306bae65
SHA256: 11926ae11d9f90e138896a4312a0b01760969e26a157dfb3422b068e52fc6637
SHA512: 9f7cfe2fec5cb4d1236f043f2cde32d4ea64b6dd3e167a17ecd3232a996a240d7175e7a3977df15cb2779832cf23386d6d7f97de57aae41276dab66b586c6d77
-
Filesize: 11KB
MD5: 492c4a69947cd83ebedecab2207ad1a2
SHA1: 5cef8d298e29bf4e9583a949c5f340d4eef10a06
SHA256: 4e2897c6e74f092a954b2f187526e4608a0c27da96a8ac22a948453bf534b100
SHA512: bebfa2cc8096f874097a3fa6fb42bba9b7069a59b391c7b830b80f4bbd04735b62fb752a49b06e2fd873ca712ada4e6b7006f091155a027dbf62e227288adaee
-
Filesize: 1KB
MD5: 14e67cc778b8803e64b2a9354d0acac3
SHA1: 6049082c351b40a151390e342b10828bcdd6b011
SHA256: b931fa1dd7a799d2202e83720c1e262533b449e1c24fbc9a1af81a907e83ecc6
SHA512: 5bb4968e37f39350b688385ad068dc358857d4d19826767b25c82ecc3447071674b005fea1c3adc933c15a44efc350a3c19a43848896668d0af01b6392aa15b5
-
Filesize: 123KB
MD5: 2022aa7027af02133dee344a874a3041
SHA1: e34918646f52d3322d61d27c81a7f7718f0f2072
SHA256: 40a6b3b6a61ed9ec436eb50d8b93bc6a3942f93c66076d4059bd6f12939d1e92
SHA512: f9b0c551970c8ca203171fb2821f118cdd952571d23d9b31fbb11069b6c8eca79b5e16f509130505b167f2f9c9ce1ab48c95ec352033d3187c5229590f523c3c
-
Filesize: 11KB
MD5: 11d905d5f5782b5e15b0fa70f613b862
SHA1: 2fd16cb9ae82246c682fb8d6506a05a6df3364ee
SHA256: 339d3b56db804fb5c6312f27c58d4e102dff527e8ba414586f116f7033eeaa20
SHA512: bacbee932783db40bc75eb60673f6220506d80d1c14e8bd207d4da5adfdac70d4839ef209cae803ea8f38d4a448851f583a45c5af919b32790b155eeae63fec0
-
Filesize: 1KB
MD5: a7d5c0c73d05acdffa664557874e7008
SHA1: 3a98033c84a31e593ca4f27723dd70774c2674d0
SHA256: 17af5930daa149addf4f3092516ca1cc9af8018a792de967193b391e99516a8d
SHA512: ca91643f28dca94cb25cc3af688f224139cedd0276c5b764b9c81b228854b8b7dc8a4ba87682681b020d93eb0d38e929bb0b247fab68bf88a16604048d9cfb62
-
Filesize: 15KB
MD5: 6482645cefe3e5237d154470e3e66ca7
SHA1: 8048b5607ffbaee37e0a7b94091a2457181cda81
SHA256: 56af45ea19ea3aaf91121cae00748f533041bf4071949d270be530568a0e9c45
SHA512: 2b42a3e1ed6918d6a0a98739349cfc92596fb4f00c8acd901e57a3759cfa9e8da07da19386b6060af90bccb0e69df57e1e64fe0e310f6168f17dbf6e8e97da2e
-
Filesize: 11KB
MD5: 392e0864cf48411536a368430b335815
SHA1: 510ba669937b726b1aa7d8e584eda8c6674574f3
SHA256: 35c18ddd139f5c411c05f0a7676f4f02fe263db7f67c3c2c48a6247821ad5dee
SHA512: 0e6ceee8347e930633aa720bfd675cb0baf230cb8171dbaae4aa30661d27b70a5c41e8ddea7bb342ed7b053a590bb6f9f08da739a6f46a07dceb027d64186cd2
-
Filesize: 2KB
MD5: 1b94d2e1883e0a7b2c07da8ea1e5e623
SHA1: 3bbc02ecfd35e53effa9cb9fb28126bd9c9fc968
SHA256: a6e1bf5d388ece7743a810400e0d8655feceac30a594487f90eaab458efda19c
SHA512: 68801095e962357cd3dec1f7dc70d62d11fac9e3d8f395646d6e2708539bc9371203fe0c3305dd7b54fad618c7b575ff078615024e500e9e216b9757f96f81c9
-
Filesize: 213KB
MD5: b1c7b628372da0a8b4d62b0f2b45a657
SHA1: 2cfd8219f2981b8bdd5c16d094d3a7b8c612c1ce
SHA256: 7e2dc50cd7d80ab99ae8726a73046a138c217cd8d1b43e0efd33241c9efcb5ff
SHA512: a0847b0d42e9bd53a8be1be9677de61e6ae16f1cee72c93c96106d6caabba5679cf5aff3c6d5d531be591a4e6aab7ac658b028113b8125ba8430d03dc2f84455
-
Filesize: 11KB
MD5: d98f841d3da556e2bc8683f39c59a1b0
SHA1: 3d45decb3a83e9d353f4a2eefcde27d51775c5c7
SHA256: c65e7922edd57822e962fa75607c1958962ef5d1e1a0d7afa1dd27d2ea248d60
SHA512: 2f41752bd30a2d2aa37c7698942e31131b53dad6dc75a82155836ac80ed1b7ff54679a813bcf6164cc7b1511ff340cfc5c7ecf3a15d932b00329278f7ceaaf27
-
Filesize: 1KB
MD5: 328e03493b37c3ad4a9533b2dee5fae8
SHA1: 3edf9241ea4f296574ede5ebb5b07d39bc15d540
SHA256: 5b309636d2c5faa9ec534604c71b408646c05997e5ec85ad4dc8832b0f194be4
SHA512: c564bb03116998656e75aaed07a352611ab07ce464671b3c170fa561d7c26288969c65c2372f5b3f79dd5ad683a91ce9afff180cb6f849fd90dfb3ec05b32b05
-
Filesize: 82KB
MD5: fefd7ad8c5a1a900b2438777964071de
SHA1: 594a3dfa88dcea443036c326ed85cac444ab6614
SHA256: 345284c346d41700ba2e691733db56cd5ed83498b91743526cc2ca9d7a27028c
SHA512: adb14114226d32e9eb6b16cf7109874aa8a028b70dc7a643e8ce2eaa08dd55bea6daa99c18f2db24e63f9ed5511518fa6e92fe70e634a9a124be9d9af1384849
-
Filesize: 11KB
MD5: 61841fa3b0740c3e0e6577f6d9e76945
SHA1: 8df888fcd2592d6e4b734402088eae79445c568f
SHA256: a7da17c1d4879cb473ec49d3d311b84f49c0b738e6b7feaf86d711f53b3ec63a
SHA512: fb9245e89e2c7e1425c4a093fe603cced291c411906aaa0bf6bb4eda08988659a871079286bd98772eae3c5f0788682a3c5bbbf2e1c4c569c3d9a5fe8bbd8f13
-
Filesize: 1KB
MD5: b87bf438dce5f5a91fce70b1d699db84
SHA1: 638f27dc129363087812c93c49450190b653ba7b
SHA256: 920c547b4b95da8adfc7fedda0fe194021c7ffa9aaa6ddb7fd598bb093f29256
SHA512: be8bdef7c5b4554a229ba1a008d7c27862bb9c8df06df251df9792a6b197b29f72ffff5f279811f9e455bea97600abea40722eda5a9c4e51855bf8eacd1d72b0
-
Filesize: 259KB
MD5: acb9ce58b276029b9cda043424d40a35
SHA1: 5c1adb79ad70faf7b624218a996d1d93ef106ae4
SHA256: 47f81c93abd96d3a9ddf25b669c3e943ce7d85fbac61500687dd115d4489e04c
SHA512: 7b38e5ab7f81dcd794e3322b04873f787daabef73b68a5ceb9e072b337a7562d070da89bd197d6cf84c86d2c090627369814e6441a5cde4f242cc1b72cbd5d26