Malware Analysis Report

2024-11-30 19:23

Sample ID 240301-wq8nnsbc83
Target Checkm8.info Software.exe
SHA256 df8bc2dfd6961766452c508d84917c40c109b8920d9c617b08cb62dc7c6668da
Tags
agilenet
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

df8bc2dfd6961766452c508d84917c40c109b8920d9c617b08cb62dc7c6668da

Threat Level: Likely malicious

The file Checkm8.info Software.exe was found to be: Likely malicious.

Malicious Activity Summary

agilenet

Manipulates Digital Signatures

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-01 18:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-01 18:08

Reported

2024-03-01 18:21

Platform

win7-20240221-en

Max time kernel

117s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 2284 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2852 wrote to memory of 2284 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2852 wrote to memory of 2284 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2852 wrote to memory of 2284 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2852 wrote to memory of 2284 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2852 wrote to memory of 2284 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2852 wrote to memory of 2284 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe

"C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 71A833C905DB1BF3890FA4155E5F99F5 C

Network

Files

memory/1888-0-0x00000000002F0000-0x00000000002F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 4.7.1\install\Checkm8.info Software.msi

MD5 30c152f87f12ab86a690f12d6c426fbb
SHA1 7672e0681df44cd40370d5bc9dbc3a787df829a6
SHA256 8eb7d687c3f364b997dceb9a88238baf9f9d4222994df7988513fba6b9ddda7a
SHA512 db7642ee854a4ee4f9d738ff85ea726ab0d097157f6aa4c9731a54a89caab34293b4955c7705a863efe467bc38fe2e6084166e44aa87e92f700810a57725cccf

C:\Users\Admin\AppData\Local\Temp\Cab8133.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar8165.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar843A.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\Local\Temp\MSI89E6.tmp

MD5 5e33a5224c4d523a2517ba8a96aaff42
SHA1 12e41a9380cc890053b5c7e19769c76bfa1608d4
SHA256 d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c
SHA512 bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

C:\Users\Admin\AppData\Local\Temp\MSI8BAC.tmp

MD5 0cca4ccd0c4a2712301f4488180404b7
SHA1 ee44cd435225b02709bb4b904e97d630d4ebe7df
SHA256 fbae7c3613e76953e08e58b4c48c9eb9cb2bcbca977cf4a04d614016d9b73cb6
SHA512 362e20be4d993111a6b469c8bd5cf8aeb167ed4e3bb1f0685f4dc81cb906b60d77f38a34fb2a0734484a424e8d550bcfd70170b40fda950e44b131713a2b2553

\Users\Admin\AppData\Local\Temp\MSI8BAC.tmp

MD5 d290b64225bb549c184d9d27b25a7fe3
SHA1 daadb33a3c7b4a8be8d67ab06bcc7f0f3fcbfd46
SHA256 c34c67ed246aaf47d9875239efd07c6269c4384b482de775f50d0890d3b320b3
SHA512 d462730e60655b12efa41336d1f4db8a0c587fa8fb26c01bb427e45e3bcdd06e47f7a0ebb17cf1e3479945108f80102a5d31986d1b4cfaa910a5f04bf1cbb614

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-01 18:08

Reported

2024-03-01 18:21

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe"

Signatures

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" C:\Windows\SysWOW64\certutil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" C:\Windows\SysWOW64\certutil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" C:\Windows\SysWOW64\certutil.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\Installer\MSI9EF8.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Installer\MSI9EF8.tmp N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\CoreADI64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\CoreVideo.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\OutlookChangeNotifierAddIn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Newtonsoft.Json.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\boot\lzma C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\amd64\winusbcoinstaller2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\dpscat.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x64\usbaapl64.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\amd64\libusb0_x86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\APSDaemon_main.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\pcre.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\readline.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x86\usbaapl.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libcrypto-1_1-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libusb0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ssl-46.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\ucrtbased.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\icudt62.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ideviceactivation.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ideviceinfo.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicepair.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\usbmuxd.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\amd64\libusbK.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\amd64\WdfCoInstaller01011.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\x86\libusb0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x64\USBAAPL64.CAT C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ApplePushService.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\AppleVersions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicename.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libxml2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\plist_test.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\jose-jwt.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\bz2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\getopt.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicedebug.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\pthreadVC2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Shaman.CurlSharp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libcache.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libicuin.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevice_id.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libicuuc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\boot\boot.tar.lzma C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\AppleMobileDeviceService_main.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\irecovery.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libdispatch.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\x86\WdfCoInstaller01011.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\Foundation.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicebackup.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ideviceenterrecovery.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libexslt.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x64\usbaapl64.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libusb-1.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicecrashreport.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicediagnostics.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\MobileDevice.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\AgileDotNet.VMRuntime.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\x86\libusb0_x86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libcrypto-1_1-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\amd64\libusb0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\x86\winusbcoinstaller2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicerestore.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicescreenshot.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\zlib1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\x86\libusb0.sys C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{E489471F-69DE-4243-9B3A-838F081C29D8}\Checkm8.infoSoftware.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e579710.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9A2E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9A7E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{E489471F-69DE-4243-9B3A-838F081C29D8} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9EF8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9A4E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9E1C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{E489471F-69DE-4243-9B3A-838F081C29D8}\Checkm8.infoSoftware.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9FA5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA13C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI97BC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9ABD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9ACE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D5F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9EA9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA97B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e579712.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAA76.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e579710.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F174984EED963424B9A338F880C1928D\A918597FE054CCCB65ABDBA0AD8F63C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\ProductIcon = "C:\\Windows\\Installer\\{E489471F-69DE-4243-9B3A-838F081C29D8}\\Checkm8.infoSoftware.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F174984EED963424B9A338F880C1928D\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\Version = "67567617" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Checkm8.info\\Checkm8.info Software 4.7.1\\install\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Checkm8.info\\Checkm8.info Software 4.7.1\\install\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\PackageCode = "772D0FED4005D9F4DAC8675692E4DCB6" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4FBD7DFEF531EE246A95B5DD8F9D05D9 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\SourceList\Media\1 = "Disk1;Disk1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F174984EED963424B9A338F880C1928D C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\AuthorizedLUAApp = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4FBD7DFEF531EE246A95B5DD8F9D05D9\F174984EED963424B9A338F880C1928D C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\ProductName = "Checkm8.info Software" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F174984EED963424B9A338F880C1928D\C4FE6FD5B7C4D07B3A313E754A9A6A8 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F174984EED963424B9A338F880C1928D\SourceList\PackageName = "Checkm8.info Software.msi" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1176 wrote to memory of 392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1176 wrote to memory of 392 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1480 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe
PID 1480 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe
PID 1480 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe
PID 1176 wrote to memory of 4660 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1176 wrote to memory of 4660 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1176 wrote to memory of 216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1176 wrote to memory of 216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1176 wrote to memory of 216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1176 wrote to memory of 1036 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9EF8.tmp
PID 1176 wrote to memory of 1036 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9EF8.tmp
PID 1176 wrote to memory of 1036 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI9EF8.tmp
PID 1036 wrote to memory of 2336 N/A C:\Windows\Installer\MSI9EF8.tmp C:\Windows\SysWOW64\certutil.exe
PID 1036 wrote to memory of 2336 N/A C:\Windows\Installer\MSI9EF8.tmp C:\Windows\SysWOW64\certutil.exe
PID 1036 wrote to memory of 2336 N/A C:\Windows\Installer\MSI9EF8.tmp C:\Windows\SysWOW64\certutil.exe
PID 1176 wrote to memory of 1316 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1176 wrote to memory of 1316 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1176 wrote to memory of 1316 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe

"C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding BD49349032AB90093502E8CA3CDA94E9 C

C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe

"C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe" /i "C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 4.7.1\install\Checkm8.info Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Checkm8.info\Checkm8.info Software" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Checkm8.info Software" SECONDSEQUENCE="1" CLIENTPROCESSID="1480" AI_MORE_CMD_LINE=1

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DFCA3F5A85B994EAB48DFD1B0147455D

C:\Windows\Installer\MSI9EF8.tmp

"C:\Windows\Installer\MSI9EF8.tmp" /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\certutil.exe" -addstore "Root" C:\Users\Admin\AppData\Local\Temp\simple.cer

C:\Windows\SysWOW64\certutil.exe

"C:\Windows\SysWOW64\certutil.exe" -addstore "Root" C:\Users\Admin\AppData\Local\Temp\simple.cer

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6630498F59D52E88991F2D47BA4A8D98 E Global\MSI0000

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 4.7.1\install\Checkm8.info Software.msi


C:\Users\Admin\AppData\Local\Temp\MSI4BBF.tmp


C:\Users\Admin\AppData\Local\Temp\MSI4C4D.tmp


C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1480\banner


C:\Users\Admin\AppData\Local\Temp\MSI4E66.tmp


C:\Users\Admin\AppData\Local\Temp\MSI4ED6.tmp


C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1480\dialog


C:\Users\Admin\AppData\Local\Temp\shi687E.tmp


C:\Users\Admin\AppData\Local\Temp\shi9A9A.tmp


C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 4.7.1\install\Checkm8.info Software1.cab


C:\Windows\Installer\MSI9EA9.tmp


C:\Windows\Installer\MSI9EF8.tmp


C:\Users\Admin\AppData\Local\Temp\simple.cer


C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe


C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Checkm8.info Software\Checkm8.info Software.lnk


C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe


C:\Users\Public\Desktop\Checkm8.info Software.lnk


C:\Config.Msi\e579711.rbs


\??\Volume{78362842-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{eb4e9959-f44b-4621-a74f-f00bae37fc94}_OnDiskSnapshotProp


\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
