redline | hxxps://download[.]tt2dd[.]com/

Resubmissions

22-05-2024 04:29

240522-e39m3aca78 10

11-05-2024 11:09

11-05-2024 10:59

09-05-2024 13:02

04-05-2024 06:42

02-05-2024 14:21

Analysis

max time kernel
446s
max time network
447s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tt2dd.com/

Score

10^/10

redline gu05 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

GU05

45.89.53.206:4663

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/180-6237-0x0000000000D70000-0x0000000000DC2000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

Awards.pif

description pid process target process

PID 5992 created 3632 5992 Awards.pif Explorer.EXE
PID 5992 created 3632 5992 Awards.pif Explorer.EXE
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation Setup.exe

description	pid	process	target process
PID 5992 created 3632	5992	Awards.pif	Explorer.EXE
PID 5992 created 3632	5992	Awards.pif	Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Setup.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoSmart.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoSmart.url	cmd.exe

Executes dropped EXE 14 IoCs

Processes:

python_x86_Lib.exeITSMService.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeRmmService.exeRmmService.exeITSMAgent.exeITSMAgent.exeSetup.exeAwards.pifRegAsm.exeupdater.exezlib.exe

pid	process
392	python_x86_Lib.exe
4388	ITSMService.exe
4700	ITSMAgent.exe
624	ITSMAgent.exe
2288	ITSMAgent.exe
4044	RmmService.exe
4636	RmmService.exe
5468	ITSMAgent.exe
5560	ITSMAgent.exe
5540	Setup.exe
5992	Awards.pif
180	RegAsm.exe
5292	updater.exe
5556	zlib.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeITSMService.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeRmmService.exe

pid	process
5020	MsiExec.exe
5020	MsiExec.exe
5020	MsiExec.exe
5020	MsiExec.exe
1708	MsiExec.exe
1708	MsiExec.exe
1708	MsiExec.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
624	ITSMAgent.exe
4700	ITSMAgent.exe
624	ITSMAgent.exe
624	ITSMAgent.exe
4700	ITSMAgent.exe
624	ITSMAgent.exe
624	ITSMAgent.exe
624	ITSMAgent.exe
624	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
2288	ITSMAgent.exe
2288	ITSMAgent.exe
2288	ITSMAgent.exe
2288	ITSMAgent.exe
2288	ITSMAgent.exe
2288	ITSMAgent.exe
2288	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
2288	ITSMAgent.exe
2288	ITSMAgent.exe
1708	MsiExec.exe
4044	RmmService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Endpoint Manager = "C:\\Program Files (x86)\\ITarian\\Endpoint Manager\\ITSMAgent.exe"	msiexec.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

121 4668 msiexec.exe
123 4668 msiexec.exe

flow	pid	process
121	4668	msiexec.exe
123	4668	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

Processes:

ITSMService.exe

description	ioc	process
Delete value	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	ITSMService.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	ITSMService.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\	ITSMService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 8 IoCs

Processes:

ITSMService.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E455012CBF4BA8A2AC67618C00590908	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E455012CBF4BA8A2AC67618C00590908	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ITSMService.exe

Drops file in Program Files directory 64 IoCs

Processes:

python_x86_Lib.exemsiexec.exeRmmService.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\encodings\utf_8.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\idlelib\TODO.txt	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\msgs\he.msg	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Goose_Bay	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\bitmaps\srcfile.xbm	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\email\parser.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\encodings\iso8859_4.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\cp1250.enc	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Urumqi	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Etc\GMT-1	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Etc\GMT-3	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Podgorica	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\distlib\markers.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\__init__.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\subprocess.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\tis-620.enc	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\FloatEnt.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\label.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\labelframe.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\posixpath.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\chardet\sjisprober.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Rainy_River	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\sayings.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\msgs\da.msg	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\spinbox.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\lib-tk\tkCommonDialog.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\html5lib\filters\_base.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\genericpath.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\iso8859-14.enc	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Karachi	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Wallis	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\pref\Old12Pt.fs	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\CatUninstaller.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\compiler\consts.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\Casablanca	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Boa_Vista	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\DLLs\tclpip85.dll	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\abc.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\cachecontrol\caches\__init__.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\chardet\eucjpprober.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\pendulum.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk85.lib	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\email\_parseaddr.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\lib2to3\pgen2\token.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\lib-tk\turtle.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\lib2to3\refactor.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\stringprep.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\dialog2.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\ttkscale.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\virtualprinter\RCVirtualPrintDriver-manifest.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\dummy_threading.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\rmmConfig.db	RmmService.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\cp1258.enc	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\Init.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\euc-cn.enc	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Guayaquil	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\SText.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\uu.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\xml\dom\__init__.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\copy_reg.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\setuptools\command\test.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\lib2to3\fixes\fix_ws_comma.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\fs.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\button.tcl	python_x86_Lib.exe

Drops file in Windows directory 19 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI352A.tmp	msiexec.exe
File created	C:\Windows\Installer\{CA6B5E30-616B-4A5E-BC20-52629865CC0A}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\wix{CA6B5E30-616B-4A5E-BC20-52629865CC0A}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\e5b2e71.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5b2e6f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI31CB.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CA6B5E30-616B-4A5E-BC20-52629865CC0A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI34CA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{CA6B5E30-616B-4A5E-BC20-52629865CC0A}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3053.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DE6.tmp	msiexec.exe
File created	C:\Windows\Installer\e5b2e6f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A9A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4605.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI34FA.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003d697fb93d0c6eb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003d697fb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003d697fb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3d697fb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003d697fb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

5740 tasklist.exe
5968 tasklist.exe

pid	process
5740	tasklist.exe
5968	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 61 IoCs

Processes:

ITSMService.exechrome.exepython_x86_Lib.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ITSMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	ITSMService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ITSMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	ITSMService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000000d4136d94a3da01	ITSMService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000273a166d94a3da01	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E	ITSMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ITSMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53	ITSMService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ITSMService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53\Blob = 03000000010000001400000040cef3046c916ed7ae557f60e76842828b51de5314000000010000001400000017d9d6252767f931c24943d93036448c6ca94feb040000000100000010000000886ea78b530e0fd5bda4e12527ab6a2c0f00000001000000300000005d2164164eb6f3820b9b8d7a5601b60ebf70d832d2029c6c3c966db107dfcb1ba12a25700f26ca3d5b36e4a6cb576cfa19000000010000001000000092a08f142bb795a2197a0d3c7af066f55c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001d0600003082061930820401a0030201020210137d539caa7c31a9a433701968847a8d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a308195310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313d303b060355040313345365637469676f20525341204f7267616e697a6174696f6e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a02820101009c930246454a524892fc578df92dea53beb32cd5d8a8a5ec5b6903c01d10f65933defe0748a8e88c7a674af1f58dc33766d03291f7c49d0460c4b54ae2838ba7ae26d45d3a5ef8d11671bb8abd71a27dc8cea26024b052a03a4551de78936c6260f1e4569cb73bf73c55d8dfd57a317c357f125170e12cbe04accbfa4fe17c656ac040a7d97ca5638419e1f7caefaab4e8585ad999e326df8e12b2b8dc33b236da141d965842406e0b22851c5122aec4c806456d92e667b71923e4d8366b85d07fc752e3cfb07501e089b4a8bf8a364ea3e06ceb8441cea52f482213975062451e09a5cc9f6c57704006db20e81bd6f3938ba7329eb7441509d7affd7c011cdb0203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e0416041417d9d6252767f931c24943d93036448c6ca94feb300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c050003820201004e134096c9c3e66e5bc0e3baf417e1ae091fc9bfcb0c2516f27353b3761ab7ab4806d6cd007c204543456c165a1b1361d749baa402a4ace8cece2dc92a74a3dcdeaeabd06836f891af3c01f777d50bcf97abeb87e715a8fa305a617120b1c043c4b98f6d8a31eb153624fb62d50b9c8fe966bde661519793b61d87bdb0b56cfea6112906613431303d20277351d0de8583d37739204696daa7c65a162785b2cf4e0f4e8c5cbebe3800f84bf9727bd4f27ad7a22985d004bad3422c5188522ed13d246747ec55cc1bf4ca34ea26c1deddc42189f6ba7b321e8e965e844538cf80aa37698b6017741548919c6df04ea377ca1b1c48faf9cf49e85f4f850ae28f901bab704c9aebb7a63fb4ac5da45fcfe6d88a9690f74f268160765d0f247791b32a319f165ab25d8c1c29aa489c8e6fd3784070db77ecdde3d15705702de64998880584620570567686394ed3226f1dfe6df10eb362c43ccbc085b9611ebae1158059940cae05bb8c7f56be1cd25abf97f26a4cb0c67076b0908dc10b36b911d8d6285cea4ffe24b7180a9b0cd0c17c5cfb69bdcca24dc690bca64df2b1bad69a675b960252d082f9c40a5c0d28e03fc8fa959589d5a4be496c40b23ea86bb8d525b2c4fef1d3d7e7d6dc43017630fb3b8b5df74a897c9a35befccaf05701f08d3fa087327b475a974b82d266c2c42dea3f24f4a7f9a8b9e36ad91861a03b8c15	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ITSMService.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133598994019824519"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	python_x86_Lib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ITSMService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ITSMService.exe

Modifies registry class 29 IoCs

Processes:

msiexec.exeITSMService.exechrome.exefirefox.exeOpenWith.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\ProductName = "Endpoint Manager Communication Client"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\Version = "134527975"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDM\proxy = "false"	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\PackageName = "em_IKWliDMn_installer_Win7-Win11_x86_x64.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\ProductName = "Intuits Intuits Quickbooks"	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\PackageCode = "DFFE6588FCABA52429605389FCB2DC8B"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061\03E5B6ACB616E5A4CB0225268956CCA0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\Manual_installer_Win7-Win11_x86_x64-05112024\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CDM	ITSMService.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\03E5B6ACB616E5A4CB0225268956CCA0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\ProductIcon = "C:\\Windows\\Installer\\{CA6B5E30-616B-4A5E-BC20-52629865CC0A}\\icon.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\Manual_installer_Win7-Win11_x86_x64-05112024\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\03E5B6ACB616E5A4CB0225268956CCA0\DefaultFeature	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ITSMService.exeRegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	ITSMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ITSMService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

6036 PING.EXE
Suspicious behavior: AddClipboardFormatListener 5 IoCs

Processes:

ITSMAgent.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeITSMAgent.exe

pid process

4700 ITSMAgent.exe
624 ITSMAgent.exe
2288 ITSMAgent.exe
5468 ITSMAgent.exe
5560 ITSMAgent.exe

pid	process
6036	PING.EXE

pid	process
4700	ITSMAgent.exe
624	ITSMAgent.exe
2288	ITSMAgent.exe
5468	ITSMAgent.exe
5560	ITSMAgent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exemsiexec.exeITSMService.exeAwards.pifRegAsm.exe

pid	process
3640	chrome.exe
3640	chrome.exe
3384	chrome.exe
3384	chrome.exe
800	msiexec.exe
800	msiexec.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe
180	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ITSMAgent.exe

pid process

4700 ITSMAgent.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

3640 chrome.exe
3640 chrome.exe
3640 chrome.exe
3640 chrome.exe
3640 chrome.exe
3640 chrome.exe
3640 chrome.exe
3640 chrome.exe
3640 chrome.exe

pid	process
4700	ITSMAgent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe
Token: SeShutdownPrivilege	3640	chrome.exe
Token: SeCreatePagefilePrivilege	3640	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeITSMAgent.exeITSMAgent.exeAwards.pif

pid	process
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
4700	ITSMAgent.exe
5560	ITSMAgent.exe
5560	ITSMAgent.exe
5560	ITSMAgent.exe
5560	ITSMAgent.exe
5560	ITSMAgent.exe
5560	ITSMAgent.exe
5560	ITSMAgent.exe
5560	ITSMAgent.exe
5992	Awards.pif
5992	Awards.pif
5992	Awards.pif
5560	ITSMAgent.exe
5560	ITSMAgent.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

OpenWith.exeITSMService.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeITSMAgent.exefirefox.exe

pid	process
4476	OpenWith.exe
4476	OpenWith.exe
4476	OpenWith.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4700	ITSMAgent.exe
624	ITSMAgent.exe
2288	ITSMAgent.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
4388	ITSMService.exe
5468	ITSMAgent.exe
5560	ITSMAgent.exe
6004	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3640 wrote to memory of 1788	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 1788	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 2636	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 3152	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 3152	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe
PID 3640 wrote to memory of 4008	3640	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tt2dd.com/
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffc8b88ab58,0x7ffc8b88ab68,0x7ffc8b88ab78
3⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:2
3⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:8
3⤵
PID:3152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:8
3⤵
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:1
3⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:1
3⤵
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:1
3⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:8
3⤵
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:8
3⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2992 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:1
3⤵
PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5268 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:1
3⤵
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5344 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:1
3⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2428 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:1
3⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5552 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:1
3⤵
PID:3324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5596 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:8
3⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5404 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:8
3⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1528 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:1
3⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:8
3⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6040 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:8
3⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1904,i,14114851280964890888,12916308907952444441,131072 /prefetch:8
3⤵
PID:3240

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05112024\" -spe -an -ai#7zMap1398:150:7zEvent12644
2⤵
PID:4536

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05112024\em_IKWliDMn_installer_Win7-Win11_x86_x64.msi"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
PID:4668

C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05112024\Setup.exe
"C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05112024\Setup.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Ups Ups.cmd & Ups.cmd & exit
3⤵
PID:5876

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:5740

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:5868

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:5968

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:5980

C:\Windows\SysWOW64\cmd.exe
cmd /c md 1101
4⤵
PID:5600

C:\Windows\SysWOW64\findstr.exe
findstr /V "puttingmixloadingstated" Cheats
4⤵
PID:5924

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Equivalent + Issn + Upgrading + Foot 1101\j
4⤵
PID:5928

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1101\Awards.pif
1101\Awards.pif 1101\j
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:5992

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:6036

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoSmart.url" & echo URL="C:\Users\Admin\AppData\Local\GreenLife Technologies Inc\EcoSmart.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoSmart.url" & exit
2⤵
- Drops startup file
PID:5808

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05112024\updater.ini
2⤵
PID:5124

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:180

C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05112024\updater.exe
"C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05112024\updater.exe"
2⤵
- Executes dropped EXE
PID:5292

C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05112024\zlib.exe
"C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05112024\zlib.exe"
2⤵
- Executes dropped EXE
PID:5556

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Manual_installer_Win7-Win11_x86_x64-05112024\x86\updater.ini
2⤵
PID:5732

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
PID:5976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6004.0.115244007\1989526063" -parentBuildID 20230214051806 -prefsHandle 1820 -prefMapHandle 1704 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e70428d2-043c-4fa7-9aff-3ea0285bc2a3} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 1900 2281d823758 gpu
4⤵
PID:4536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6004.1.1040696893\63950235" -parentBuildID 20230214051806 -prefsHandle 2464 -prefMapHandle 2460 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fa7f9f4-a5e0-4a5a-a419-f98e1d200961} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 2472 22809689f58 socket
4⤵
PID:5828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6004.2.1085198636\1903062200" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1192 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce084ee2-1e96-4072-84c3-43b723f09330} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 2972 22820614b58 tab
4⤵
PID:1160

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6004.3.520205958\1827102936" -childID 2 -isForBrowser -prefsHandle 4072 -prefMapHandle 4068 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1192 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ced4ba1-81f2-42f1-a336-9b87f9b34c3b} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 4076 22822d87758 tab
4⤵
PID:5348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6004.4.788218231\1801255772" -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5260 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1192 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d257bba-62e2-49f6-b41d-dfcdb7ca6be1} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 5232 22824d7be58 tab
4⤵
PID:4540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6004.5.1836925174\1228234228" -childID 4 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1192 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9136916-68ae-48a4-b8cd-fc5d14c5c428} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 5388 22824d7e558 tab
4⤵
PID:2052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6004.6.972564056\128173365" -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1192 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b354556-df1c-470d-b64b-c24d6f8107e0} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 5584 22824d7df58 tab
4⤵
PID:3152

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6004.7.273552115\953718744" -childID 6 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1192 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61636a39-b4ef-4275-9909-cedfae80f220} 6004 "\\.\pipe\gecko-crash-server-pipe.6004" 5612 2282622d758 tab
4⤵
PID:5692

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1516

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:800

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1812

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A28F48FD052B28C42F588200A369984D
2⤵
- Loads dropped DLL
PID:5020

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9951433482B73DBC6C0CE30D4006989D E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\ITarian\Endpoint Manager\" && "C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe" "
3⤵
PID:4660

C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
5⤵
PID:2228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3504

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMService.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe" noui
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:624

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2288

C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe" --start
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4044

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe" noui
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5468

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2996

C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5b2e70.rbs

Filesize
710KB

MD5
64c5e3d341e01241d8dca8c4abdaedec

SHA1
dffa2babc71faa82ae5c2feb92c6d9df13253485

SHA256
6b317a9bb18c0597e63aac5d44af575b9d487a87f53922d3858b73fde5fcc123

SHA512
4cd586a7051b2be9c946eb63f0166ac676daf8f8a4faa1a45d55cdb838368e8298f0ffbee65f52644117a1657cc4b6af9427bd3212e515ddcc8354d2c11b18d9

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\ApplicationManagement.dll

Filesize
87KB

MD5
c4988f5cb047ac689f30bae61ababe53

SHA1
f06ba7ffd589f3cd2f9f5ba697c2c70c7bca571a

SHA256
561f9863042d00d7e04463a162b4706cb57aebb5eb0f457f0a93c8ec4d02b368

SHA512
86a008bac947d3cf7522fcb68dbddac093bcb26c0b978c5e26de30460d836f170cd85b478bf605d09b938712eb2cf2d3f533ec13697dc7c248fe16a00f45746a

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe

Filesize
2.9MB

MD5
a223cbdc0a058b5158a7b46cd2c5d06c

SHA1
3376c1f6a9d28791c259623846604979ddfc70dd

SHA256
8382bea9ebf7638cd1c5170444330cf27e89eb5e96f76d7a89b47b3ae21425e3

SHA512
ea26b077355dd4000dfb698c1a6d68eea93bc96afd4b1d9e98c3ce6fc597afa7ec436b903b419f872dc2c0d082dee0f75b42b2a776321f26bb6f27883086d5f3

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMService.exe

Filesize
8.4MB

MD5
38c0aeef07c40a5ca17923cd91863019

SHA1
d9e349796dfe589e6e9f68f5a64eab989a62a923

SHA256
b0e21d8ec7942126ffff069640f2918f45ab8ecb0f42bf129efe87a9539bc61b

SHA512
756502a96a6408b48bddb625d8b80fc98c914cc7d1aa4adc5e0f153d122dfca19cc7780e9e2cd5b94aedcd1d876ddbfb76426a16c262406daad0755ebf8c2b5e

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\setuptools-18.2.dist-info\zip-safe

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Qt5Network.dll

Filesize
1015KB

MD5
9f59b04aa22b0337dd679dc0d8a74f24

SHA1
483adf99e88971391c9dafe09ecae370c1ffb711

SHA256
9069fc1fdf33f9a593c01d13dfb4f06c73831ec3c70eb29ce677dce11f43a47e

SHA512
47d30e3feec3acc50b61d708254cc6b55227037232327791226536a7bb0de7f1cb8186ca5fb0ad2789fd300a8eaa47d209e7a10fd770bbfe0542ef0b4dfa1743

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Qt5Sql.dll

Filesize
173KB

MD5
1c0211f848868243be3c20e064d4dddb

SHA1
b4c2ccbb50db60dfcb09693c5428ce52ecf2eb59

SHA256
32689f42510ba19bb52b77a0fb389a953b463a9bde09068813bf10c975f512f8

SHA512
f776f689f693f09f5e200ba821b8174589222cbbcd0d4c6a9fd39babd501a58adb5dbe97eaa5746dda2826c5bfc3ba7fe738c23dce3695828248ab62690f9ab2

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Qt5Xml.dll

Filesize
163KB

MD5
ec6df57475693752294b66ca7b78d78d

SHA1
d9df943034823ad38e95adfe06cc853d88b56850

SHA256
38cd696f5b3b5046ca1c8949c9562f5cb9bfd3f879ce903d3ef3621ff90fc9af

SHA512
1247237e04fdcd769876cd7ea146886b5e7cfd537d86f32c5c4f05c357f542279628ea1fdf1407096d86ff3536576890a345d75dfce4239b22f0f71ca75b0a38

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Qt5XmlPatterns.dll

Filesize
2.2MB

MD5
38232ee54a27898b3b6b559adb682a44

SHA1
c61f3e6410683b9dadaa4ae02d473321bb2f09ff

SHA256
339ad3b2fa0a1f5dbc2c5763e55230b145c202c691ef86dbfe5069f7e9edc9f3

SHA512
24eb2a4a463316ffe6c88f7f2bf87987673f0467a8fd608c2bdc514231e49351abdffa5eaafa69024f668f48c369eba25980688cb8dc1d6f2a222cd8c1012b46

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\log4cplusU.dll

Filesize
471KB

MD5
deb3f322eb7ca3c0b6daf4090029c9b8

SHA1
32cdfabfe95fc0a9c4b978574ef9445522cd0184

SHA256
658079c48d9b4b953c7076f3f77aeddf7f2b7433c42b35e69b1f510e3bee7c8d

SHA512
3657b9f0749afebc20bcdc79122afe875ad4b8f19e505d53c4e1a974d0bce580785a8b8de6e4383f0f8f80ddfa4ee6259c7b7feab336cea581627b5db9c8bae6

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe

Filesize
7.2MB

MD5
5c6bb7660240850918b681d7db03d537

SHA1
b0eafb948aef588bffdc04698e13a621bcfa4026

SHA256
746ca047811f552dbca21660310513b3a53181bcd8400c24743f72669b1988ac

SHA512
b1ae5b3cedf3f5b92a771134c2eb13d0f7ae945f6088d4ae52b245456f644ac73539f9d8374be96e9642c56415244c3ac4eac06882115dcec293a085d323496f

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\qdjango-db0.dll

Filesize
132KB

MD5
3c36f2c0d7523c46db6c02784a0647ba

SHA1
a961e775e24e00f4ef18a612a776d0f78d4ddb0e

SHA256
9fc3bc818d0edbbd3fc3346c3c53cb4e83a3cd3a37050ad9f2598bcd746caf2e

SHA512
478ebc5a1c4b47fa7c4c6a2784881f1a1623caa79daa593fcbabb6a29466931af725b38a0af97a13e9ecdcc278255f0185cc323cad873594a0edc085487a0dd8

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
32KB

MD5
0c1e706f10a815c011ec1a87e1297926

SHA1
b7ad2040e5752fd756131a223ef4edea46bef95e

SHA256
9be5807e1e1b9a601234156222c248cdb9cef1ba52bd70fffc2cb4ffc2000b29

SHA512
50031eb639021eb46fae96ca9d796b0601b860cf36cebb100c55ce6d9dbf6a7d3d83dfaeb2e200bd0bef4e53b691668cc9459d78484bbcf1b21e9cdd647eb4f0

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
1819654e6bfdfb99a08e9b1396ef586d

SHA1
2e99a798a1f31fdbc72ecf1a92a03c5ccc02189f

SHA256
4f9ac1aefed17dd9a068dd2ad7987b88bbfdca9c82c76d23644c2c7a1b374b10

SHA512
6c06370ac758ae7ae5ae64fa18d71784d15b54910348b78fc384a446652fb9e2ab693da4cf2fff6fa2c5693bdec1ceda03147ce44bf2489eec0ca29db8cca1b0

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
764b971501dc83d37e898ed1baa7e794

SHA1
6ac6966d53340172e425204fbaf298224735711c

SHA256
a20bc9e13f6103a925e066fdb4f55f6064c4f8851f5a29e8770d6a73e6f81efe

SHA512
daf5b7fa525557e69a0d6d13eb60aee425e4240fba12b6dd206720e51f56a0c3a104012418b2db542192900eda843cfa32bc88f3b31fd65287be6af2b977776a

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
123e041d0783102f958ac52601a79d11

SHA1
1ca6c2d3512cb0fc726234a84d8b6b5c1f46c8d8

SHA256
2cc67532c8b3e1138b65e856230d36d69153ad34f5a714aa59655d2894e5e318

SHA512
536efdc545f048889e02cefb78d764835551bf639a4d58946b02eff2e33e42c11145c382a65ac3914fb2a9c1d979c1f6251f8d7eb9135cbad7addde44350905d

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
c02f659384eac8dbd0147a3ec0fd453e

SHA1
d55af730e4e0614e30b75c8afd9793cfe8ed57b7

SHA256
4fef4b5a7f62caa23e0e3fba876ed7d7e8ef4f03da09e0cb18da759d8d866b40

SHA512
96d75ed44b71789ac2b4514283dd2721cf11720b556d8d05efaaf929637bd01f528f00c7350d1943da890de79bab4cc3d680c4cbf15917565ec89f86f76a1813

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
c72ac8db0d955883f80358b7dcd78af7

SHA1
0f04ae6634bb5cd5f18651180d97f0630783ebaa

SHA256
f3044001fb19527500152e892933e0d96ef58fd5086a4353c7a60c157de008ff

SHA512
03bfa0cd63f61149aff85caa2bc91d9ce9d0c24ed282b17a43c0f916263265be84668aff0e60fd328e038ec440c8958faf47a1832d746b52f0201ff3031fe7f5

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
575ddc034bee8c747a13edc9ee0eea3f

SHA1
6a51068bd84ab111b7cc725be2c562fd15ab0bb9

SHA256
85e16d80abe6c6ee38167318701faa571d30423e8854721003b3e0202942782b

SHA512
6a5949071f02f6d649007533c17d38849ed9937260f27a87d079d5225765257ee6917fbfa8c0b684c2da4027ea959e278b6f3e7be5e741b98383b64bc7aa8b11

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
07cbbd5042310ac2a73d3d4fca8548ba

SHA1
acfd153e831d4cc25a927e9db2b87630af27f700

SHA256
75e47dd749c9c586418ff92660d87303c795fe72f15e6839de59a82b6ceed0dd

SHA512
4ea90ff058d790cc5d94ea5e8d0ab650e14c4cd091aca03627a7f668507cbbdb25ca0bdd22d05ce5b5bf8350d27ab6abe4b3207b7f1fe6daa73591cd82eaab6a

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
9883b7679da7e64c2ae58be03183f541

SHA1
6fcd7b562a1d225d3037cd99431d6c9e5308f1c0

SHA256
8fde1c927b66e217f71ec1e092c8f19f6270ce198fae4852a869a0c01815b6cd

SHA512
75602e5996b3bb36314d306be5a78d71e074a581ffdb5ba5ec181e959b0776a2b6f3e2b7df3eab4b02576a3b511ee6ce0bc9e52134a5d26bf99d37e131ede428

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
c400a4f3a3789bc8121ca8b63e29559b

SHA1
7866a20f45d4564fc871f94465a09a11626d3b38

SHA256
b961e9e4782f3a983fc5d17fbbd58d5377cdc3d541a782971eb4863cdda944e5

SHA512
04eeb2580f54ba2420325a2dd06c44c8737d08637445f87fcd90abccb5156ec3e2ddd9f2e47776618935200bea28e01e09aeb915e38ad39668a695b56c076127

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
e49f7207c7d643311c66e96c86f6b731

SHA1
6da2673dfd7f10c3e693c7d2ecb11a71af875b4d

SHA256
5494bfe32fffe7387b135e548c2016994a04571adbb5dee6247c718d254fa454

SHA512
44ecaa41d720f572af822f7c2ba37d2624b7f793c7368bd4d3b13801d1376b11512133621a36bf5592600500cd62e6d859d9b38780f28dc01aadddfd223135a5

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
3bd05828cec864e1d59236a3b410b570

SHA1
f8c02c25045286d37c7a8652a99301f8efd48139

SHA256
90b7690743c7c3a50bd4d8ff46502e71258bc6eb3ad658e6edef85cae8fd2a99

SHA512
0216a1fb774633125b7245ffbd2b0f63bdf89d734ea80b90c7d3296783e14236f8bad973f225d4bae00617895ac608abae8c92598f2f3803f17f10d8e2a38b46

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
c164e1c27a73853eabe429900b6d2077

SHA1
330b29c490a2cd50fcd7deb2278104c25a207017

SHA256
c4f934719d3b0bcbfc4be1c073f5e9cb5b3ef6eed2daf8710cf15559ff0cce14

SHA512
1517d20ce5c55e90595378bbf0a7366da5ab0788227e8051b2438a57fea12abb4edfeea5b634e317008ccaebacda0df69c0ca9ad49565e48f0d6bd7d72139101

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
d40b2f934cabeaec15b0f781f6a0ddc9

SHA1
8df0f168a99f01ca6f59cdeda56292c3845ce327

SHA256
f2916ed164ef0ac4ff469633cbdbdda7022fd6c5e98d883d902b2808cc63f2c5

SHA512
770b1a106f90a756f2a182c32ed0ddef1bad60da8373bb99bdc1bc581950779db7525e55a7bbe2d227903d4f844e0e87a2def6b0dfbe0e58101e8cd85d875424

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
26e30b7d2eabd5cfc0bc2c89cc5d7918

SHA1
983b2f5a4c55b6276ac1c78717cfcefaddc43e92

SHA256
f1e9287c4b1204968a985e3a6d47bbeeb88d61601599ea680bf8000eca9fef2f

SHA512
494c5c1da17241a8fc129f4e2f8ea879e62797e7383ac1cb01ba9e74799316e520e6fef4767e9d8c378925211e4e823bed01ede00fb907b73ec2d5bf92d9f18e

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
150d475263f5c8a146ba5edf62e6c2d3

SHA1
da18d1d08ec7ce1e2e023fb82024e27eaaf4f7c8

SHA256
7ba3b75001b9f3ecba36cd6d6eb18fb83fa7c8bb61539d0a9a6c407c2da645bb

SHA512
a141e849967584f41ca49cd1c786a1b9be601e8cb19f2fef51dab1cc3261d4bc98b219640e1b502b3b0e42c13eb0a64d71035313a402bd84455a3453ecb4809a

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
390ccf976a44affe25895daf873b0726

SHA1
3be471eebb078f5ddd88ae8c97fcf6851ac66a91

SHA256
0a5d40f6363b25c02611a1cc918c90d02adbee34a0ef1da2834236e6204b5bd9

SHA512
04665bc25d5e390b5a1089ba3464e5e841fefa2ed87ec89e8e5ae8470f764d54f4aefec179e613d68669a77201fa21b02099d0d35e10c215cc632dd1e9b52e85

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
23eefc1934df3d12d8bd4952428961b5

SHA1
103a85bbddf1f207547c0cfed405baee0e30f8cd

SHA256
9b4c65b44ed4626cc50d03461ba5ff5019a16ace640e2e79d33091fa3da16389

SHA512
673547bfcc6b23a27c74a491dd822ef960106290a1b88a96765fbf1238c83731656ef7bc56ca14ad9fabd98b13c2e418e4522ec3fbc83544353beb3c313997c8

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
e20d10ce702c22ac91037fa6513d6710

SHA1
9a2267df0cdfeaf78f7f424a808db706673c14e0

SHA256
f1f52f2d144f5df7f0eaa24fc509828938c4534dc65469f88211edad85b57081

SHA512
3df30e0a1adf91119b74f045a440f8e2fa3acf4f89cd7e7d8a7b1e2909f639a78478a8ecc02f610642bc682794c734f8da7890ccbbc96390434db5d95e8588cd

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
27bf80d784e4b1bfe3f654f4c77eb431

SHA1
2792f0795e9ccbc3e20f3d2c12cc089adbd967d9

SHA256
464d07c0b45faff7ae65d87677b1db86dc2dfbfacc67c1b96cb0b357cd439c39

SHA512
4cf51bdfcb95932ad532e07b3f772cc494f1fb1e16375158e6b2641149c894a068ad837167565a37a8ff0073ed5265d73f7992626de1c229537eb89727ebee84

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
f64f0ae5a6aeb64f6015db4a474f8f90

SHA1
63093587112633bef9b3087d1bc8c80b81eaf4ed

SHA256
ee4d97c17c22054a124530a85a68ecc71880202773c15ffbd7579a6abc6e2c4d

SHA512
6f0d3b0577a45fa551f28ab6a49167fab715446ad732e67956f55a51c6723ce32b236f07d8d9749ac8161135a9edde573199f0284386509449605828e74d71d2

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
772859bfadff911f78509a4ddd86a536

SHA1
4fa8f9b4b78692c29861efa4cf0b73fb48e99b80

SHA256
2b13cb65b75efffb12f1ffa9acbbaea5647d29cc914009261f8ee13003f5ac58

SHA512
e60c115e2af436762166cb2fdafd53b4fffaa297ba2f009b0c21df510dcd4a2cadf8c9a9affa28f7fbd4518cc7c69d8f985f926a695980efe5d39934cb658fb4

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
bddc9ff6b4ad92cb362d34f9567f9690

SHA1
57203bc1718cc052bd9230e61c49dfd1d31a6a10

SHA256
537a8804dcd584972c50b58012f086f33dad5098167edd7c710c436e3886f14e

SHA512
a8b966deb9c0437fb232e3946f92ebea7bd930095ddaf9d9e24110747f6e821d354ecb4e2d84647375968201f95527b19dd857dcb4a3b46acd501a12d0381e15

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
87c1ba086b609d0164ac8c820eeaa9fe

SHA1
4f1e01afb87b9649a87f98aa56e327971e22c54b

SHA256
b293144da0df471c5e3581c5ecdc5e7e4a26c410643ab9da745ccd8ed3687905

SHA512
384f14e955585b6175d80b4f86d10f6d77acbc781eff5e0f98eaf8d0b7a5efb50546a5e986ed3648523beaafd1da5d8ab131987e97c78aa218ec5be171125789

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
28ea63061368d30125d480a39eee3285

SHA1
ba3eb0f8b1f9e17208cb551c74b24c0eb31c6f6a

SHA256
4787c5a0d20cbed28675f0c6b031675d01e0bcc27972cc4e5603c959929f2d8d

SHA512
2a9823959b4d2f69fba1c16924ee2da32848b7e9bea7d2bc6b30d37cae7ac655ba965a26e9268fce27c729861894a4b0a4461bfd98917bb94592551388d717b2

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
d3ae5025ee4f0a0210676938ddeb2045

SHA1
0b157789f8d8fe11045c4fb88c9bf5611905295a

SHA256
fba0dfa193a7d4b919815151c521794cd646d99a29541b277243e1f502e98ba1

SHA512
ee41d27dea4538dc195c3a123796d2448c2e132d4815f9054182f074f74efc55a6555447f2bce960ad79ac7d634ae0a6e6c647f40fd9057a30440897e54900f7

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
65250dc78602427b1b27a5be6e968221

SHA1
7f31c5776e5f8a2fc227b674d02390aee4781a1e

SHA256
02ad9db0ad93f5eb3e7143a469e41866cfa6ff33fdf3a200142b910d9cea58c1

SHA512
403181244f97e7dba851412f595bee09715cf0fb3a2ff8f001449e38f48250b375aa8a50d08cc49a9a7ae255bd11d82720258cd17ad9f1cff680dc171d45a2a1

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
50c29ea3f07579f51e6c25efc8001ba1

SHA1
3db4bbded7be469ab68b1abd5e2dabab539da215

SHA256
32c5aebee1098115844f2bcfc75c8c45dd2c7470a94ca154789e33ca292901c0

SHA512
4a373b2f74af761f90814a4042ae68bf45b0c16652852e5c21ceaaa310a002510661594f208a7309fb3b43d54c84d30790ae5120f5ad0e1c35064f515b3279cc

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
948eeca40f7ed83dc1a7e77089d8ba00

SHA1
16215692a5579dbec7d03d8d83624bdea69179f8

SHA256
e8ca0e2364901ca0a998e80cc7964ab51b7988851b78939ce81eb2745407e606

SHA512
fb72e13a017137dbdab1b416f2ed25ff012d31c4e2823a8fc1a71a1bfef41315afaf7a6cbac0a3989c64bb38f012b7dedf92ea4ede0c69c087d83e6cb63f2b69

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
5d10addf49b6d3da43ab4ae04fc751dc

SHA1
7b5fb863b83ac6bbf305ad09233710de2d91d203

SHA256
4bcfde2ef96ac07524737e24621d4833fab42c48f4811dab8a3568e32aacf174

SHA512
b7ed3ab257e984e265b3b8ca49f924a6e955aa9cc854900dfd8dd6983c7c79bf149d2e3170941d7a3bafaba23d1d01e5f01c6c4c3e317cc84148dee67b253779

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
10aaa29323a1e459cb282bc8a898028a

SHA1
dbb5e285ed24dc5624daf84f3f754c708f2dc077

SHA256
d03866194d125bcb1245c3975d7f23ca2746223a196b26bfe54fdfade2845270

SHA512
c388966917f49baec0bcf4a0faf0a5a9f6fab5e3e5d440c8070f46aa3a2a252668f664d61bce825cf2c817bf35ffa1c0ce8cca50f53e8d0b7e297e3c616f9046

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
c215877c7e255c735a0f2410918f6ca3

SHA1
b4ab0015ed4533ea937c2c9ac3687c573465780d

SHA256
073e8b0c60475d7e43eb852925418aa36964b602a3fcc31933c5f9c4aa38d9ee

SHA512
67c7ed0b054a6733dafce385f4e1f2e0f28b6d028f241fbf8baa0b92dc27fd18194030ee1cad5bf23cfd21d242a28fd39d5fcb9607f9063994f049d4ed99251d

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
7176cd49658cd8516271dd4ae498a1bb

SHA1
84b2f507be3003040c529250db70acbdab7ef5f2

SHA256
cf2d6315ceb472573e1b762c3b1b69c0343e17984a1ea296d0cd409c20cf376c

SHA512
161b34ae54c9255f1d0f0ff141b52a6c4bac3dde996d2c6f806b80cfb30021243af8b16949d1b468fad4b575bb11151be05e4dfaf6197cfc629940395e9f7336

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
b67ead8c6b3e5d048f1088f6798f95c5

SHA1
314465ec9ae6d95b6ab3848eeb956b0a8523e44c

SHA256
2a020844c90f85aaaf8146185d276cc7f382c0e2e73e8f873888255e1d3ccb69

SHA512
c96ce8d896e7bde1374bcbc085c9d7040e0e10d361408826bab14a4240d6a8dc8731041ef2c8ac60ed7dba5c5e2816d27d4b3147561b214764e1cd2aaea9e034

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmproxy.dll

Filesize
153KB

MD5
8f4367738be84d092d667a7851c541d4

SHA1
174b6b7e45aecda80fbbf80207a159040d8ad638

SHA256
6c6a4d511f5e71dd87f1d51dc3ae94c04d64be50f10b62ae4dba6d00668061e1

SHA512
8ca340fad533abb4d9d21e201e876afc2fae96fc27a34d7b658ac53be18ecd48c91b6c194e9e06228b770a4f87c6a709438017bf93558d0a62d0a0d9c80eee03

Download Submit
C:\ProgramData\ITarian\Endpoint Manager\oem.rcc

Filesize
57KB

MD5
534640f3438b7fccaeb7e4759b47d4e8

SHA1
8b5f23bbdc250bf3ab52ee2694bd7433a4cbc39c

SHA256
ab175d307ed77321fd440de58c96af85f9134c1868905aec5bd7977336ed1d65

SHA512
a185ebbd630d633a803c7999c6e39db6af5da1d5474cb303362ce12f756d01910b593958b4fa4f8ed4653c1586a1c65e3f5c4c876d3910242c4f1bb30938ee52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
765B

MD5
fc54491426ec080d9fb51ee8be67b28f

SHA1
96c553e74d768d09461fa4c59cf7c9190fa616be

SHA256
b296e5f5133d1080b46205e21e9fa944f314ba7e84e6cfd2e233ff80755b2ff3

SHA512
8c6aa7cedea9489797d686b399c7324444e838439c7e9030d71939c44854c9f38ae2239280ad57e50502a34a8ef32fcfbafd4f65e25aeafd96d2307bb534533b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_8627E3B7B7F53AEB154CA2955D073D2F

Filesize
638B

MD5
0884c76fd599c5d30838334f17d487f5

SHA1
5b27a8ec65f9741a6e38dbd8f90a9adf7aa76741

SHA256
fc2ce6b313ba44fd26e64ac199f649e3b74a980e4de11439d17f05493c98c854

SHA512
5c2672dee9d5d10a0e72be8e6a312546cd85b21fc66eb3321dc8c39a27809b2a2531baf63b0a66d2fc967f4b3981b50c970f5ac598df4b32c03abc7543a809f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
543f380bb5a4307e72b011e9a015564b

SHA1
26a06119b1257d5429f8a8e03faaca711059383c

SHA256
45d445a40f93cdf26a15a1376e2656cae9d2dcce8a0b21fcd57cfcd6d6272760

SHA512
89d765811aad21ca748b249dd088b0a57a0a50cd59677f721971f7c084dc44fa2c66bc1f56a0f53dac6c13ba78fefb35060bb8988f1a2a400a5fa0de270e5d0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
484B

MD5
317d58ed214b18d58904ac9c2c8d45c5

SHA1
bc191742a83c41aa235aa21ccbe9ab35fb5c951b

SHA256
dba33fbf1ab3b346bdc40218c381972914659fc8903b94bb84380c5fdf8f5363

SHA512
6770b0b7dbf5fad5ddfb07034763a6299937a4bbf88f3d65f08acc36c54424422a7c2e0f22aa637fcef5f23c40f43208e30de1175fbb28202e977043c2ee41c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_8627E3B7B7F53AEB154CA2955D073D2F

Filesize
484B

MD5
1288260ca416e4d1319971109d5d1b86

SHA1
3bce9f479f21ff7ce0770419d8ed57d1df1a5304

SHA256
f4de6406881e1281abaf86e43f6436875b7b32608f9434493ae45c74b808ab6c

SHA512
be06a38c70389d6cb5258caa66f7063ee81a6618fee6d42dca3f624a6a56d6dc7f89a881d3eb6dca913416540a70d032785326bb4e88e79a00a42b878aeb5ba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
00e400a6c358264622f98082876b0d38

SHA1
3a78523fff032302ab609a7d2075939f4eaceb53

SHA256
9a2199589d19d791af2ebebfe48eb7fa0abde26f9306f6ff53149bd3ea5c308d

SHA512
5c4b861964e11c0cb4aea7fba33671d697fca4ffb6281802a1392daceb96572b667da411baf31583978f19fff897804fb02d4fb8847ff4a5054e316e4731cb89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\96cf7e99-0883-44e6-80b4-38c874014468.tmp

Filesize
10KB

MD5
dcac3540487606bdfbb7dadc24e0d50a

SHA1
6fe16a5ffb1980e11e33e6e1b0ebb1541aa7235d

SHA256
40728f32e2ba9d4d03c217b186942f0d4642171e209531a548567f61ef0a66ad

SHA512
6d71f97fff109f78fd6408fad70175fcb3399517d0184878bd491e93f6469ffa6a55f3c8e041c89f7c566667e9baea728501c74462acfd0d3275276d98b6d976

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2b6b89d05cf5333e4f5ed07ea4166609

SHA1
f066e4d4954a8d57505822c7e1f501ff4e58f849

SHA256
e7197fabe545753648eef52d39142cd09fb61c8624b7be5a07cbf7383a7f10c0

SHA512
e4b10a776eb19c2585fdcb3fce878a619c9ef9bbcbe8f59926b7cd57c03f9f1e446d8989cfa5c7218d213174a516989a5cc41a4066f6275f937540ec9112e652

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
90915b21827c01f294dcd7bbc9b62bac

SHA1
7966e79dd69f543ce9981857c1216046aad6cc72

SHA256
fb7574dafaa68e007c35f3e41870768ef455afc6f136180406094a3c9f93105f

SHA512
d13a827860b0e5602c7a23edb72387418306178f8ef86f7fbc8a807419f57fcbdf5caa14da41989ea27dba740795b97aae0d6893ab1e9bea92e5a60e64ff7f4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
668d79fb4a1a5243fe98028f39837ac6

SHA1
17ef6a6fe63e0be4b59b1adcf45885022b67dc5c

SHA256
8741805ac62e312fc308dc53f03cd0159e86c0970a494964e697c26f45f86e94

SHA512
a9f9100bba845b93800becf2ca1d3be4398430b149316d60bde6d1b94a420cfb9f39573f9ff2ea652b6203f9daf752b313381b4d885969625c8b2be1ae3e4628

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
e738c2bfbe6479c09fecffe46115201a

SHA1
638d7a1ddf4ae68521ad85acfd8a3bb73be57f88

SHA256
a5203e86258d3d8cf11e2ea5e893ce4c7941cb204411c9c71ee29c5c4d88e79a

SHA512
e3a5b84ba00b3600879548117f9a9ceda2ee5df830b101a1908c1481939ed42893650339298e51c04ed31ebd187c7cbd6f130d0ddf0668749aea6b775e52f066

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
47f12bcbd21a331bf40be88048bf36f1

SHA1
5c98a5e864f97112e4299f5f969a43930ed5a03f

SHA256
2d3c9a45322bcfc99d29dfec743391dba7591d75333790e576af29a659fcd960

SHA512
0aa597395c5b2f35f14e174c6bc8e21ad31fade2e639d418ddbf5ff183d153659a58b596106b651b699266ddba2fded83188a8507edf3f8dc275b6591c949a09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a69a34c8cf6d819218ff87f256a6643c

SHA1
0cf4400874fff614bcf61af9e9d1c8b52c580f62

SHA256
8bdcfc16a07550d99287ddd779096770263ea86e5b22cf86b778bd31311e1e5f

SHA512
77fadaaee59120551c0484b3a8d51a1e2774216e32867fb02822be31b7afb5af5c1b5376af9a900b128485a4fbe371dbb44b5f2d80b7e758f4744d38ba255cbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cfb98ff395e6f0ff0f628d8d06932de1

SHA1
a5dbb8f73ff08d23421c5bca99528cb75bb82e08

SHA256
feddc6b6c171911477d035ec528a49f87f4142eeb1388af693996ed0d819963f

SHA512
26c3e8cbb42faf2e1f8e8eb8dc62aeed8e77a94b9555d913a5f48104c616449839abe0b273a3688ad4039bbbd3e5ad249c689133f4e8f033e2513d53c6ceabfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
be578abc34c0ca88a68575cb8d0ad64e

SHA1
69851bc49632980821b68bbaa3b1b5c0f5d7901b

SHA256
68ef5db2b9b4d71990e3b28a6242177c04258e23253fee8edb2906c45964d82b

SHA512
d099584cce7cbb9983547761d44d38dbcb885e694c47f53ef177931b80d0cedd0f569c69480149642893c2b57f708d8c7e477b708f251baf462fad8c94457a8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
1a30a898404140b801f30ca9bf259310

SHA1
81625208956f500ec98d419025f84d1ca2e25632

SHA256
497afdc82694193f227da67d96d6ced74f8b721597991d8fff010e36393278b5

SHA512
67e20f567fd6ef21aca46940b7111c78df0904bf1083f5dd9f4c4aa608448c26c1af19f08b37a7690c3f8cebe620efc34d054917046291a60d70ecdfdac14400

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
2923d5f13ab70253b7faf25ec3f7f80a

SHA1
9b09968c57dbf7f16f8f091bf056889421e7ec2f

SHA256
0cfa74755ca65c826880ef23776e5d9179e0341e7766410ffeecd56b6884f03d

SHA512
195e0ea5230ac637644b2b7323b377154c948b915b44001ede63d3e705f1b03f56e975afde77ad8f779e79ed0037d81f255e353b014ee0a88f8eb49adf9eb155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
a68fbf4f25340c9066faca39824b70ed

SHA1
be8f384a7c96fb13d029b87fd8e3784e799851ac

SHA256
1af1badf464870c0302a6d47238fc06a50c917cb2e0c2db220357e2dc7d0c818

SHA512
cfd04903e45d153182959d00342d60a94f5c03a7fc0b477a9b77626bbe35c1141194b5eba7530a07c28512308dc054068e9ad85f80da361edb1b9ba54e761fc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
3b8362560c74bc43f4b9c09b7a15a0aa

SHA1
f87cea4c23d5d9cc37c5c6f0b4aab4e4aa2e5b0e

SHA256
64473dfb6872c5d6ed0c137973a6f9b41d6e34fc9f11c4d6d5bfd8b09d748d0f

SHA512
b7bee11dd3dd7192fd342f50f865db5b0ee48e1923684809eaaa7b050e680b3c06ea09d7baec9d441bd216e474f7d8f08e153f8eb1a95711ef2a7e8e89a9f73e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe582efa.TMP

Filesize
94KB

MD5
1c20f5a2fe72bc8424a88f89b17790ba

SHA1
8f9a49daa0e7f3f58f54a8f70aeb40b5d59693bb

SHA256
ba2581f403be18fe1212bd75c91fbe421286873038aa8e40b5c8cbfc762dc125

SHA512
538f8c3bde87162c5ff5f59d64cd40a1a0e3c04ef014c9671653f51654381530f3a81c62af67c203bdf0a6cf812c13c3ca45a4e268085649b28ca3e859cc28a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
dca57a6188a22af6f4e026f39a297f5f

SHA1
f88e713c169aaa9493d084f6fffff00785273aa3

SHA256
ffa6f5fd806d15f6a61c4592cf87fc662ef9bc9ab40297eac86451861421ca8c

SHA512
ed4211bea486f31710c23b16c37b4c4a2c349ae0ff9eacf76a20971b2328dfcc94048a8ff91b67d541c8b42a9089cf6ddaef192bb6ba775db9ffefc0aff175b9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\entries\CC9AFF3BE02AD27708D587AE49B3DC68644172BA

Filesize
13KB

MD5
6d9284724d988f3bba4289e3e27e6088

SHA1
5c8356b7ba7f9b116bb5c29fb08bb1c8a95341df

SHA256
3198819b15ca3010c473a6a525948139afe009bec33d32bfc38c9a1550a9d3ea

SHA512
4cbef8d044434cf0a9cd859cfc0072d2e8049d728b225e6e169a42eb02cdcac14363b922517d6e6552c0ed5e4c427b32a6e57e7d7245a01359bed294b24471b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

Filesize
13KB

MD5
0cb9757a95de3eb4a82eaf0fe9716026

SHA1
4402e3ed8862dc97c6ff02051448e339f3295297

SHA256
4135931d9cbd623e799fc60c0cf3aba0e205150561e426f37ef839b79104b536

SHA512
c52cedeff47ec17da441c5b755e9ed3ff1069c7d97443ba01455d32c0b14308afdbc72e142259ca98d58113b326478a3c8e37786622ea3b576cef9e239038a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
228B

MD5
8f45e0ea664b30edd40e277c6eb8fc89

SHA1
9742d05a0eabe8c4960d80bcb24e51514e77a803

SHA256
e2cdd1993e117f75ecd7833a86becccc3ecee73d8afd7197971acac88408c4d3

SHA512
6dec7f7a59cff0533eee2f50c44eefff880f1486d8cc0c3fa2884bb222d837dde26d7a21f4879b3ed2e4081dee6580529bbd3f23b93efd2e80609bb37b85f00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7D7.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js

Filesize
9KB

MD5
11b569c173050e78047b2bac556caef9

SHA1
bee9702a751530dfb7fd5a4b5a270a8e9453845e

SHA256
a678b0881691b67bf92663c881ad8cffd88b4fb99d96a71011f1fe16bbbf46c4

SHA512
fe6307ccc0748960a827468caa1ade4c3eba8a41480b9329bdc3bf47af6811500f2074a92afe0d21bddf9c51d60afd1a5582a41b6d66278d13aa24f94b7cfdff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs.js

Filesize
6KB

MD5
bf5d255529e59e3eff6795e55205b964

SHA1
c27d8fdb9c28b0d322c9aed86f5b1723fcd39cf8

SHA256
967709c94cb0f12142ddb83537e1161e4e2dcb8b1f7f71cd0bbe5c3664314759

SHA512
4da55e8cdec8b58b3ddf489417a47c48802325b84089f7d489c6e539daec838f58725f4c8cd42e0f5c9e5c7b5964fd4c2291db35ef36210688e662ba7393b615

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs.js

Filesize
7KB

MD5
ff153d9e2eea8d2921d203520180fb23

SHA1
5b89ac958b0ab4c9ccc145b0a00ff757a7908eb8

SHA256
c2fe1a487daac3db83c31766ec913012a5a77cdc67a81a6a7952b9678eaaaacd

SHA512
bd4681d7f3d27a0c97b4e1ca91968c7136f1c15bda09233e877a434e224549e4c7f822a8fe9b2516a76b1128d24ecf6e4dd95882f7a3efd7bb9bec2d5d37c146

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs.js

Filesize
6KB

MD5
3c66ecaf1bddc30e7910a670f4584e73

SHA1
45cd30d884017ed39abfb7b256c2c3e7883a55d4

SHA256
9b53bcd49b56df241d0fbbcd74bcdb4d1c9792a9a2fdbcecd84527ee612a60f0

SHA512
c619785ba318476a566f1954d95f4305558ed967d5b7229a37e7a9c7ca8a2ca4b1c53405fc231ec2c656aa8c5a304c595e62ac56a82e9d8279481a5c47f4f9d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
4537ea198b73e14255906d1ab540e72b

SHA1
9d7350de380508dfebc9d87caf1a34a1a732d82a

SHA256
601aa55d82960a365cb1c735bb788bf10fde521ccbc7e389423a251b4b04e880

SHA512
3d3c85a1454a4ccf7b997462b81fb076eb7b04d8c4950ac4d52af477a065b9b182f2c290dde1fdaa1c56e771640551a0499c874fc02a939a07b36bd9a0a8e645

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
048a8f55f4ba9a41121a34f7767f641b

SHA1
15bb6602f3c1c805f1ce25a64d2d169c84cedfdb

SHA256
4239a2e117711ca2f15b4122b5ca972ab06061edb6149f29c5325a93b5255556

SHA512
d51a3eb8b1a194e50d2db6690250f109f2bd8faf70321005246facc28c2c3257158f537d99febfa4cd5c0593242b0ac2bf45d4a3541a869297d7431e7d30574a

Download Submit
C:\Windows\Installer\MSI3053.tmp

Filesize
284KB

MD5
8d992a2126c1d93fe274057e6d4fb1d0

SHA1
bab132d4923c48b88b746f48114564cfae8184a5

SHA256
6c435a95b9ded21a2c27bfdfb096de2367a9e4f8e002a3dbb6aa6f52b6409276

SHA512
136babf8a8f2053e0c4d1d10c345b4b47dde10f15e230a4e914f3c72eb1144ccded421b2d47ad428a02c4273ac124a86e3e32222b0f1b24f69e22a221001869d

Download Submit
C:\Windows\Installer\MSI31CB.tmp

Filesize
203KB

MD5
d53b2b818b8c6a2b2bae3a39e988af10

SHA1
ee57ec919035cf8125ee0f72bd84a8dd9e879959

SHA256
2a81878be73b5c1d7d02c6afc8a82336d11e5f8749eaacf54576638d81ded6e2

SHA512
3aaf8b993c0e8f8a833ef22ed7b106218c0f573dcd513c3609ead4daf90d37b7892d901a6881e1121f1900be3c4bbe9c556a52c41d4a4a5ec25c85db7f084d5e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
4fad158fa9a3d46dd03762770d3544c5

SHA1
2c544a73aa6b7accad59197fb94cfb59fd5a8ae2

SHA256
93e508bd9805e03570916e4f7bdae0971d0726a272fffcacfeb7eaca0997b305

SHA512
5fe440aced39ba703658c78b2306ded3a2b772632dc1b32cbf166c64d15a120bf781d2b237f972097ec42d6864eb8f7be4a26ae216dfe063fab4a765b68a91fc

Download Submit
\??\Volume{b97f693d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8d6a4c3a-7549-4844-b033-b8e16604767d}_OnDiskSnapshotProp

Filesize
6KB

MD5
a81e7e6c2a08a9bd1d31d66830ba402e

SHA1
686e369036c9da72b147c7f07c975d2e6e450af6

SHA256
b6c3ef2e9d6e6a386269962112b5eae0331b8ab43cfb4742ad19fcda74971358

SHA512
757af6d311895c02c2502adb90ddcbc5444b99a1d8e27c31b62cae8501d9c6a3e540768b2027f607f84f801086bd72c5803f689b3b1e610b205462ba98b8002d

Download Submit
\??\pipe\crashpad_3640_BJCETGREHHGTJFSW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/180-6261-0x0000000006E60000-0x0000000007478000-memory.dmp

Filesize
6.1MB

Download
memory/180-6240-0x0000000005390000-0x000000000539A000-memory.dmp

Filesize
40KB

Download
memory/180-6264-0x0000000006950000-0x000000000698C000-memory.dmp

Filesize
240KB

Download
memory/180-6262-0x00000000069B0000-0x0000000006ABA000-memory.dmp

Filesize
1.0MB

Download
memory/180-6265-0x0000000006AC0000-0x0000000006B0C000-memory.dmp

Filesize
304KB

Download
memory/180-6258-0x0000000006720000-0x000000000673E000-memory.dmp

Filesize
120KB

Download
memory/180-6257-0x00000000060A0000-0x0000000006116000-memory.dmp

Filesize
472KB

Download
memory/180-6263-0x00000000068F0000-0x0000000006902000-memory.dmp

Filesize
72KB

Download
memory/180-6239-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/180-6238-0x00000000057F0000-0x0000000005D94000-memory.dmp

Filesize
5.6MB

Download
memory/180-6237-0x0000000000D70000-0x0000000000DC2000-memory.dmp

Filesize
328KB

Download
memory/180-6273-0x0000000008930000-0x0000000008E5C000-memory.dmp

Filesize
5.2MB

Download
memory/180-6272-0x0000000008230000-0x00000000083F2000-memory.dmp

Filesize
1.8MB

Download
memory/180-6266-0x0000000006C00000-0x0000000006C66000-memory.dmp

Filesize
408KB

Download
memory/180-6269-0x0000000006E10000-0x0000000006E60000-memory.dmp

Filesize
320KB

Download
memory/5292-6270-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download