Resubmissions
03-06-2024 05:29
240603-f62bjadb7xAnalysis
-
max time kernel
1597s -
max time network
1607s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
04-06-2024 17:13
Errors
General
-
Target
90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe
-
Size
211KB
-
MD5
90b0dacdb9974cb1f970960e3c082167
-
SHA1
921e17c1f9b6803ec6be7b4cde70e81e1163fd3d
-
SHA256
071fc19802f6780857fc4a516f64df6673cadba104828d7b2f11ed5fdf8e43c3
-
SHA512
798ab85ccb0be6e565552321feb3bb71e45d8de0028e2ce6a37c2411341ab8b036f60febcc1199eab4e645727498310ea6737e9d7eedf582aebc8173ea6f80b2
-
SSDEEP
6144:8+0qeo57l6zMm3CRT9qyfdiQgInzZOBT:8PqeMwzXC2+4Yd
Malware Config
Extracted
njrat
0.6.4
تم الاختراق من قبل دكتور الغربية #
Dr187.ddns.net:999
59e66e4fd01ed7a53bb65713760bdb7d
-
reg_key
59e66e4fd01ed7a53bb65713760bdb7d
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Drops file in Drivers directory 19 IoCs
-
Manipulates Digital Signatures 1 TTPs 38 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 37 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies system executable filetype association 2 TTPs 2 IoCs
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 64 IoCs
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Checks for any installed AV software in registry 1 TTPs 64 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 53 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 64 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 30 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Google Root.exe"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE3⤵
- Modifies Windows Firewall
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9f27e46f8,0x7ff9f27e4708,0x7ff9f27e47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6024 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5072 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,14750786143134982384,1342549959130371297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:82⤵
-
C:\Users\Admin\Downloads\Xcitium131.exe"C:\Users\Admin\Downloads\Xcitium131.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tmp_069774d5e7e16156f22864e975acb27a85467aae\offlineinstaller.exe/ra warn /rm "Xcitium ZeroThreat Installed. NFR VERSION" /rt 300 /sm "Xcitium ZeroThreat Installed. NFR VERSION" /7orhigher /8orhigher /brand c3⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe" reboot "Xcitium ZeroThreat Installed. NFR VERSION"4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Xcitium131.exe"C:\Users\Admin\Downloads\Xcitium131.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Xcitium131.exe"C:\Users\Admin\Downloads\Xcitium131.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Drops file in Drivers directory
- Registers COM server for autorun
- Adds Run key to start application
- Blocklisted process makes network request
- Checks for any installed AV software in registry
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 0DCDD5CCF0E1195B833F853C0E54A1962⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 53C1A3548840C616AAD67AA949EF57D1 E Global\MSI00002⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe"C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --langID 1033 --msiinstall --installCertificates --osver 1000 --av --productguid=1EC1BE12-7F79-4002-99F8-CF951EE9D8EE --upgradeBackuped= --createConfig "active=endpt;dplus=opt;esm=1;av=1;fw=0;cesav=1;cesfw=0;cessandbox=1;free=0;noalerts=0;cloud=1;sendstats=1;configfile=;fwstate=0;dfstate=0;avstate=0;bbstate=0;avservers=0;standalone=0;useblob=0;trustnewnets=0;"3⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
-
C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe"C:\Program Files\COMODO\COMODO Internet Security\cisbf.exe" /Regserver4⤵
- Executes dropped EXE
- Registers COM server for autorun
-
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r4⤵
- Checks processor information in registry
-
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o5⤵
-
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r4⤵
- Checks processor information in registry
-
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o5⤵
-
C:\Windows\Installer\MSI4B21.tmp"C:\Windows\Installer\MSI4B21.tmp" -rptype 0 -descr "Installing COMODO Client - Security " -logfile "C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log"2⤵
- Executes dropped EXE
-
C:\Windows\Installer\MSI4B21.tmp"C:\Windows\Installer\MSI4B21.tmp" -rptype 0 -descr "Installing COMODO Client - Security " -logfile "C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.log" -working3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:24⤵
-
C:\Windows\syswow64\MsiExec.exe"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cmdcom32.dll"2⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\AmsiProvider_x64.dll"2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Enumerates connected drives
-
C:\Windows\syswow64\MsiExec.exe"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\AmsiProvider_x86.dll"2⤵
- Loads dropped DLL
- Enumerates connected drives
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll"2⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cisresc.dll"2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cisbfps.dll"2⤵
- Loads dropped DLL
- Registers COM server for autorun
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cmdcomps.dll"2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\COMODO\COMODO Internet Security\cavwpps.dll"2⤵
- Loads dropped DLL
- Registers COM server for autorun
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8D28AFD4732D4E2622A7258B3E3B2BBB2⤵
- Loads dropped DLL
-
C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe"C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --selfProtectionDisable3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Enumerates connected drives
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9A44F079232AA76B1CA6E2B77A560FA1 E Global\MSI00002⤵
-
C:\Program Files\COMODO\EdrAgentV2\edrsvc.exe"C:\Program Files\COMODO\EdrAgentV2\edrsvc.exe" install3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 40B2F70EBEDA61653C096117EEF1D7FA2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1738AC3D2CCCD75C71A90234DBDE56C6 E Global\MSI00002⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\COMODO\Endpoint Manager\" && "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe" "3⤵
-
C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "5⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2cb07e0b-e9a9-7746-afe9-c077f5812ee9}\cesguard.inf" "9" "4ca5bc957" "000000000000014C" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\COMODO\COMODO Internet Security\drivers\win10"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\cesguard.inf_amd64_7eb972e4be959e6b\cesguard.inf" "0" "4ca5bc957" "0000000000000164" "WinSta0\Default"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{c34a78f6-0774-364d-864b-cfc03427477b}\ceskbdflt.inf" "9" "4b12ed323" "0000000000000158" "WinSta0\Default" "000000000000014C" "208" "C:\Program Files\COMODO\COMODO Internet Security\drivers\win10"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\ceskbdflt.inf_amd64_ea937b232aea382e\ceskbdflt.inf" "0" "4b12ed323" "000000000000014C" "WinSta0\Default"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
-
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe"C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe"1⤵
- Manipulates Digital Signatures
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Checks for any installed AV software in registry
- Enumerates connected drives
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\COMODO\COMODO Internet Security\cavwpps.dll"2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Program Files\COMODO\COMODO Internet Security\cis.exe"C:\Program Files\COMODO\COMODO Internet Security\cis.exe" --cistrayUI2⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
- Suspicious use of SendNotifyMessage
-
C:\Program Files\COMODO\COMODO Internet Security\cis.exe"C:\Program Files\COMODO\COMODO Internet Security\cis.exe" --mainUI3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\COMODO\COMODO Internet Security\cis.exe"C:\Program Files\COMODO\COMODO Internet Security\cis.exe" --ratingScanUI={0C999A1C-D192-4BD5-A219-55428C447B71}4⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\COMODO\COMODO Internet Security\cis.exe"C:\Program Files\COMODO\COMODO Internet Security\cis.exe" --updateUI={9A65C575-9AD3-4DF2-9520-4D764743133F}3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
-
C:\Program Files\COMODO\COMODO Internet Security\cmdinstall.exe"C:\Program Files\COMODO\COMODO Internet Security\cmdinstall.exe" -type local -check 52⤵
- Executes dropped EXE
- Enumerates connected drives
-
C:\Program Files\COMODO\COMODO Internet Security\cmdinstall.exe"C:\Program Files\COMODO\COMODO Internet Security\cmdinstall.exe" -type "local" -check "5"3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\COMODO\COMODO Internet Security\cavwpps.dll"2⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Program Files\COMODO\COMODO Internet Security\cmdicap.exe"C:\Program Files\COMODO\COMODO Internet Security\cmdicap.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe"C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeAvMonitor -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe"C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeTdtHost -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Enumerates connected drives
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe"1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe" noui2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --start2⤵
- Executes dropped EXE
-
C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe"C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --installBrandSet "C:\ProgramData\COMODO\Endpoint Manager\brand.zip"2⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Modifies system certificate store
-
C:\Program Files\COMODO\EdrAgentV2\edrsvc.exe"C:\Program Files\COMODO\EdrAgentV2\edrsvc.exe" enroll --rootUrl https://api.dragonplatform.net/endpoint --clientId 63e17b432cd65d0009748ba2 --endpointId 106 --start2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --stop2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /x {1EC1BE12-7F79-4002-99F8-CF951EE9D8EE} /q2⤵
-
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe" noui2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Enumerates connected drives
-
C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\COMODO\COMODO Internet Security\cis.exe"C:\Program Files\COMODO\COMODO Internet Security\cis.exe" --cistrayUI1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
- Enumerates connected drives
- Modifies data under HKEY_USERS
-
C:\Program Files\COMODO\EdrAgentV2\edrsvc.exe"C:\Program Files\COMODO\EdrAgentV2\edrsvc.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe"C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeAvMerger -Embedding1⤵
- Executes dropped EXE
- Enumerates connected drives
-
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe"C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeAvMonitor -Embedding1⤵
- Executes dropped EXE
- Enumerates connected drives
-
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe"C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeAvScanner -Embedding1⤵
- Executes dropped EXE
- Enumerates connected drives
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Checks for any installed AV software in registry
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 299758E00880E49B12B0280A0E136F29 E Global\MSI00002⤵
-
C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe"C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --checkPassword3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cwwwvr.exe"C:\Windows\System32\cwwwvr.exe"1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3820055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
4Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e5f3d34.rbsFilesize
1.3MB
MD5bf35ad33a1edec476a5f3dec930507d7
SHA12453fd86e3c5a3e470163356cb8af62c6ad51eaa
SHA256bfec98e49d8adde9b03437b422cd7bfd9888f3d62594dcf15c8dfdf550c5514d
SHA512e32b1efbb063a7b5f2aa0c6c6be4a92c5357c8a41422c4f44c52b127b74db7788ed8e52e8209a256c608633e1c6b195691c9776d57cd027a38ffd1f62789f792
-
C:\Config.Msi\e5f3d39.rbsFilesize
141KB
MD53c63c1df10e77346e1e501e7ae900e8a
SHA179cf71c4d1d77c689fb57370568a5c10c3a04e18
SHA2566b17cd7b139b64a97c47b54a89db561dbf197fe791f1d810060fe26566e8e2b5
SHA5128aba8be0bbeca05881b2630ca1cec1dac6747c6ca38af51ed67048ee20fb62ec5338773491d162f6206d608814378851172450ecb9471c0bbcb48f7cf7f78ad1
-
C:\Config.Msi\e5f3d3f.rbsFilesize
710KB
MD56825437b1c7e734c4a4bdbf8a499f58e
SHA1fdf3d094f442580a8f57cd4c7e2c8ea0cb988ca3
SHA2569a19ade742f697649d753a7e6b8f1dbec94d56365daeed8b1bd6524a3da6089f
SHA5121337cfa9e4e63df9f825f3ad1255c3dfd7eb4e8f29353c33ecf9cfe05555c6d4923625ba5e6661acbe8a25cf79b4037db092d76b3a5a3449c10bc2abb67db6a3
-
C:\Config.Msi\e5f3d41.rbsFilesize
573B
MD597608e3dbdb78c8ec55ad95710a934b9
SHA184293f87cfc6730cfdaab555d7a7371e8a192263
SHA256cfba1d569a95a3069db3c65de4d5059de93647f8036ea8f8e22d711f87a1ff17
SHA51216723b86d4d3ae5f86220424bef99d1420090533ab0fa42841b4ab9244b30f6620d704ff95f22bcd95f976e9393ca1080589ebabe9ac03c33fdc9dcb04d57833
-
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exeFilesize
2.9MB
MD566aba8b7c1b3c664d168ec8abca8c8ef
SHA18e2f4a05f10082017b6302ccdb99b9c017f1276e
SHA256d0e054e6ad540746fd5bfd1844a26c3cb7b5869572d21ec650ff8f95e6bea65a
SHA512f112450dd08b8c6e47344c1447720730c9e676b8cbd82e5c14462376d4b5070e7ab74db519947eceb096023755c8b27823f42190aff2c4f52dca698a9d6a41f9
-
C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools-18.2.dist-info\zip-safeFilesize
2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
C:\Program Files (x86)\COMODO\Endpoint Manager\offline_mode.iniFilesize
31B
MD5e46a20af00a63f54ff431ea87ec309cf
SHA167540012531b99a45a66871aec18371ac004918d
SHA256e1f7b254938f295375c20ea97d91c5cb085ddacbd0bc727f469a424ac7159789
SHA51291841f226d65d6787ca27a1abfd11ce2021b53e4c6f9f3b454d6e8a31dfa2a2110a3a8387a559d57f6d7a3766d597c4bd82409d204c65dcf23f49d1137aab6de
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1Filesize
33KB
MD50c4daf1e61a7ee3edfd22678bd9b4cdd
SHA1bbd358bdd9c7bb0b0108b66429874e43e7b18ce3
SHA256a0ec71e16918adb748001417c93e8ac9d0edadf76709aec4026cf4dc92bbe7d7
SHA512d563ba50c6c63732d82ca8f425f13e8cbc3f81d64bffe56f6e9cc1906cade1ffb92e4c8e137e7b2913ea7f6c1281fc851c9c3892b543893645747f572df086a4
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1Filesize
33KB
MD5acd95af4841d35305b3d2494ede4c1e4
SHA1a60702841bdbaf84f6c245c24076987172f54d37
SHA2562ab817921e5abef734679f9396fdc8e7b3f9657d04a6d857eefd2aef5173eb79
SHA512abb7918e77776b570ecf6c0438efd26d33a230eb6532ac7957c04f44d70ea572409a4738495187d8880ed5e1c18e4105075894a33ff1ca896c36c5802bde2ee8
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1Filesize
33KB
MD5d5fc42737415d85e289e18395e4a896e
SHA167b8f2511e0007dfb9a2898ae64341122e4dccee
SHA2567191373fa806b444150f99528c59dabecb51efbbda9a2aa11d7e4fd2c1681ef7
SHA51247fb867a36761c23b5e8b6dbc67e6a5a70e2c48a83853ffc0a95f46112dc79489328a642f52dec17d05a47f71bdcae86f1f6d8c14f9187942dab96d0d6bcd6fe
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1Filesize
33KB
MD5fa6ed06b9215c4db8506dbf6f1e95890
SHA16e228f9fce72c567f9b927f5ca6547e5d10a514c
SHA256a48b4b5eb8cb24627476ab10788989456a442c43bdb5ec45ed849ce2bc50283f
SHA5129c7026d95720fc689fc0b648b0aa9bbf79a60c042c1619f0ef366e2d859162caa984570388a0c8a2b549def4fa1600dbc53c7bae51c445e006e2c70ac8210460
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1Filesize
33KB
MD5b7518371f8d87ece5d787badd4205a31
SHA1a8b6a6cb779cf8fd887884bb509c11aa3dd5b957
SHA256fdd775105a510614555ca16cc660b09a925f71717b749b4863b8b0d61457c8be
SHA5120ee4a687310d6dfe0ab468e29837a0d98f97906706dd98ec2749d32878a817126fcb3d61043d9ae78690f750d062b8765ab744ea28b9b2b2584619902853c123
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1Filesize
33KB
MD56f6114826f9e0f51b2befa4bc30bb879
SHA15757ff1c98b7d1141c7e3703e66e2cb70674e05a
SHA256e4d67779bfdb1c2f9bbf1c365391794557a95fef3753b45fc7b8afeff4b6014e
SHA51208fe5c97995b52d09b0bfee74a8373a20031e6331cb12169204af9ae8b2cec83ec715dbe1bd15c8318a536cbd8d3980f24dc341655da1e8387f2440e681bb2c8
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
32KB
MD5a4d457103c1b5f667e24c019caf41a6e
SHA10c79dc8a8ea631fce870ddf2265b207bca1a08fb
SHA2568994af91d287c6a5fc03ea56434f1249986ecaa5861d10ba6e4676ac5d8d1422
SHA5124381e1f3043eaabd7bd444629105a2576e0c9332280ac079af0f8947ba77d9fb8d13793f8577c9a5e217d6e7f6221a508675a8e9aecc955d3241c73b89aa030d
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD553e96c40004c733495fa9de05ed0c2f6
SHA17e747ea14cf58faa820ca6256202c29aea2a49f1
SHA25657baf3866acc8d75bd0dfeb3fa82769d4c6106f9f139f3bfd428b93be1ffd2e6
SHA51267d35ed851b17775a6508a3cccfdb303446541fb4f2969b0f6e403a8382db0f06a6a19bf0c3d57f461fabae265db3910a61f31f0c2a71fc33d32e94c46ce82b5
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD5b245302ed4a8f09e4de1ec1ffe295aae
SHA107b3b5c2bcfc9a6b0701d2715a01f21c375512ca
SHA25676293a36f3093f606692fe22ea286c1a1f48a664404435838668051d8940ecbf
SHA512376f880b0b7aac8fdc5c99cd5dfc3dfabf4279d9af64735dd6a955b5d2d6b5abc3efb631fd637ae146fe970a3ff7a9506d5a58889252b8b6f41e72ed7d4d5549
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD50b2279f522871bad1117943204478da6
SHA1832f574efbc540881e01c9fe8d80456a54e7c424
SHA2569c744f8166b2b9e46b7a27715fd352ba299a8008d35d15eae9763e8956229df1
SHA5124e5c8a41204bf4020ab35485647b14e1a110847da62e538dfa5ad1e95dbd58201bbcf4e0b6d10de25c23884a0b52df79eef1784c1c0570d15c58b49793205e62
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD59e9994ecee803ddf880a9a74d8a55589
SHA150d96c34c9eb3a5c9a3566fd70e5a8fb19f22bc9
SHA256040de5b76c1ea269eeb26290a98049a43c7e5776cc8bd60197c819a39cf856b2
SHA51245c13460cf509b07630721b4fe8997837e3676a7b94bc59bb1e744c3ff4ab59291012e9734bdc4e95379c429ea60db0cc5f8dc0c2cb933f3e8e7d2fd274d2f6a
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD51223c4fcb954f48ddf5a84fdcdcf79ef
SHA12b63eeb986555cdc0dff5744b1cf4e63e3506a21
SHA256e4a491fd911f70534b1a5aefa8529fb6b14a60871629d1a6baed59e5f3bf01f1
SHA512fe55838d09b33482fa867d8e00e41ddc8b10d2a3526575eb85077f948917b143c4efa57dab528454babef719411edfc4bb37e1f4e123ecc936007ddf3e21a7b8
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD5cb414b2c2b2fa7e8db4c1f92f98df015
SHA1485e7337d8032026331f4cd2999c6b91d5a3b32d
SHA2563f8dd685e333c4f67a90c1a360a0877e61a33af10dc96d6a9b552b6f335afd4a
SHA512b90029e9dbcfe3288e4e328308205889ae4ea94596c32f35934f2e9c966e93345232b44a0f15fb6ac551e923d7fc4aba10f1fc97e0b005d7fc4a9afc55c00c7b
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD5a9a58ce6769d955f1b7bce2ee20c3191
SHA1358dc2957360d0c91e82658db080e5fcdddbd6d2
SHA2569b85e47c59ee7459b1d1216b15d998265acc8131d4a5cded68088c028c224a02
SHA512ee9b7fc1df115fb2bba2a9ed2b72b17c0cd402320c2245ce0dc3a0ac1e62d824275a2948278ffe193ccb46c6d6b888f60b5f07cb52eae4e295880f32f7d52b2a
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD512706ddb60f36eca3634c341cd395e13
SHA1863e7548d71a8b4aa81513d082402432077d66b8
SHA256ea5ae443ce200b2932964afd642a3cf8dbabd6a43a5a4c67e9f323a67c893184
SHA5121b28e5130b7a15eae5d4e4403e59b6ff53bf1c0876a2e0ea43525fc93345efbf41d161a788b4715033993122efdc223dfab476db8d8a8af20d8a47d29ac61230
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD5d57d2638bb52a639890d2b0cd84645bd
SHA1e5db643f4c2a1f4a316032031b8e32bd6288d6e4
SHA256c422e354952a2ffc2ce6753e010f92dfbb04a7da51d25b32e7225d214e0f18fa
SHA512136df7c2e9692f6fa3484bc8b6d8195aebe7eb39bc590d9597c93edf3947fa90ee1985d194587452bb73ee16c656066b595b3cb337c07a110c29866d423eb000
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD55fbd9c7418fd3c6714eb3eb1f627103c
SHA19f9f37861bf80655616fc491057b13840d0a96b9
SHA256453938dfb81ae5972842c6890a811fc2f42771cf0b31a8d3d58b78c7d5375a88
SHA512fa1d3dfcf30e7c0500b6b220e69015db95d04d4d80f5ecb15cf865cec638cd78553b9e526e5c432b38778c0bcc059505b2bcc307dd8ed023295d8b835e35dd68
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD51dc5027a8a82c4c8cbbd9110d3f28906
SHA14e96b578723ab744bf5bccf03b722b454cae4782
SHA256d634e9da41ff25e8dcb68759076d258bf3b78a97c35e54a7721766c53b080e70
SHA512a1b71ed8f914fa1e146f551ba49591205af2d27dc07d6306a1b22ca23e05248921696ed41ac2f85e3c882d22c279d50b61748042c8c70a4ef6b2a39833ac0ee7
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD5355ecfbd000a39271c22dff841f27f74
SHA149f234c94e0425635ea14caaf567ad8c2fee8402
SHA2563afdca5a25c0c9edb1730d9c3c6299c4aaa2ca3f634599d1ae51c4be03937935
SHA5128c79873b48b59af85fe1f70fbad152df8bb6fe4e576e701af5dabc6120e142c11c368ffcc3da2086b494e6b1cb9358c4d755e5d45f7e4e4bcc329eda795e4fd1
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD5170f761923dd6a590cef970dda29b753
SHA199ae2392c7f66ef357193d1a48ce6048b7f82ff3
SHA25650e4c19111917f585cf8d2f4300be12a54041877d9f625bb49285dd4a5020c8c
SHA5128e6645b9280355ed890216bf54536f079813b0ecb337f3a0926e3fccb7f6d58c8568641e68111edfd1ef7cc944f7964142ec911078dc9fc21add6ece0189fd55
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD50c575bccc89e7677bc62b60cd8e53673
SHA1ac7db565cb9820745daf9b24137e0c7e94f7ee2e
SHA256903d6afa8c3b0ff1c8600b472edae351e682124adb83059dad5479169e03199e
SHA512a8e93ae158ef07d86c74170056d310f6cd326f4fe7123f93a0a2cd8b9c3f2d3aa78d8dfd65bbbecd153dfbc518e0cbf825ef11031d796b3a0fd86339999fb313
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD54f1ea6c2d2c89006f9360fd7f7ab7453
SHA1b2d71b6e9c79ecd594001385e805ec79f415d6e3
SHA2560bee7ae4655da3c2e2ca010e29e6fcdf6af283d7d2fc35057ce06222a42b1066
SHA512bdddee53752d45f6aac604c7e192bdafad9c13f4e4192097459b4839382bf3974c58c77ef1d6a55652636ec31af0bc98b76ed13f9a36918eb72b29116264ee94
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD510d0e0fc75b29ddb9da107d02e4ad9d8
SHA1f65eeef1d24503e868085f42415e5949c7f83c91
SHA2568b51b811eee9c8a96b3ecc6c90b3e747afbb23240c901b1f890feb9622d3079d
SHA5124d97e185f93c65264b3f7877828e2902a4142323e70a716090775054d78a9c7435749033d9d452c17229f40d523fc62fe89044685246a2a9967ababb383c2899
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD5ff0ea1cb832a41b00dbc921d4279b31f
SHA1a26ec3ec04c6953ec2fc3fd9f92c928390616fe0
SHA256b5eef30d3d5fc519b15b843d59d729f9f10fa8428388449ae51339e673a47501
SHA512601c5609f495273203fdfbd64cd59d5abe208f8d6db61e70d6cb58248062bcfb723ca8af806dc29928bb92c3491e383c57a8883e44524fe7513b46085888729f
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD527fdba88b21a3a0733e8cf8408137261
SHA1e131e9292306efe0eba7b316f0356a8da62859af
SHA2565b51e78807d902998d5e4fdad7542fe7802fc3a36bd3d04fafafea7e241ba0d2
SHA512407d91175e86f6dfd977259917c6ecc49bdef7aa6dc8364e29084067b3be955c092e315e9a90b4c6c5f73e7a373737ee4678fa1884be03702f1a35392f9b6351
-
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
33KB
MD528ff2271b1b4e1665acd238fbdbd24ee
SHA16bd466c1d8d0612de23fb4b15cfbe12e4c9bd56f
SHA256e6507ac1e42438309f54073c7ae617a46f0cfd251c4531f4b3116acbf3d1613e
SHA51287aac8f50d9bc5688864611400793ac0f64bd82ba34c96598a7dacd58111e9b57ff285df35d28ea7ec5355a09439a2bdf98d5468f8cabf19a3c8a695b8c94809
-
C:\Program Files\COMODO\COMODO Internet Security\7za.dllFilesize
402KB
MD5bf3ab7188be0fb006472049b4e9d2cfa
SHA1e127bef1e53dd528b06f69bd1c336f6aa1798fea
SHA256aef110468614772ee6010883fc1551dda32d0707c9abf903421fdfe06a1e0fb2
SHA5125b9479a863ce02027155ed853c11a69788c725067d494589888cc422fb820f1811e1810f57e1c1c391f6ff3918373d020244c68e47c847c22a3d437e6b0a898b
-
C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exeFilesize
6.3MB
MD50a455a8aaf98061f8bba28f34420e562
SHA1ab985a678e06351f480845488358d9bbb907467b
SHA25674620a0d5f205555107568b91f1cb8413924409aa28bdf9c95c8f6491a6580b4
SHA5129e83e03786061dfcdd3a30b2dea7511c9e0e3b3e5c6a00af1e744ee21435b086ed78ccc8c7b6098e73c413e9b71dbfb3628bb08c941e39ae5f6829e1f017294c
-
C:\Program Files\COMODO\COMODO Internet Security\cfpver.datFilesize
13B
MD502c518822af6a3faba056636f71ae17b
SHA18d3490f8496f59bb00ece161521ec252af377005
SHA256680d293f3fb99bcb3dcabf21cc1f55c9b9b3dd875affa8cc92d008c3c1db8213
SHA51244788022a71669df40a6b0409267a44a8b1b72bb1ccade1902bab2cd445e07680b4f48282a1d099d9d67bfcd8de8bdd842149cf5d018ecbc3c1a9df0d42b5cfe
-
C:\Program Files\COMODO\COMODO Internet Security\cmdcomps.dllFilesize
469KB
MD5e6961cdc65d1b2dc5eb045d222f44ee9
SHA157222c2205ea2fe6696438ad418feffbaff7da63
SHA256fc98e05adbc1447d0c14f815dcc14053378381e719028e50296eef2aaef6521e
SHA512d325e2709fbdc6bc2a35cb81aec74a5c1f682bcf3d5b5caab8bf1a3ad7cb1d40b08b25343016e2f97d26b99e5556a8e32f51e527fe3c4da6642e31712ba1aebb
-
C:\Program Files\COMODO\COMODO Internet Security\cmdres.dllFilesize
506KB
MD58ce31a119562fa5494d9413b65a2424b
SHA122f36491178485e0ce611a1cb153ec2b57a3e839
SHA256da8d2279798b0ccfc7a3523be7a095dcc6f922966287c3b7ade35ff846a897a3
SHA5122f8d8b9fe5eda630ea2f02ffd520724f8460f825ee67d7cb89d92258edcf8b405f5165375a91490e781b671361b90fcc9193da494eed593cc2278463152019d9
-
C:\Program Files\COMODO\COMODO Internet Security\drivers\win10\cesintelTDT.sysFilesize
157KB
MD56f3449cda6abe86c003c806da6f67d6d
SHA156f46f8821d5e365480cf91285ee96d296d0238c
SHA256e9d2ffd52d23e0c0bd91a57cec60c6666530289051d5ba0fe8bb948fdfba8f2a
SHA5125e0f6350cb17391a19a9fad4a2524d31e5a5c293a8aeb614b2bab86734dffc8f492b16be1c55b24710d5392e592f6ce651dfac3e01f6bbf8552d7d50eac0a963
-
C:\ProgramData\Comodo\Cis\telemetry\telemetry.v1.jsonFilesize
1B
MD568b329da9893e34099c7d8ad5cb9c940
SHA1adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA25601ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09
-
C:\ProgramData\Comodo\Cis\telemetry\telemetry.v1.xmlFilesize
468B
MD500f3eb0e5b75dc96819b496a93cda2ec
SHA1317a0659800fadc57fce20b1d075db1d5459e9aa
SHA2561691b0f879e351874e48247340c3b876c1cec5e33e143fbb34865b8c7d56d5f7
SHA51297f9d28cf1af7798654bd6e0b870a3daeaf2e3a42d014d03863d73359774759b41d498cad936744ffc2d1c7b9226f52baa4a65756b2ac2904d2e86b648564f90
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54158365912175436289496136e7912c2
SHA1813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA51274b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ce4c898f8fc7601e2fbc252fdadb5115
SHA101bf06badc5da353e539c7c07527d30dccc55a91
SHA256bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA51280fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001bFilesize
27KB
MD597f07e182259f3e5f7cf67865bb1d8f0
SHA178c49303cb2a9121087a45770389ca1da03cbcdf
SHA256c3a70f23a2cf331852a818d3f2a0cf7f048753c9b47aa4e7f0fee234c46b226c
SHA51210056ad3a71ee806a8d8aff04d513a079568bf11799016f76f27c4255be2141a4c2d99c1f46bbfde9c99ba0f8b44e780a92b59f514d3cc1c248ead915c31b5dd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD57171655b6a873cacfc51bdd30e7f9a83
SHA11480769fe25e6f10fd227b29cbed37cea1b3c27f
SHA25629e1724921c02ce8e5ccdc36399492ab6874df9373d5fc4e727aa7b0857adab1
SHA5122774bf2f4709aa4607167d07c05a90c5b1b797f8ca9575d839b1761d969d6c4b630946edb0c94211a6f957393685f1a4e914ada3bf8f2abdc39fb116d4cb83d3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5f379279965ce4b5e20b7a871e0c9ef1d
SHA1c6ecc3f2de408bb0883c160c19e17dc4a97b5c41
SHA256f9f5024787d0724de29ed65184280f8c0b7ca28772cea9f9631e94584462829f
SHA51233e29f59806d739574d9a88a49adf783a82230a7571f52a2aa431bdc0d6df40cabeae1f8b185818aae2799b89b06b105583f23a683751e80ba65f9f8fa93745f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD5392b7731e467927b9206d18bd6e71e1e
SHA108cca3c6798dc5fba8eca8a267ad982ae7635ffe
SHA256e8e08edb5ad08d12e4e318a2612a16b9186a8ab0846393a6e89ee91c4ed1b4ec
SHA512d51653e9b5a86956498b0c6fb8f4a9fcd4cb51ba0fe42f1b627ca9028369d1da4ad5be5b38a2ad15c3fe57026b18bc1a35725f4e43b91e3bc399ab154d8b5f69
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
4KB
MD505baea937d85edb8dc91cd1fc76e414a
SHA16c9034155a18ad94b743f1f64143db594ae1c2bc
SHA2564cfb659e4a8fc31050369f42fb586968b7860ef8e22ce9ed06d0910da3d278b3
SHA51244d88b4c9cb7493076a3e5da7371324caeda9a727b57685ce86ad94210f37a164c3df4b261f786fb3ac1a620cc86259767df209a08a64a61b210d4eff6f7d16b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5ee10072fd945056c1266bf66b73ee183
SHA13346c4dc767f093ed604c7189a55ad71d2277543
SHA2563b6d65f11e82765e7997ad48e751028ee96af7ed61169adcda8e702091a67c49
SHA5127b21421280b3f9e428a08d1ad66cdd7bdeb476d66622ab26c7faa43cc93bf14bf2b6176e6b797dd75aa284e4500b1ffad6d761474aa67ca0c59ab50ad0e255a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD564c2e4bb100531a8e58bf26d85fc54eb
SHA1832391fd22f4b2fadc6c1e7c401a44dff722183f
SHA25672e8d561ab947ba83c8558a5e6ae4e084d98ba7f22d93cd468f0cb2a99350045
SHA51203ce61f97640ff2a6cb774735c81a3f9ab87d995c6ff6f3e7d41d1d09275266477609ca072570791628099860532ca36821ca27add89f8aeb87ab8b7b7b03d07
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD586e3d9b8f87baa939c5b79867751feb4
SHA17fe2f6487733583d71e07d8ad7f4fe3d56383cf2
SHA256ffd19d6cd63529653bd5ba7f810a98f1f7bc54f3be62c8aec7366421ec1769df
SHA512074dc67133067f01c11fa5f5ae80eac130bdf6ee275feb1a89133f2cdba67c36908ee7cd6446d0806751b59ecd590f7a247687827e86d288b6cf51e36913b778
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD56ef66fbc66066df36048db0253d3aeea
SHA1a2d29f56e84209666ba3e6b08651f2f422e39488
SHA2566d4ed16474923d1988506d453e32c931ecd5d497515c11418caa69993bbd9591
SHA5125925bde9902032127b35da425d7058a819bf204caf20810fa8e9747e14abfe9b7ec29158dc257dd4cd1c5d54d4c703e4d7e0d765530a374b4419115f19222136
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD58e89508651db1ec1a95ac1d359c912f2
SHA18b755e73a9ed791641e971e2eb2d86a5ab530db3
SHA25664b34a54a5e8bdfb5982d15d4bf634e9dc9441175ccafc08816ccc3a7b8bf790
SHA512e3fb913892d400102e6270278f0619745137b0298cddf713ed326b479998e74cbdd7fd4d4f6d2a17ce6cc5131eda2fcc61c1a556553e627f40a1201f5f68e501
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD559de22279c79e53af7d98f4e3d918351
SHA10070b19a3bc72a03fd506c078553ff066358710b
SHA256c623e920c96daa29ae1e6160c992b0a0f84146e2b05eaf8e8a555aaa0e58fa44
SHA5120cf4e3b292087d08845b21c55f50a0cf5881defe549c356f7db111e8aa80e98a6d13784c126defd23844c192b914117f3626049bc679b8f56597e5aa36603ff3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5f557c.TMPFilesize
1KB
MD560bc670453eb01b81eedbfc22934c5c0
SHA11cfc29d89f8a81c56c7a0c99ddcf571ea5f36f40
SHA256ddfd2107984c840c125a78fdebc424fbfb21b6e3e796b8c73a56df606ff57d64
SHA512a6b198a153f332df4008fb43da0cb8a21d727a303a23f5c9fcf3d7db192d0ea86b2d222878d6fb3f034567a720c6e74ced780b20c505e83a420f05f505d65540
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD51844a6f0f58de49be9e9c07183abff07
SHA1e61e470da2843dd62c8280a737086fd41833a3fa
SHA25625ae0335f22f873222e86019633ac2063dca441ccabb18f3e70ba7c80471d627
SHA5129bdf79bd6ebc97b643614c6eff07de14f1b51e4cd3eea5f96811c763a823aa8d307ff63947613871b6992392da768f24baa9f1f05d673baa2a51b59147965fd1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5f7c2753a442ccec6fc7e5d9d28466138
SHA1ef3b64d971921947517770b8933018e872562e11
SHA256b940ec04d4e8c4770c58013bae11c26f7a8653b457734a391924a7469fefdb56
SHA51243e7e70c8ae45e42d53a700518721b8dcd99a9d951a683dd76e3db44448ec6ae8c62f75a8e352cae259c11c704a181212d6cb9f70939569016df442e005dd2ff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5cac347bc29a967945435645363451000
SHA1a4fd6367ee16e5c9d3e407988d9abcaec010d89f
SHA2569ba0e2054966e15a994208bb7ac31e79120f419b0e09672903a950033268ad12
SHA5124676a54e64320814c024adea18f4ed3b3ce00e05cc91a4b804c75cd7339435888b8d5d793da2fd5e79912f881126977c34e5fb657e4eb4e90d396f025c4429ac
-
C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.logFilesize
2KB
MD5e138addcaef0bf32e579a663ce47938c
SHA12e6e66d73a814208b1b08f3cc4351cda4026b356
SHA256d3398f07b64192043d8e003662cbf19ac9176526aeaba2134150d70254dd710b
SHA5122873ffba658406f5b967ff6a120531e12c633ec562cfe19812629c285ad40218b2672d30e22c224950bf8e7795aa5ba90cd739b213c365817fe1f50bd6309604
-
C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.logFilesize
4KB
MD537ef50e4984821f7023178c7e96742c9
SHA1b36706bda9c8cead0f5af814d0ff72040858bfbc
SHA256b729ce0404dcf72b9b071b32cb15822f3a36a5ac92d023270c2f0108297a446b
SHA5124f2187fa1876d31252ea9589d69340ca08d613fd33db818491812e5c3c2557a37f7364b5c83dae0e66cbb90a1196734ea1516c05f88b15aef079c3fdc98b06a6
-
C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.logFilesize
5KB
MD50a96280f2437df10b54d79d84102097d
SHA1a7b93d9692807a726573bc8f803a18d0117a0cbe
SHA256b2606446670a2c8f58f6b0f8ad071c12a1e5609a9c13a148a9649db34dfa32fc
SHA5123893d867970f9e4b5eeeda7f17e84eaad14ec4653c0fa7c9fce1fdeaad0a9f3c439a9bc0ac8ac64b721a77cc4556121c7bdce3e1dd4f9f408cbf6483b1a60a08
-
C:\Users\Admin\AppData\Local\Temp\COMODO Internet Security dbgout.logFilesize
6KB
MD54d17390f1f4c246a86dcbb578f2cd9e8
SHA1a229aa6ed8d7d91cfc1fe36da443505020681fcc
SHA256d2f98f7ef20639625395180cc7ead228cb8000bae279b636861901644664e236
SHA512ddd2d57edfa5354a59d85890e98c5a07e2727eb7cf1998d4314e240c865bba9420b27783e71b4b4a24ce25772df9a8c7e37ba152c570873f495020b701ddb8cb
-
C:\Users\Admin\AppData\Local\Temp\Google Root.exeFilesize
211KB
MD590b0dacdb9974cb1f970960e3c082167
SHA1921e17c1f9b6803ec6be7b4cde70e81e1163fd3d
SHA256071fc19802f6780857fc4a516f64df6673cadba104828d7b2f11ed5fdf8e43c3
SHA512798ab85ccb0be6e565552321feb3bb71e45d8de0028e2ce6a37c2411341ab8b036f60febcc1199eab4e645727498310ea6737e9d7eedf582aebc8173ea6f80b2
-
C:\Users\Admin\AppData\Local\Temp\Google Root.exe.tmpFilesize
91B
MD5ee12072e5fc456ef60f7d660123c573a
SHA1255e26114a87c5913088a7684c47965d93223253
SHA2569fb3fe364ca8429f4a0c6d8275a0012220096e3cba9eca4152283bb340a89f90
SHA512c88e63581bd12bdac55acaae967cb63933031f58de2e56c575e7fa1c27e3da47532297eee02fb2658e7318d996e201e4633baf7bda6dab5d4cc29b3a6f10a22f
-
C:\Users\Admin\AppData\Local\Temp\tmp_069774d5e7e16156f22864e975acb27a85467aae\ITSM.msiFilesize
94.2MB
MD5e2b59dcb015772c7a32dfee1e3e4dd79
SHA17be45eaac380719fc93472c9e39f0f243d8ad709
SHA2565cfad0e9c3cd18d2b3f4123edb0ebd7a84a23b59c8593210cee9e537ad70d511
SHA5121856fe9e3df5ce26ede51394a7e98894aa069ca625b9e90352adc8d5a9ea325100da34578edba70384bca504ac65e59db69d86dfb087229ab81c0faf3242c5f5
-
C:\Users\Admin\AppData\Local\Temp\tmp_069774d5e7e16156f22864e975acb27a85467aae\enrollment_config.iniFilesize
153B
MD5844f2e62a6767c5e6f7f106a8901d86f
SHA1df1263768cf8499cb153568da22733b8a023c808
SHA2565bc400bfa55a33a204bdb54d3c22bb1e94907d2ea10c8f0d1b35fba58d3123a4
SHA512c733548f9fee7c9874fc2ab90e378b56e00e80022a08cb6a1b2ab2003eaf154f9317892c205e25bc6e48144fe4ba02e5f658f50a9a772f1d1ba9bf3f05830dba
-
C:\Users\Admin\AppData\Local\Temp\tmp_069774d5e7e16156f22864e975acb27a85467aae\itsm_offline.mstFilesize
20KB
MD571cdc4994caf6c6e74f84d7cb7b83434
SHA112d401557e8449ef10fc6f6a5bf3ed3a1ff8c4ca
SHA256801120688851b74636a9bbb3c620ff2d34f7dec9a6602fb72be96fdda72c12d5
SHA51293a2e768648b7a23c5818f2c188ea96550ce9cc2eca519a4b1cee9d7f044752ff2d8ec7c07e3b06fc862e0b5e49eb4302195bc5c11eb33afc21e1e684cacb1c9
-
C:\Users\Admin\AppData\Local\Temp\tmp_069774d5e7e16156f22864e975acb27a85467aae\offlineinstaller.exeFilesize
249KB
MD5cc56a58b2adf5ae4b777a9ce95c2e158
SHA17ea03b2c65d6b19bd8a1c7fdeefe0fe9f946c281
SHA256284c0e52432dbe2fcc60beaa6c1368069d9cfce9bb1dd8596b1fdb8a82b247d2
SHA512a7d4294bd3116a0f5e9fd5e91924a3708f3fdc06767319c14c817459fe7ed44ee16b0ac244195dd8e544444a9fa303df4021af6d8f68736006b32a2ef75d3aae
-
C:\Users\Admin\AppData\Local\Temp\tmp_069774d5e7e16156f22864e975acb27a85467aae\profile.binFilesize
33KB
MD5105b5e307618d42dc75442f86da329b3
SHA188411ca9bbfa4b8367128199c13347212ec8f17a
SHA2561dd8c55403d4b791ae6be1ccaac3245883e1f7c464526bf5206a64ea0bced8fa
SHA512159e9dd3a8e9318bfe1afa99daeda8e1595913532df9c6c50a6d1b3f54f7ec44e3d2c5697b4c5edd3f6092209cf8fbdacd41e6f3645a3de77bef021fd655af8f
-
C:\Users\Admin\AppData\Local\Temp\{2cb07e0b-e9a9-7746-afe9-c077f5812ee9}\ceserd.sysFilesize
56KB
MD51e1860631959accbdb14b012338d28d6
SHA1cefb85c24528de44f89d5b0f5a3b893e90c65f4f
SHA2562f8ad98389cb6c12fc217f717478b9d4008e3f8ba9446d29786d68306ce6d9cc
SHA512b425e2ee4d663cd92d5afb0a36ce224c77beb13ac03c51001c4c328efb674e814c4d8a84750389c97b8fab51e04e961d01c5ec1cad25990e1fea3d2f3e0db372
-
C:\Users\Admin\AppData\Local\Temp\{2cb07e0b-e9a9-7746-afe9-c077f5812ee9}\cesguard.sysFilesize
1.0MB
MD56d6282254f9f7a2714f996936d06b795
SHA123973edcddcdfad185edb1d5ad018f9b46ba9bd3
SHA256c686e1485ab94879d50f0d3a115dfa9658af708600cdce2296df541fdf907ce5
SHA5128486fe12aa6639442f8ffd4cf3cc3f7af60811907266f3cca02fc220fd16465e7fcd8fec91a94b7efbef680c0006e2120709e5aa33bc3ae14038f0c7c883e36c
-
C:\Users\Admin\AppData\Local\Temp\{c34a78f6-0774-364d-864b-cfc03427477b}\ceskbdflt.sysFilesize
46KB
MD57386afea5456926cebfd711a96dafe7d
SHA17b38ee8a1b551d275bde396a3d8f341c7b51cdc5
SHA25612c54c8a1b7da0bcae917053da80d8e5873d6d4314323695f284a31d3a76f2e8
SHA512832c9361601431aeb1986d89ba9de99b59ff6292ee29835f4a95b6bed0127ed2ed4828e93f0e3bbed28cf16931fcb87649a7dd51ea010727780e764b94448083
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f50e774e1527ce0a.customDestinations-msFilesize
9KB
MD503e55e265d1efa7df80cc49b409da535
SHA1a4f39dee8b3a17d243ffb08315983666f35ae8a4
SHA2567d14aeab7854effb7aff831fe156b2caf2cf86d7225e9146989f692655f7d89f
SHA5126e993bdd0b9d7d7adcbb5325dd8ebe0d20bc98c0537505d48120f72b6fd93277a896929841bce8ff20d9b1773113f5b257b6448388ea034ac8924f4a90ff0256
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f50e774e1527ce0a.customDestinations-msFilesize
9KB
MD57580dc441d7cda6e315f5d43909a1d35
SHA132f5adecd48fdd1701dd5d3ffc6252c12a1a4c5b
SHA256225fd5ad5b68f4414bd6013f0f471ae49a0ec505f811334d56fb72ebb8d94162
SHA512b2b3bc98f24feeb038b49269d8ac510f267dacec86f9a7b3edba487129f74e09ea77e5ab188c87408e2167057b7b990b29efcd12fd9c6496a800b099922782eb
-
C:\Windows\Installer\MSI145.tmpFilesize
284KB
MD532731da6af4165f2824ec7ec9c099a79
SHA18fcfea49de0ca0bf1d233097d68c6f466625d70e
SHA25643d4a3df46ab2a9d299ec097587cd024f928eadda6264dd38beeb328260e429b
SHA5127e49420d2db94b96b04cd46bf90f787c5f3399a9f6e6e397a0ef0b14c6d2ac8a93b34a5042a76f06c5dc4b09228a67924c30b89d3d42a7d12597e7bb59498654
-
C:\Windows\Installer\MSI26F.tmpFilesize
203KB
MD5d53b2b818b8c6a2b2bae3a39e988af10
SHA1ee57ec919035cf8125ee0f72bd84a8dd9e879959
SHA2562a81878be73b5c1d7d02c6afc8a82336d11e5f8749eaacf54576638d81ded6e2
SHA5123aaf8b993c0e8f8a833ef22ed7b106218c0f573dcd513c3609ead4daf90d37b7892d901a6881e1121f1900be3c4bbe9c556a52c41d4a4a5ec25c85db7f084d5e
-
C:\Windows\Installer\MSI436B.tmpFilesize
635KB
MD5167213d916aff015c31bb8a080970e29
SHA103bb35551676f1e48795571d1bff8a8eb11db357
SHA256a3d64decf8ceb717d1c099aed4bc5a4349426e3ceadb608b8d3e1d7091a7a3bc
SHA5121aa6e245310e01e134ae9407028d4e30371a0f756718bc19df01bb8c7a3b7e935da681cc1c9d53ac0c4f8e89de599071abab5a1b11cea567cc0830e91324dc1e
-
C:\Windows\Installer\MSI4B21.tmpFilesize
181KB
MD568655664b2e3c9d58ab731dfd6f106e1
SHA1c91b9bea0f640914430f42a1c00435c637b6e299
SHA25664c93df9217f6f9e8bb2f1594d5591a8278ebde9939e174216b523442b828522
SHA512029908ff1de09c5f5907908ba1774e3a35934bafac5bc2da385823ae1cc9c69ad441cd47e44754090c665f4d426ccd5727fc753409274b6a1c98e37a95923751
-
C:\Windows\Installer\MSIE990.tmpFilesize
127KB
MD593394d2866590fb66759f5f0263453f2
SHA12f0903d4b21a0231add1b4cd02e25c7c4974da84
SHA2565c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b
SHA512f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622
-
C:\Windows\Installer\e5f3d3a.msiFilesize
5.7MB
MD5e144e4cf617b51b0ddc4af8281a2f62c
SHA101d806fbd0aa38ca35d8c4645df0fc2caa2bf6c1
SHA256d94c88521ef8f9e6edaa7abd2deba37ba038d8e82af79892335a0041a92c547f
SHA512479f434bd8aa888b824113c99927e901ec016739e4977a4dfdcff07eea05f649e423e41e1c3c7abe48aa6a639f1a3dc99615f83ff4e65422ac11b124a7949147
-
C:\Windows\System32\DriverStore\Temp\{6e025dbb-63f2-b346-86c2-0cd48c6e9f30}\SET8AB5.tmpFilesize
11KB
MD5dc8ebe0964d003b760f3ae9057365441
SHA1139632d6477added77d4f846ce585d7498dfd1a9
SHA2560457e7e0164720d7da75ba2ce981cdbf93dd4d03c5a752ebf27ce14d57511c40
SHA51239144bf9d2910a0f111188b1b1f8232a1f0639f8a27ffcfbc431e8b36a05d248698f0c8991b6a6b578dd414dfa5d2346df3cdcc62caacc1c4f0a8d57ca616384
-
C:\Windows\System32\DriverStore\Temp\{6e025dbb-63f2-b346-86c2-0cd48c6e9f30}\SET8AC5.tmpFilesize
2KB
MD5040c544ba7cd19fda257f665547b02be
SHA1eb6740d0f16dcc41adb21a7cb7aadc029447a1b9
SHA2564b6ed377ac81e7e273b58d97b8bbe1149245bffb78885815d492cdc9f7b72fa0
SHA51226603ed633781633d99c114cb22e57a243c9463fd846df3f2e30e7c90ab4c899633fdd1a574b43826f481163f574c4f32221937bdcfc305634a2d3ddf9edbc70
-
C:\Windows\System32\DriverStore\Temp\{71c81925-2576-7d48-aa8e-87ac1801cc39}\SET87B8.tmpFilesize
12KB
MD59d20d2d47022ee7f8011cda3cb03fa5a
SHA1fb49bc4d65e2456e8ef0c08dc7b154f4af6ccc40
SHA256aaceab28888865f278766dd1f926234ae5c5f3096758989649e7c1f3a9097b0a
SHA51275ad0a5f3289766bde4e3e3b80dca03ddac4d66273a9b39d09ca195c2d8819a7b4adad6acaf2133efa209f93e188869a20007244911c5d03bc5e744627c8f885
-
C:\Windows\System32\DriverStore\Temp\{71c81925-2576-7d48-aa8e-87ac1801cc39}\SET87B9.tmpFilesize
4KB
MD5c8755f46e4cf63f0ae772f62ba3ea4b0
SHA12f4757978bb43d41fa8d4e9f4afa45e1574d7399
SHA256d3b6dd2646f11a33614c39702e561af2a4031128373f223b7719984032af34f7
SHA5121308be0c373efef6edbfb3994834665d136342aeb09b75cad6379100eea8874fa0d0d0a86a1d6d0368cf42496a5347d3f4c2d7687f53e40d3a3d53b7d7c220b9
-
C:\Windows\System32\catroot2\dberr.txtFilesize
20KB
MD528f5ffcdf74a20572dfada827e0e3dd1
SHA16921c14eb460a3ec919dd6211eccb004a6abe6e1
SHA2564d348f0822051efd7b78cbded26f4becac046e60e23314e6ba65cb44496f7a50
SHA51224be9b35ea2d7a211245ecf2bf145dd0bff4533081e0a31248237e5947c060a7140ce7bdee905d09cf5f45961106ff60c276f065963d804bac091620293af8e2
-
C:\Windows\System32\drivers\cesboot.sysFilesize
15KB
MD5e887953162c1a92d45f8621c27943053
SHA12a1547af1744bab80f93746c60f7f7c2da9399f8
SHA256b28c0cfe35c2714fdfc1cbe6f07a01bf2e5ef3ca18d4e0326d39dd5f86a76a6a
SHA51224a7934f86a4ec7bcd7cffb352ac3d491a44e4097a178b8fb318713a773841f8e089afcc0d1b3f25c784c42c57f5177871dbdf0f916d5758a7742aae221e8ab0
-
\??\pipe\LOCAL\crashpad_4592_XXMWYMIBOTRFVIUGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1348-1134-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/1348-878-0x00007FFA14600000-0x00007FFA14610000-memory.dmpFilesize
64KB
-
memory/1348-880-0x0000012BDD870000-0x0000012BDD871000-memory.dmpFilesize
4KB
-
memory/1348-879-0x00007FFA14600000-0x00007FFA14610000-memory.dmpFilesize
64KB
-
memory/1348-6890-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/1896-995-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/2460-6981-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-872-0x00007FFA14600000-0x00007FFA14610000-memory.dmpFilesize
64KB
-
memory/3640-1708-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-7241-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-7183-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-7072-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-7114-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-1136-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-6988-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-7139-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-7026-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-6230-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-6203-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-6888-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3640-871-0x00007FFA14600000-0x00007FFA14610000-memory.dmpFilesize
64KB
-
memory/3640-6889-0x0000029C3CB20000-0x0000029C3CBB1000-memory.dmpFilesize
580KB
-
memory/3640-1133-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3920-7099-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3920-7129-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3920-7255-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3920-7029-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3920-6991-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3920-7203-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3920-7057-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/3920-7165-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/4040-21-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmpFilesize
10.8MB
-
memory/4040-17-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmpFilesize
10.8MB
-
memory/4040-13285-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmpFilesize
10.8MB
-
memory/4040-19-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmpFilesize
10.8MB
-
memory/4040-20-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmpFilesize
10.8MB
-
memory/4900-6782-0x00007FFA14600000-0x00007FFA14610000-memory.dmpFilesize
64KB
-
memory/4900-6792-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/4928-4-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmpFilesize
10.8MB
-
memory/4928-0-0x00007FF9F65B3000-0x00007FF9F65B5000-memory.dmpFilesize
8KB
-
memory/4928-1-0x0000000000BD0000-0x0000000000C0A000-memory.dmpFilesize
232KB
-
memory/4928-16-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmpFilesize
10.8MB
-
memory/4928-2-0x0000000002C60000-0x0000000002C6E000-memory.dmpFilesize
56KB
-
memory/5044-7186-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/5044-6992-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/5044-7244-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/5044-7044-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/5044-7142-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/5044-7090-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB
-
memory/5044-7130-0x00007FFA14610000-0x00007FFA14805000-memory.dmpFilesize
2.0MB