Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2024 01:41

Static task: static1

Behavioral task: behavioral1
Sample: a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe
Resource: win10v2004-20240730-en

General
Target: a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe
Size: 1.9MB
MD5: 60fd2d6645e5b41740828e73d4040d5f
SHA1: c135e0d348ff99c0155b88ef3ab603fed3018c8c
SHA256: a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd
SHA512: ed2a187666f23fb12d585611b5cf947b00ef881345aa57a96bb3f81883c3ec7a750c4044d0d7e1c64c00764e4f9e9b86147423b4506343c1c1efba1f04192b84
SSDEEP: 49152:g04/3N9QDpjQgodOKqtuIGSPMunSeKRj/xo4012F:54VspjQgoYuknnS5li4
Malware Config

Extracted: amadey
  4.41
  fed3aa
  http://185.215.113.16
  install_dir: 44111dbc49
  install_file: axplong.exe
  strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
  url_paths: /Jo89Ku7d/index.php

Extracted: redline
  exodusmarket.io
  91.92.240.111:1334

Extracted: quasar
  1.4.1
  Office04
  51.222.21.20:4782
  374acc94-a8cd-45c6-bc31-752e0f83541d
  encryption_key: 5B2A5F50FABB3F6748116D7077D95758D0DFFC77
  install_name: svchost.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: svchost
  subdirectory: SubDir
Signatures
Quasar payload 2 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\adada.exe | family_quasar
  behavioral2/memory/3788-1617-0x0000000000F40000-0x0000000001264000-memory.dmp | family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/5108-72-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline

SectopRAT payload 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/5108-72-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes: axplong.exe, axplong.exe, a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe, axplong.exe, axplong.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Creates new service(s) 2 TTPs

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: axplong.exe, axplong.exe, axplong.exe, axplong.exe, a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe

Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe, axplong.exe, jsawdtyjde.exe, clamer.exe, RegAsm.exe, dropperrr.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation | a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation | axplong.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation | jsawdtyjde.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation | clamer.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation | RegAsm.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation | dropperrr.exe

Executes dropped EXE 24 IoCs
Processes:
  pid | process
  1600 | axplong.exe
  4828 | jsawdtyjde.exe
  692 | clamer.exe
  2008 | thkdh.exe
  1576 | deepweb.exe
  4972 | axplong.exe
  2264 | rqqsv.exe
  1304 | pureee.exe
  3788 | adada.exe
  532 | dropperrr.exe
  5800 | svchost.exe
  6072 | axplong.exe
  928 | python_x86_Lib.exe
  5716 | ITSMService.exe
  3048 | ITSMAgent.exe
  5724 | ITSMAgent.exe
  3648 | ITSMAgent.exe
  1540 | RmmService.exe
  1180 | RmmService.exe
  4072 | RmmService.exe
  5516 | RmmService.exe
  5324 | svchost.exe
  2016 | axplong.exe
  4544 | gtgpwwjkduow.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes: axplong.exe, axplong.exe, a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe, axplong.exe, axplong.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Software\Wine | a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Software\Wine | axplong.exe

Loads dropped DLL 64 IoCs
Processes (64 load events; the table repeats the same pid/process pairs, listed here once each):
  pid | process
  4128 | MsiExec.exe
  1324 | MsiExec.exe
  5716 | ITSMService.exe
  3048 | ITSMAgent.exe
  5724 | ITSMAgent.exe
  3648 | ITSMAgent.exe
  1540 | RmmService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
Processes: msiexec.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Endpoint Manager = "C:\\Program Files (x86)\\COMODO\\Endpoint Manager\\ITSMAgent.exe" | msiexec.exe

Blocklisted process makes network request 2 IoCs
Processes: msiexec.exe
  flow | pid | process
  36 | 5164 | msiexec.exe
  38 | 5164 | msiexec.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs
Processes: ITSMService.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\ | ITSMService.exe
  Delete value | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity | ITSMService.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity | ITSMService.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm | ITSMService.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm | ITSMService.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS | ITSMService.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS | ITSMService.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm | ITSMService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  description | ioc | process
  File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (each of these 23 drive letters is opened twice, giving the 46 IoCs; C:, D: and F: do not appear) | msiexec.exe

Drops file in System32 directory 6 IoCs
Processes: ITSMService.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | ITSMService.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E455012CBF4BA8A2AC67618C00590908 | ITSMService.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | ITSMService.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E455012CBF4BA8A2AC67618C00590908 | ITSMService.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | ITSMService.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | ITSMService.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
  pid | process
  3936 | a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe
  1600 | axplong.exe
  4972 | axplong.exe
  6072 | axplong.exe
  2016 | axplong.exe

Suspicious use of SetThreadContext 4 IoCs
Processes: deepweb.exe, pureee.exe, gtgpwwjkduow.exe
  description | pid | process | target process
  PID 1576 set thread context of 5108 | 1576 | deepweb.exe | RegAsm.exe
  PID 1304 set thread context of 5160 | 1304 | pureee.exe | AddInProcess.exe
  PID 4544 set thread context of 5264 | 4544 | gtgpwwjkduow.exe | conhost.exe
  PID 4544 set thread context of 5912 | 4544 | gtgpwwjkduow.exe | explorer.exe

Drops file in Program Files directory 64 IoCs
Processes:
  python_x86_Lib.exe

Drops file in Windows directory 21 IoCs
Processes: msiexec.exe, MsiExec.exe, a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe, thkdh.exe
  description | ioc | process
  File opened for modification | C:\Windows\Installer\e59263b.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI30C0.tmp | msiexec.exe
  File created | C:\Windows\Installer\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\icon.ico | msiexec.exe
  File opened for modification | C:\Windows\Installer\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\icon.ico | msiexec.exe
  File created | C:\Windows\Installer\e59263b.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI2B9D.tmp | msiexec.exe
  File created | C:\Windows\Installer\wix{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}.SchedServiceConfig.rmi | MsiExec.exe
  File created | C:\Windows\Installer\e59263d.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI5562.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI288D.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI28DC.tmp | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{373FFE70-5FF7-492D-A2F4-0C6A15D8D503} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI2BDD.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3228.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI418B.tmp | msiexec.exe
  File created | C:\Windows\Tasks\axplong.job | a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe
  File created | C:\Windows\Tasks\Test Task17.job | thkdh.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI2B5E.tmp | msiexec.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  5320 | sc.exe
  5508 | sc.exe
  4752 | sc.exe
  4948 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: python_x86_Lib.exe, RmmService.exe, thkdh.exe, RegAsm.exe, rqqsv.exe, dropperrr.exe, MsiExec.exe, cmd.exe, ITSMService.exe, cmd.exe, RmmService.exe, ITSMAgent.exe, ITSMAgent.exe, RmmService.exe, RmmService.exe, powershell.exe, a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe, axplong.exe, deepweb.exe, MsiExec.exe, cmd.exe, ITSMAgent.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | one row for each of the 22 processes listed above, in that order

Modifies data under HKEY_USERS 56 IoCs
Processes:
  ITSMService.exe, msiexec.exe, python_x86_Lib.exe

Modifies registry class 26 IoCs
Processes:
msiexec.exe, ITSMService.exe, dropperrr.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07EFF3737FF5D2942A4FC0A6518D5D30 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX11\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CDM | ITSMService.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\ProductIcon = "C:\\Windows\\Installer\\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\\icon.ico" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\DirectX11\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\ProductName = "Endpoint Manager Communication Client" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\PackageName = "em_TaWHWZA1_installer_Win7-Win11_x86_x64.msi.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CDM\proxy = "false" | ITSMService.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\PackageCode = "D7076E96D3235814DB26ACC95D2BAD84" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Version = "151109272" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\DeploymentFlags = "3" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000_Classes\Local Settings | dropperrr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061\07EFF3737FF5D2942A4FC0A6518D5D30 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Media\1 = ";" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07EFF3737FF5D2942A4FC0A6518D5D30\DefaultFeature | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Language = "0" | msiexec.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe
pid | process
4828 | schtasks.exe
5484 | schtasks.exe
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes:
ITSMAgent.exe, ITSMAgent.exe, ITSMAgent.exe
pid | process
3048 | ITSMAgent.exe
5724 | ITSMAgent.exe
3648 | ITSMAgent.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe, axplong.exe, axplong.exe, RegAsm.exe, pureee.exe, axplong.exe, msiexec.exe
pid | process (consecutive identical entries collapsed, count shown)
3936 | a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe ×2
1600 | axplong.exe ×2
4972 | axplong.exe ×2
5108 | RegAsm.exe ×2
1304 | pureee.exe ×28
6072 | axplong.exe ×2
1304 | pureee.exe ×18
4956 | msiexec.exe ×2
1304 | pureee.exe ×6
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
RegAsm.exe, adada.exe, svchost.exe, pureee.exe, AddInProcess.exe, msiexec.exe, msiexec.exe, vssvc.exe, MsiExec.exe
description | pid | process
Token: SeDebugPrivilege | 5108 | RegAsm.exe
Token: SeDebugPrivilege | 3788 | adada.exe
Token: SeDebugPrivilege | 5800 | svchost.exe
Token: SeDebugPrivilege | 1304 | pureee.exe
Token: SeLockMemoryPrivilege | 5160 | AddInProcess.exe
Token: SeLockMemoryPrivilege | 5160 | AddInProcess.exe
Token: SeShutdownPrivilege | 5164 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5164 | msiexec.exe
Token: SeSecurityPrivilege | 4956 | msiexec.exe
Token: SeCreateTokenPrivilege | 5164 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 5164 | msiexec.exe
Token: SeLockMemoryPrivilege | 5164 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5164 | msiexec.exe
Token: SeMachineAccountPrivilege | 5164 | msiexec.exe
Token: SeTcbPrivilege | 5164 | msiexec.exe
Token: SeSecurityPrivilege | 5164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5164 | msiexec.exe
Token: SeLoadDriverPrivilege | 5164 | msiexec.exe
Token: SeSystemProfilePrivilege | 5164 | msiexec.exe
Token: SeSystemtimePrivilege | 5164 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 5164 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 5164 | msiexec.exe
Token: SeCreatePagefilePrivilege | 5164 | msiexec.exe
Token: SeCreatePermanentPrivilege | 5164 | msiexec.exe
Token: SeBackupPrivilege | 5164 | msiexec.exe
Token: SeRestorePrivilege | 5164 | msiexec.exe
Token: SeShutdownPrivilege | 5164 | msiexec.exe
Token: SeDebugPrivilege | 5164 | msiexec.exe
Token: SeAuditPrivilege | 5164 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 5164 | msiexec.exe
Token: SeChangeNotifyPrivilege | 5164 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 5164 | msiexec.exe
Token: SeUndockPrivilege | 5164 | msiexec.exe
Token: SeSyncAgentPrivilege | 5164 | msiexec.exe
Token: SeEnableDelegationPrivilege | 5164 | msiexec.exe
Token: SeManageVolumePrivilege | 5164 | msiexec.exe
Token: SeImpersonatePrivilege | 5164 | msiexec.exe
Token: SeCreateGlobalPrivilege | 5164 | msiexec.exe
Token: SeBackupPrivilege | 3248 | vssvc.exe
Token: SeRestorePrivilege | 3248 | vssvc.exe
Token: SeAuditPrivilege | 3248 | vssvc.exe
Token: SeRestorePrivilege / SeTakeOwnershipPrivilege (alternating pair, ×9) | 4956 | msiexec.exe
Token: SeShutdownPrivilege ×3 | 1324 | MsiExec.exe
Token: SeRestorePrivilege | 4956 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4956 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 24 IoCs
Processes:
a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe, AddInProcess.exe, msiexec.exe, ITSMAgent.exe
pid | process (consecutive identical entries collapsed, count shown)
3936 | a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe
5160 | AddInProcess.exe
5164 | msiexec.exe
3048 | ITSMAgent.exe ×8
5164 | msiexec.exe
3048 | ITSMAgent.exe ×12
-
Suspicious use of SendNotifyMessage 20 IoCs
Processes:
ITSMAgent.exe
pid | process
3048 | ITSMAgent.exe ×20
-
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
ITSMService.exe, ITSMAgent.exe, ITSMAgent.exe, ITSMAgent.exe
pid | process (consecutive identical entries collapsed, count shown)
5716 | ITSMService.exe ×9
3048 | ITSMAgent.exe
5716 | ITSMService.exe
5724 | ITSMAgent.exe
3648 | ITSMAgent.exe
5716 | ITSMService.exe ×4
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe, axplong.exe, jsawdtyjde.exe, cmd.exe, clamer.exe, deepweb.exe, RegAsm.exe, adada.exe, svchost.exe, pureee.exe, dropperrr.exe, msiexec.exe, MsiExec.exe
description | pid | process | target process (consecutive identical entries collapsed, count shown)
PID 3936 wrote to memory of 1600 | 3936 | a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe | axplong.exe ×3
PID 1600 wrote to memory of 4828 | 1600 | axplong.exe | jsawdtyjde.exe ×2
PID 4828 wrote to memory of 3164 | 4828 | jsawdtyjde.exe | cmd.exe ×2
PID 3164 wrote to memory of 692 | 3164 | cmd.exe | clamer.exe ×2
PID 692 wrote to memory of 2008 | 692 | clamer.exe | thkdh.exe ×3
PID 1600 wrote to memory of 1576 | 1600 | axplong.exe | deepweb.exe ×3
PID 1576 wrote to memory of 1324 | 1576 | deepweb.exe | RegAsm.exe ×3
PID 1576 wrote to memory of 5108 | 1576 | deepweb.exe | RegAsm.exe ×8
PID 5108 wrote to memory of 1304 | 5108 | RegAsm.exe | pureee.exe ×2
PID 5108 wrote to memory of 3788 | 5108 | RegAsm.exe | adada.exe ×2
PID 5108 wrote to memory of 532 | 5108 | RegAsm.exe | dropperrr.exe ×3
PID 3788 wrote to memory of 4828 | 3788 | adada.exe | schtasks.exe ×2
PID 3788 wrote to memory of 5800 | 3788 | adada.exe | svchost.exe ×2
PID 5800 wrote to memory of 5484 | 5800 | svchost.exe | schtasks.exe ×2
PID 1304 wrote to memory of 5160 | 1304 | pureee.exe | AddInProcess.exe ×14
PID 532 wrote to memory of 5164 | 532 | dropperrr.exe | msiexec.exe ×2
PID 4956 wrote to memory of 4128 | 4956 | msiexec.exe | MsiExec.exe ×3
PID 4956 wrote to memory of 1324 | 4956 | msiexec.exe | MsiExec.exe ×3
PID 1324 wrote to memory of 5640 | 1324 | MsiExec.exe | cmd.exe ×3
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\1000057001\jsawdtyjde.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000057001\jsawdtyjde.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\system32\cmd.exe (level 4)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe (level 5)
Command line: clamer.exe -priverdD
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe (level 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe"
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000058001\deepweb.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 4)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID:1324
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 4)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\pureee.exe (level 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\pureee.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe (level 6)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=50
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5160 -
C:\Users\Admin\AppData\Local\Temp\adada.exe (level 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\adada.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SYSTEM32\schtasks.exe (level 6)
Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:4828 -
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe (level 6)
Command line: "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5800 -
C:\Windows\SYSTEM32\schtasks.exe (level 7)
Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:5484 -
C:\Users\Admin\AppData\Local\Temp\dropperrr.exe (level 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\dropperrr.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\System32\msiexec.exe (level 6)
Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DirectX11\em_TaWHWZA1_installer_Win7-Win11_x86_x64.msi.msi"
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5164
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4972
-
C:\ProgramData\wvvauqk\rqqsv.exe (level 1)
Command line: C:\ProgramData\wvvauqk\rqqsv.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2264
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6072
-
C:\Windows\system32\msiexec.exe (level 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\syswow64\MsiExec.exe (level 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8C59B162EF6824E4D427ECBC9672A954
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4128 -
C:\Windows\syswow64\MsiExec.exe (level 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1E8FC18D300BDFF4BC7F9314448E7035 E Global\MSI0000
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: "C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\COMODO\Endpoint Manager\" && "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe" "
- System Location Discovery: System Language Discovery
PID:5640 -
C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe (level 4)
Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:928 -
C:\Windows\SysWOW64\cmd.exe (level 5)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
- System Location Discovery: System Language Discovery
PID:5632
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3248
-
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe (level 1)
Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe"
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5716 -
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe (level 2)
Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3048 -
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe (level 2)
Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe" noui
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5724 -
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe (level 2)
Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3648 -
C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe (level 2)
Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --start
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1540
-
C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
PID:6100
-
C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe (level 1)
Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe (level 2)
Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --run_procedure --in Global\sharedInputMemory_1 --out Global\sharedOutputMemory_2 --err Global\sharedErrorMemory_3
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4072 -
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\'""
- System Location Discovery: System Language Discovery
PID:5460 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
Command line: powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:5524 -
C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe (level 2)
Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --run_procedure --in Global\sharedInputMemory_4 --out Global\sharedOutputMemory_5 --err Global\sharedErrorMemory_6
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5516 -
C:\Windows\system32\cmd.exe (level 3)
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID:5836
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe (level 4)
Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
- Executes dropped EXE
PID:5324 -
C:\Windows\system32\sc.exe (level 5)
Command line: C:\Windows\system32\sc.exe delete "CWRWVXLO"
- Launches sc.exe
PID:4948 -
C:\Windows\system32\sc.exe (level 5)
Command line: C:\Windows\system32\sc.exe create "CWRWVXLO" binpath= "C:\ProgramData\uyrlkcqvoccj\gtgpwwjkduow.exe" start= "auto"
- Launches sc.exe
PID:5320 -
C:\Windows\system32\sc.exe (level 5)
Command line: C:\Windows\system32\sc.exe stop eventlog
- Launches sc.exe
PID:5508 -
C:\Windows\system32\sc.exe (level 5)
Command line: C:\Windows\system32\sc.exe start "CWRWVXLO"
- Launches sc.exe
PID:4752
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2016
-
C:\ProgramData\uyrlkcqvoccj\gtgpwwjkduow.exe (level 1)
Command line: C:\ProgramData\uyrlkcqvoccj\gtgpwwjkduow.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4544 -
C:\Windows\system32\conhost.exe (level 2)
Command line: C:\Windows\system32\conhost.exe
PID:5264
-
C:\Windows\explorer.exe (level 2)
Command line: explorer.exe
PID:5912
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
- System Services (2): Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (2): Credentials In Files (2)
Downloads
SHA1c9eaa86f232bad7debc1cedf933e650f03b766f5
SHA256cca4d83364f27c3a259f42e23d06aee41e3bb66147d4f7978cf6306849a641ed
SHA51259bb588cc88d3b981315b401528b04b9a522612db6b3f7041209f2b23a54b7ae394582c5cf68051c7f39ac70ec453c7633c9793512aa506a1cf4c4b0bd9de9e7
-
Filesize
33KB
MD57b32111028117df482103f82a6e0ed5a
SHA187bd88cd036ee87a375a678320c8382462579542
SHA256cf3dd4c0f6fe4c037759876afae2242a9d45fb0edc898a425c9fe7552e662cb6
SHA512b3893e49e4b3cf42c08af371638cb841169a7dfefb6aef3eddb89c8f1cb1476a39c87b2d14e19d15f5ffc4032c35f617b698e56d17a8779e2b76ceeea04d7443
-
Filesize
33KB
MD50c92644aa7036625763b213e1bb3def7
SHA15494b08da8ee019b5fc2f3ce3fcd804c85c61984
SHA2566f8231165cd6dd778749160a05584f992f1b3e26d0c7005d347f9d64a278e337
SHA512b972c4ddb095529c5eea2fecdd064a62517df774aad5da3ef8225ab1e9150912f3257d9aa8d47823f264536cca3dbca52c97d6d1b84e3109ed3a3ad4488905d7
-
Filesize
33KB
MD5e1260f5c966fa5287b009e04d61405ea
SHA164dff576186103ecc3589d9c09777e26e6b4c7eb
SHA25627fb107ae1d85f7e2623d4d9542153dc3d6374d674cc7f447b0cf8e738b44e1b
SHA51298535827ae3d05bfee0dd0fa04a4207f07e09e56c2097286c2cfcfa77f1cb475e338ebd3486730487e05f9f79ffbbed6314053af5544724e0cbf7e5e8fdaf019
-
Filesize
32KB
MD53fd44c30c0b8fe55da82b5cb06a1600f
SHA1832baf690603ed1f765b745d5f6f5b65d9b57e3b
SHA256d4d4947ae0615661c839d3ee698d989ad1d256ae34e65aad097e47728e6026d6
SHA5121f8c2c20dc70b02495a814615f0e520d6d64071533c4adefc5d1dfd718b8e37c67830097f15ebfc7e3b513d602c11be809dbb9d97fde795cbddaeca59aca321f
-
Filesize
33KB
MD54101b8be4abd8f7aef9fd08dbccd50ba
SHA1e50f391db528a01afc8e7876fe74adbd534937b5
SHA25633786dcaa84bd8f8d31b16cd3df677e8bcfafdeed5e76964654c02cd677030d8
SHA5125732f45a1fc3105922769deca76190d15a7d52dd49218616cb5dbcdecbb7e07c2afe6847bd4fe9677932fecca02963a581486871b7cb7889b086d861a1fa37a4
-
Filesize
154KB
MD584c848ca734892ea2e8ab90d84317ee3
SHA1a1b38d4f1b466061481bdfde7628139c908f7ee5
SHA25601c53abd5585992f9d62de40f4750899829b9e7e4a026b8d9f5d1cb1748a3fa9
SHA512cec124435d6d4c76497e7886ca317a0c12a9d8e77200ba94cf6a699b318b91cb4db886eba5a5161941a7dd349f827cd3694abb864d6e37a9084a208276bee7df
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
Filesize765B
MD5f1382455206b34aa38e2d8dd182fb525
SHA11a6a03acfd3dc66eae8e8d4ca47d07cda5cabf60
SHA25618d04aad7e1875b8c0e8a77ced64abfa907a2cfe4d37d4ae79f25d1731bbd8e5
SHA512edd7e0b5164be4df5c87b11e1e2bc8021bc1ba44cce39c828b6cd07fb1454772a1a8a1ed35c0068f4259ff62d1347344d3dc292b8b8470c50b38f18a35d29036
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784
Filesize637B
MD5720c16d391ef70c6fe4742de4f2dae76
SHA189e1e7bcdbb8befea64211884e91f3f1d5ec3ade
SHA2568d862f89114cdae890efecef58c12e3b46eaca6ffe9076c0bf35e70fe23110ce
SHA512a5ab9f919af951d0fd05ae88188ec344ceb451e7568e1ebe8865482aeeeb7b94790b807250fc768dc5ab734c58794eae4a476edf64826c0b446a27f06e91ac76
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize1KB
MD5c1657c09cbf653085fe5977265c03e1d
SHA1304d2bd99d40aa426d2620893045e7c8805f3906
SHA2563e9b4e775c00a2fd2b1db9d5c7b4e83d6df7f3683aaba7283a8137248dad751a
SHA51273cb77912b1482f76e4b5a091dac1f83401673f64973e458ab0a8184aba41f3c0560950c26941ea952a02cf2cde9722de726313a8820fd5daa07e06c97344f4a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
Filesize484B
MD5dd388eb9dfa030f2267059ff7797c896
SHA1a23644ed96c86d12a2014266fb045f0e98e50b45
SHA256c9b57da2a5624bed0cbbc56d40a4fea37388be921d4cb56af895bbb79c09d50b
SHA5124c673bdaf980b812785a4d617e565136abaaeb725f33316dbdced96ec7ab45f3efa1f3b44528ad6af81fc2dd649cdb16ec4ef20aaf1b4ae8a545a312369f5a77
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784
Filesize480B
MD53e85076bd2978ddfdd6dee53e1c225e5
SHA113d973059ead11a45fd458e573c1475e7304fa9e
SHA25622d99d191b952c6a401579133e6ececc1f9b3508e25f05ce8def6659bc81513e
SHA512834021a71fea7c9a654b99684290066f549ab7e3045afddd3ca6d8bd510554d481e9cc96b9e667cedb51fa28f7f1b86979c54ab30897ae618bbb47b65b3ac0bb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize482B
MD52197fbaee7fa0f1e121a38979f358c82
SHA1e6963a7dab24bccedf081044f80a74475453c5f1
SHA256a748b7ab870d0aaf3d2d6a6bca9c867f6daf88d33fa9fd9deb1e2eb548039657
SHA5121f86e54a7ce98e6a1ff1e248800d79eb27394cad7a62594edfcfe1729f414d645cff2970f6c1066b1e458fbceb5d7bce186323aaeaef2b3b80c3ab26a94e7f42
-
Filesize
898KB
MD54c3049f8e220c2264692cb192b741a30
SHA146c735f574daaa3e6605ef4c54c8189f5722ff2a
SHA2567f74b2c86e9f5706fc44c8d5093a027d1cd5856006aa80f270efae26d55c9131
SHA512b13dc855c3c06b56aa9bf181680b69003839adeaf16c5372912004a7bf42882e340c445c58e24e083692b4dcbb15c3e0cf244664458ccdd0dd7668b440277e0a
-
Filesize
294KB
MD558ccb4c9da26dbf5584194406ee2f4b3
SHA1ae91798532b747f410099ef7d0e36bffeca6361c
SHA2562f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97
SHA512dff6b4bf25fc5b5cf1a64ee645fb0310b072ec69c89a6e863cf9e0800e1d36f8dc4e567cf19c7dc8ac704d351b604cbf8d35959c3a64a10aa6b54f5c8fedb3c2
-
Filesize
1.9MB
MD560fd2d6645e5b41740828e73d4040d5f
SHA1c135e0d348ff99c0155b88ef3ab603fed3018c8c
SHA256a840bdaefb80641123d7ca786ebace65769da70f45e18bd3f0c7ef7b2ffcabdd
SHA512ed2a187666f23fb12d585611b5cf947b00ef881345aa57a96bb3f81883c3ec7a750c4044d0d7e1c64c00764e4f9e9b86147423b4506343c1c1efba1f04192b84
-
Filesize
226B
MD5feceaa82323f9de4d3578592d22f857d
SHA14c55c509e6d16466d1d4c31a0687ededf2eabc9a
SHA25661480b43136b02965f59e3256b8de1bf35caa7c084a7bcb3ed5f4236451d4484
SHA51282dac003d30eed4fc4e06ab4a426c9b7f355d777c243b710c5c0d3afc4c26d93874af2d0a542fca4a2038050b0d0fa8f63ed82e5f2771ae8a4de0f3b08d56d45
-
Filesize
37B
MD528151380c82f5de81c1323171201e013
SHA1ae515d813ba2b17c8c5ebdae196663dc81c26d3c
SHA256bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d
SHA51246b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253
-
Filesize
453KB
MD5fb30b403c1fa1d57fb65dc8b8e00e75c
SHA1161cf9d271aee2d7d2f7a0a5d0001830929c300b
SHA25683d9579e6b71561a9dafbdd309b4dbfaddf816c7ccc25e4672c8d9dfb14b6673
SHA512d0d15e51527bcfad38c01c46b4c43257407ead9c328bc4d48d21c9702c16872e52509e014444e78cd22f1ad96c11a88d281c2a745df0a4ca21243352f879de85
-
Filesize
16KB
MD5e7d405eec8052898f4d2b0440a6b72c9
SHA158cf7bfcec81faf744682f9479b905feed8e6e68
SHA256b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2
SHA512324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.1MB
MD59c682f5b5000cd003e76530706955a72
SHA11a69da76e05d114a317342dae3e9c7b10f107d43
SHA25636e6a3dd4bfc86c4e707f43cd9515707442d6c424b7661cb41766cfdca322522
SHA51233bd859542e1ae74d8c81427af44022cb91861dc02ee4202505f1e010487d06cb27e1aa83be6af17be4e2d8973289595b2ebe9bdf99a187956662df30b6dc88f
-
Filesize
476KB
MD535e7f1f850ca524d0eaa6522a4451834
SHA1e98db252a62c84fd87416d2ec347de46ec053ebd
SHA2562449fe334bbf8f09ff80422578a6c6961d20a0a456b214f6490c5ed1ae859c9e
SHA5123b013378a51a29652ff84f61050b344f504ef51a51944d469b1d0e629e4abad979416a56b9cffb6cfe20b80dfbebffec35dce6f5dc10b02907dee538f9f17a01
-
Filesize
662KB
MD50006ad7b9f2a9b304e5b3790f6f18807
SHA100db2c60fca8aec6b504dd8fd4861a2e59a21fe9
SHA256014d6c58dd7459c1664196ccd49b796f861d7d7e7e6c573bbb9cdc7cadc21450
SHA51231fcde22e25be698ef2efd44cc65b758e8c9e8b62504f3254f9cc44bfaabdaa0c94cefceac12833372f8b2797b6bd0205bb9c8f1626e25ee4117d886198fb7db
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
114KB
MD50095e79918f58883ba5b9d9194685394
SHA12d3fa3efbc94d865b4dc792238d883b5ae3ad44a
SHA256598518dd6c716abe51abf550d079a531f58e4d6de568d4949fe2d84a92cdf2ed
SHA51297d6a626a9ad12b8930113457b701d229732a938afd1a346c3acc69d3b2f0f78168f8011612cd3ee4be237edfac2913769fcb6be7cf45112c9b444ba8d76c3e6
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
96KB
MD540f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1d6582ba879235049134fa9a351ca8f0f785d8835
SHA256cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2
-
Filesize
285KB
MD582d54afa53f6733d6529e4495700cdd8
SHA1b3e578b9edde7aaaacca66169db4f251ee1f06b3
SHA2568f4894b9d19bfe5d8e54b5e120cef6c69abea8958db066cdd4905cc78ecd58b6
SHA51222476e0f001b6cf37d26e15dfb91c826c4197603ea6e1fbb9143c81392e41f18fa10a2d2d1e25425baaf754bff7fd179ef1df34966c10985e16d9da12a445150
-
Filesize
203KB
MD5d53b2b818b8c6a2b2bae3a39e988af10
SHA1ee57ec919035cf8125ee0f72bd84a8dd9e879959
SHA2562a81878be73b5c1d7d02c6afc8a82336d11e5f8749eaacf54576638d81ded6e2
SHA5123aaf8b993c0e8f8a833ef22ed7b106218c0f573dcd513c3609ead4daf90d37b7892d901a6881e1121f1900be3c4bbe9c556a52c41d4a4a5ec25c85db7f084d5e
-
Filesize
238B
MD5245eeb7365603f9f044068a8088633f2
SHA1e21b0be55bda21e4326a112502ee8d4fb3566210
SHA2560e169b18ce0e6a26365cf15797a62245d939ae7b2adc8fc1ae5a6dbd57fdbfdc
SHA512165cd389071466c457f40b4819d07c2bcb3cadd7b039a199ba93e5c3965c0f64ba89d071b99b9e92d91e855b5d0a58efc4e963af076b0fa2c8437d0eae8b7c2f