Resubmissions
12-08-2024 15:01
240812-sd558s1apb 1011-08-2024 12:42
240811-pxewlstgrh 1011-08-2024 03:59
240811-ekb9vayanf 6Analysis
-
max time kernel
356s -
max time network
361s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
11-08-2024 12:42
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://houseofgoodtones.org/richardmilliestpe/Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi
Resource
win10-20240404-en
windows10-1703-x64
36 signatures
300 seconds
Behavioral task
behavioral2
Sample
https://houseofgoodtones.org/richardmilliestpe/Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi
Resource
win7-20240729-en
windows7-x64
5 signatures
300 seconds
Behavioral task
behavioral3
Sample
https://houseofgoodtones.org/richardmilliestpe/Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi
Resource
win10-20240404-en
windows10-1703-x64
36 signatures
300 seconds
Behavioral task
behavioral4
Sample
https://houseofgoodtones.org/richardmilliestpe/Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
300 seconds
Behavioral task
behavioral5
Sample
https://houseofgoodtones.org/richardmilliestpe/Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi
Resource
win11-20240802-en
windows11-21h2-x64
8 signatures
300 seconds
General
-
Target
https://houseofgoodtones.org/richardmilliestpe/Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi
Malware Config
Signatures
-
SectopRAT payload 1 IoCs
resource yara_rule behavioral3/memory/2752-5578-0x0000000000400000-0x00000000004C6000-memory.dmp family_sectoprat -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 10 IoCs
pid Process 4384 python_x86_Lib.exe 32 ITSMService.exe 2864 ITSMAgent.exe 1112 ITSMAgent.exe 2896 ITSMAgent.exe 4456 RmmService.exe 3812 RmmService.exe 2744 RmmService.exe 2328 RmmService.exe 3352 AutoIt3.exe -
Loads dropped DLL 64 IoCs
pid Process 1960 MsiExec.exe 1960 MsiExec.exe 1960 MsiExec.exe 1960 MsiExec.exe 4532 MsiExec.exe 4532 MsiExec.exe 4532 MsiExec.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 1112 ITSMAgent.exe 1112 ITSMAgent.exe 1112 ITSMAgent.exe 1112 ITSMAgent.exe 1112 ITSMAgent.exe 1112 ITSMAgent.exe 1112 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2896 ITSMAgent.exe 2896 ITSMAgent.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Endpoint Manager = "C:\\Program Files (x86)\\COMODO\\Endpoint Manager\\ITSMAgent.exe" msiexec.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 58 1600 msiexec.exe 59 1600 msiexec.exe -
Checks for any installed AV software in registry 1 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm ITSMService.exe Key created \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS ITSMService.exe Key queried \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS ITSMService.exe Key queried \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm ITSMService.exe Key opened \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\ ITSMService.exe Delete value \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity ITSMService.exe Key opened \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity ITSMService.exe Key opened \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm ITSMService.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe -
Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs
Using AutoIT for possible automate script.
pid Process 3352 AutoIt3.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache ITSMService.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData ITSMService.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E455012CBF4BA8A2AC67618C00590908 ITSMService.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content ITSMService.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E455012CBF4BA8A2AC67618C00590908 ITSMService.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft ITSMService.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3352 set thread context of 2752 3352 AutoIt3.exe 116 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Etc\Greenwich python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\US\Indiana-Starke python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\pref\TK.csc python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\demos\spin.tcl python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\collections.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\St_Kitts python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\distlib\markers.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\kok_in.msg python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Bangkok python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\images\pwrdLogo175.gif python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\html5lib\treewalkers\lxmletree.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\chardet\big5freq.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\encodings\gbk.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Fortaleza python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Kathmandu python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\ttk python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\cachecontrol python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\encodings\cp1006.py python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Nipigon python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\kw.msg python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\hotshot\__init__.py python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\lib2to3\fixes\fix_map.py python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\bitmaps\minus.xpm python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\pref\10Point.fs python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\demos\ttkmenu.tcl python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\idlelib\ObjectBrowser.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\lib-tk\tkFileDialog.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\encoding\macJapan.enc python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\demos\images\face.xbm python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\packaging\_structures.py python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\stat.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools\command\install_lib.py python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\gv.msg python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Argentina\ComodRivadavia python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Vladivostok python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Etc\GMT-12 python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Gibraltar python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\ctypes\__init__.py python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\gyp-0.1-py2.7.egg\gyp\MSVSNew.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Majuro python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\lib2to3\fixes\fix_asserts.py python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\distlib\locators.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\es_mx.msg python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\gl.msg python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Mazatlan python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Andorra python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\sqldrivers\qsqlite.dll msiexec.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\lib-tk\Tkconstants.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\entry.tcl python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\encoding\jis0201.enc python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Montevideo python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\pref\SGIGray.csc python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\pref\WmDefault.tcl python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\xml\etree\ElementInclude.py python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\demos\bitmaps python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\distutils\command\check.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\gyp-0.1-py2.7.egg\gyp\generator\xcode.py python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\El_Aaiun python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Kentucky\Monticello python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Damascus python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\lib2to3\fixes\fix_xrange.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\lib2to3\fixes\__init__.py python_x86_Lib.exe File created C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\urllib3\packages\__init__.py python_x86_Lib.exe File opened for modification C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Sitka python_x86_Lib.exe -
Drops file in Windows directory 24 IoCs
description ioc Process File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Installer\MSI8425.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB233.tmp msiexec.exe File opened for modification C:\Windows\Installer\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\icon.ico msiexec.exe File created C:\Windows\Installer\wix{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}.SchedServiceConfig.rmi MsiExec.exe File opened for modification C:\Windows\Installer\MSID06A.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI8A63.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI933F.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\Installer\e5a8128.msi msiexec.exe File opened for modification C:\Windows\Installer\e5a8128.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI85CC.tmp msiexec.exe File created C:\Windows\Installer\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\icon.ico msiexec.exe File opened for modification C:\Windows\Installer\MSI8978.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI940B.tmp msiexec.exe File created C:\Windows\Installer\e5a812a.msi msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{373FFE70-5FF7-492D-A2F4-0C6A15D8D503} msiexec.exe File opened for modification C:\Windows\Installer\MSI88EA.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ITSMService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ITSMAgent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RmmService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language python_x86_Lib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ITSMAgent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RmmService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AutoIt3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ITSMAgent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RmmService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RmmService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AutoIt3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AutoIt3.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies data under HKEY_USERS 60 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs ITSMService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" python_x86_Lib.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53 ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ python_x86_Lib.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates ITSMService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" python_x86_Lib.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs ITSMService.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople ITSMService.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My ITSMService.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs ITSMService.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53\Blob = 03000000010000001400000040cef3046c916ed7ae557f60e76842828b51de5314000000010000001400000017d9d6252767f931c24943d93036448c6ca94feb040000000100000010000000886ea78b530e0fd5bda4e12527ab6a2c0f00000001000000300000005d2164164eb6f3820b9b8d7a5601b60ebf70d832d2029c6c3c966db107dfcb1ba12a25700f26ca3d5b36e4a6cb576cfa19000000010000001000000092a08f142bb795a2197a0d3c7af066f55c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001d0600003082061930820401a0030201020210137d539caa7c31a9a433701968847a8d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a308195310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313d303b060355040313345365637469676f20525341204f7267616e697a6174696f6e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a02820101009c930246454a524892fc578df92dea53beb32cd5d8a8a5ec5b6903c01d10f65933defe0748a8e88c7a674af1f58dc33766d03291f7c49d0460c4b54ae2838ba7ae26d45d3a5ef8d11671bb8abd71a27dc8cea26024b052a03a4551de78936c6260f1e4569cb73bf73c55d8dfd57a317c357f125170e12cbe04accbfa4fe17c656ac040a7d97ca5638419e1f7caefaab4e8585ad999e326df8e12b2b8dc33b236da141d965842406e0b22851c5122aec4c806456d92e667b71923e4d8366b85d07fc752e3cfb07501e089b4a8bf8a364ea3e06ceb8441cea52f482213975062451e09a5cc9f6c57704006db20e81bd6f3938ba7329eb7441509d7affd7c011cdb0203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e0416041417d9d6252767f931c24943d93036448c6ca94feb300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c050003820201004e134096c9c3e66e5bc0e3baf417e1ae091fc9bfcb0c2516f27353b3761ab7ab4806d6cd007c204543456c165a1b1361d749baa402a4ace8cece2dc92a74a3dcdeaeabd06836f891af3c01f777d50bcf97abeb87e715a8fa305a617120b1c043c4b98f6d8a31eb153624fb62d50b9c8fe966bde661519793b61d87bdb0b56cfea6112906613431303d20277351d0de8583d37739204696daa7c65a162785b2cf4e0f4e8c5cbebe3800f84bf9727bd4f27ad7a22985d004bad3422c5188522ed13d246747ec55cc1bf4ca34ea26c1deddc42189f6ba7b321e8e965e844538cf80aa37698b6017741548919c6df04ea377ca1b1c48faf9cf49e85f4f850ae28f901bab704c9aebb7a63fb4ac5da45fcfe6d88a9690f74f268160765d0f247791b32a319f165ab25d8c1c29aa489c8e6fd3784070db77ecdde3d15705702de64998880584620570567686394ed3226f1dfe6df10eb362c43ccbc085b9611ebae1158059940cae05bb8c7f56be1cd25abf97f26a4cb0c67076b0908dc10b36b911d8d6285cea4ffe24b7180a9b0cd0c17c5cfb69bdcca24dc690bca64df2b1bad69a675b960252d082f9c40a5c0d28e03fc8fa959589d5a4be496c40b23ea86bb8d525b2c4fef1d3d7e7d6dc43017630fb3b8b5df74a897c9a35befccaf05701f08d3fa087327b475a974b82d266c2c42dea3f24f4a7f9a8b9e36ad91861a03b8c15 ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs ITSMService.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" ITSMService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" python_x86_Lib.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates ITSMService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" python_x86_Lib.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs ITSMService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs ITSMService.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 ITSMService.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07EFF3737FF5D2942A4FC0A6518D5D30\DefaultFeature msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 9d47ee1becebda01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdge.exe Key created \REGISTRY\MACHINE\Software\Classes\CDM ITSMService.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\PackageCode = "D7076E96D3235814DB26ACC95D2BAD84" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{B90BE346-6377-4643-AD72-518E1E3AC6 = a6c5226decebda01 browser_broker.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 35f15c01ecebda01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{B90BE346-6377-4643-AD72-518E1E3AC6 = "0" browser_broker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{55B9945E-19A3-4F3C-BB43-52665C20E5E3} = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{B90BE346-6377-4643-AD72-518E1E3AC6 = "8320" browser_broker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList msiexec.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e5081301ecebda01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdge.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\MrtCache MicrosoftEdge.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi.52z8u9u.partial:Zone.Identifier browser_broker.exe -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid Process 2864 ITSMAgent.exe 1112 ITSMAgent.exe 2896 ITSMAgent.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 696 msiexec.exe 696 msiexec.exe 32 ITSMService.exe 32 ITSMService.exe 2752 RegAsm.exe 2752 RegAsm.exe 2752 RegAsm.exe 2752 RegAsm.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 2240 MicrosoftEdgeCP.exe 2240 MicrosoftEdgeCP.exe 2240 MicrosoftEdgeCP.exe 2240 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5064 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 5064 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 5064 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 5064 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2696 MicrosoftEdge.exe Token: SeDebugPrivilege 2696 MicrosoftEdge.exe Token: SeShutdownPrivilege 1600 msiexec.exe Token: SeIncreaseQuotaPrivilege 1600 msiexec.exe Token: SeSecurityPrivilege 696 msiexec.exe Token: SeCreateTokenPrivilege 1600 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1600 msiexec.exe Token: SeLockMemoryPrivilege 1600 msiexec.exe Token: SeIncreaseQuotaPrivilege 1600 msiexec.exe Token: SeMachineAccountPrivilege 1600 msiexec.exe Token: SeTcbPrivilege 1600 msiexec.exe Token: SeSecurityPrivilege 1600 msiexec.exe Token: SeTakeOwnershipPrivilege 1600 msiexec.exe Token: SeLoadDriverPrivilege 1600 msiexec.exe Token: SeSystemProfilePrivilege 1600 msiexec.exe Token: SeSystemtimePrivilege 1600 msiexec.exe Token: SeProfSingleProcessPrivilege 1600 msiexec.exe Token: SeIncBasePriorityPrivilege 1600 msiexec.exe Token: SeCreatePagefilePrivilege 1600 msiexec.exe Token: SeCreatePermanentPrivilege 1600 msiexec.exe Token: SeBackupPrivilege 1600 msiexec.exe Token: SeRestorePrivilege 1600 msiexec.exe Token: SeShutdownPrivilege 1600 msiexec.exe Token: SeDebugPrivilege 1600 msiexec.exe Token: SeAuditPrivilege 1600 msiexec.exe Token: SeSystemEnvironmentPrivilege 1600 msiexec.exe Token: SeChangeNotifyPrivilege 1600 msiexec.exe Token: SeRemoteShutdownPrivilege 1600 msiexec.exe Token: SeUndockPrivilege 1600 msiexec.exe Token: SeSyncAgentPrivilege 1600 msiexec.exe Token: SeEnableDelegationPrivilege 1600 msiexec.exe Token: SeManageVolumePrivilege 1600 msiexec.exe Token: SeImpersonatePrivilege 1600 msiexec.exe Token: SeCreateGlobalPrivilege 1600 msiexec.exe Token: SeBackupPrivilege 216 vssvc.exe Token: SeRestorePrivilege 216 vssvc.exe Token: SeAuditPrivilege 216 vssvc.exe Token: SeBackupPrivilege 696 msiexec.exe Token: SeRestorePrivilege 696 msiexec.exe Token: SeRestorePrivilege 696 msiexec.exe Token: SeTakeOwnershipPrivilege 696 msiexec.exe Token: SeRestorePrivilege 696 msiexec.exe Token: SeTakeOwnershipPrivilege 696 msiexec.exe Token: SeRestorePrivilege 696 msiexec.exe Token: SeTakeOwnershipPrivilege 696 msiexec.exe Token: SeRestorePrivilege 696 msiexec.exe Token: SeTakeOwnershipPrivilege 696 msiexec.exe Token: SeRestorePrivilege 696 msiexec.exe Token: SeTakeOwnershipPrivilege 696 msiexec.exe Token: SeRestorePrivilege 696 msiexec.exe Token: SeTakeOwnershipPrivilege 696 msiexec.exe Token: SeRestorePrivilege 696 msiexec.exe Token: SeTakeOwnershipPrivilege 696 msiexec.exe Token: SeRestorePrivilege 696 msiexec.exe Token: SeTakeOwnershipPrivilege 696 msiexec.exe Token: SeRestorePrivilege 696 msiexec.exe Token: SeTakeOwnershipPrivilege 696 msiexec.exe Token: SeBackupPrivilege 596 srtasks.exe Token: SeRestorePrivilege 596 srtasks.exe Token: SeSecurityPrivilege 596 srtasks.exe -
Suspicious use of FindShellTrayWindow 21 IoCs
pid Process 1600 msiexec.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 1600 msiexec.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe -
Suspicious use of SendNotifyMessage 19 IoCs
pid Process 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe 2864 ITSMAgent.exe -
Suspicious use of SetWindowsHookEx 22 IoCs
pid Process 2696 MicrosoftEdge.exe 2240 MicrosoftEdgeCP.exe 5064 MicrosoftEdgeCP.exe 2240 MicrosoftEdgeCP.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 2864 ITSMAgent.exe 1112 ITSMAgent.exe 32 ITSMService.exe 2896 ITSMAgent.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 32 ITSMService.exe 2752 RegAsm.exe -
Suspicious use of WriteProcessMemory 57 IoCs
description pid Process procid_target PID 2240 wrote to memory of 1788 2240 MicrosoftEdgeCP.exe 77 PID 2240 wrote to memory of 1788 2240 MicrosoftEdgeCP.exe 77 PID 2240 wrote to memory of 1788 2240 MicrosoftEdgeCP.exe 77 PID 2240 wrote to memory of 1084 2240 MicrosoftEdgeCP.exe 78 PID 2240 wrote to memory of 1084 2240 MicrosoftEdgeCP.exe 78 PID 2240 wrote to memory of 1084 2240 MicrosoftEdgeCP.exe 78 PID 524 wrote to memory of 1600 524 browser_broker.exe 79 PID 524 wrote to memory of 1600 524 browser_broker.exe 79 PID 696 wrote to memory of 596 696 msiexec.exe 85 PID 696 wrote to memory of 596 696 msiexec.exe 85 PID 696 wrote to memory of 1960 696 msiexec.exe 87 PID 696 wrote to memory of 1960 696 msiexec.exe 87 PID 696 wrote to memory of 1960 696 msiexec.exe 87 PID 696 wrote to memory of 4532 696 msiexec.exe 88 PID 696 wrote to memory of 4532 696 msiexec.exe 88 PID 696 wrote to memory of 4532 696 msiexec.exe 88 PID 4532 wrote to memory of 3604 4532 MsiExec.exe 89 PID 4532 wrote to memory of 3604 4532 MsiExec.exe 89 PID 4532 wrote to memory of 3604 4532 MsiExec.exe 89 PID 3604 wrote to memory of 4384 3604 cmd.exe 91 PID 3604 wrote to memory of 4384 3604 cmd.exe 91 PID 3604 wrote to memory of 4384 3604 cmd.exe 91 PID 4384 wrote to memory of 4420 4384 python_x86_Lib.exe 92 PID 4384 wrote to memory of 4420 4384 python_x86_Lib.exe 92 PID 4384 wrote to memory of 4420 4384 python_x86_Lib.exe 92 PID 32 wrote to memory of 2864 32 ITSMService.exe 97 PID 32 wrote to memory of 2864 32 ITSMService.exe 97 PID 32 wrote to memory of 2864 32 ITSMService.exe 97 PID 32 wrote to memory of 1112 32 ITSMService.exe 98 PID 32 wrote to memory of 1112 32 ITSMService.exe 98 PID 32 wrote to memory of 1112 32 ITSMService.exe 98 PID 32 wrote to memory of 2896 32 ITSMService.exe 99 PID 32 wrote to memory of 2896 32 ITSMService.exe 99 PID 32 wrote to memory of 2896 32 ITSMService.exe 99 PID 32 wrote to memory of 4456 32 ITSMService.exe 107 PID 32 wrote to memory of 4456 32 ITSMService.exe 107 PID 32 wrote to memory of 4456 32 ITSMService.exe 107 PID 3812 wrote to memory of 2744 3812 RmmService.exe 110 PID 3812 wrote to memory of 2744 3812 RmmService.exe 110 PID 3812 wrote to memory of 2744 3812 RmmService.exe 110 PID 2744 wrote to memory of 2752 2744 RmmService.exe 112 PID 2744 wrote to memory of 2752 2744 RmmService.exe 112 PID 2744 wrote to memory of 2752 2744 RmmService.exe 112 PID 2752 wrote to memory of 2328 2752 cmd.exe 113 PID 2752 wrote to memory of 2328 2752 cmd.exe 113 PID 2752 wrote to memory of 2328 2752 cmd.exe 113 PID 2744 wrote to memory of 3872 2744 RmmService.exe 114 PID 2744 wrote to memory of 3872 2744 RmmService.exe 114 PID 2744 wrote to memory of 3872 2744 RmmService.exe 114 PID 3872 wrote to memory of 3352 3872 cmd.exe 115 PID 3872 wrote to memory of 3352 3872 cmd.exe 115 PID 3872 wrote to memory of 3352 3872 cmd.exe 115 PID 3352 wrote to memory of 2752 3352 AutoIt3.exe 116 PID 3352 wrote to memory of 2752 3352 AutoIt3.exe 116 PID 3352 wrote to memory of 2752 3352 AutoIt3.exe 116 PID 3352 wrote to memory of 2752 3352 AutoIt3.exe 116 PID 3352 wrote to memory of 2752 3352 AutoIt3.exe 116 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\LaunchWinApp.exe"C:\Windows\system32\LaunchWinApp.exe" "https://houseofgoodtones.org/richardmilliestpe/Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi"1⤵PID:3328
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2696
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi"2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1600
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5064
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1788
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1084
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:596
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding ACF531634B98CC4451101B94D936B8872⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1960
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 845DB7DAE3FC6B7B321375EB29B00BCF E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\COMODO\Endpoint Manager\" && "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "5⤵
- System Location Discovery: System Language Discovery
PID:4420
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:216
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4240
-
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2864
-
-
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe" noui2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1112
-
-
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2896
-
-
C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --start2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4456
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:484
-
C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --run_procedure --in Global\sharedInputMemory_1 --out Global\sharedOutputMemory_2 --err Global\sharedErrorMemory_32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2328
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Salome\AutoIt3.exe C:\Users\Admin\AppData\Local\Temp\Salome\script.a3x"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Users\Admin\AppData\Local\Temp\Salome\AutoIt3.exeC:\Users\Admin\AppData\Local\Temp\Salome\AutoIt3.exe C:\Users\Admin\AppData\Local\Temp\Salome\script.a3x4⤵
- Executes dropped EXE
- Command and Scripting Interpreter: AutoIT
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2752
-
-
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:4128
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3732
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
709KB
MD5fde2e8fdeacb1d402a12ccfe22441cab
SHA1fa30cffc8f55013f1c8cfae8c6622e3dd40317b3
SHA2562b19a1a9d8b45816f08fd37a5ba658238db72d6a72bfe13d16fa857ec4754461
SHA5124d8c4e0de8ab28771b96835d29088dbc5e4d81e2a8e5cb85d0bc34ba5f689c17a90710cff47e5839686c2fb2fb07a02903dac6969e7ceaf2f384452b76cc4b71
-
Filesize
3.0MB
MD5a5b010d5b518932fd78fcfb0cb0c7aeb
SHA1957fd0c136c9405aa984231a1ab1b59c9b1e904f
SHA2565a137bfe1f0e6fc8a7b6957d5e9f10df997c485e0869586706b566015ff36763
SHA512e0ca4b29f01f644ef64669ed5595965b853ae9eaa7c6c7d86df7634437041ef15ceb3c2d1ab9dec4171c80511684a7d7b06fc87b658e5a646699eb9523bc4994
-
Filesize
8.4MB
MD56b4752088a02d0016156d9e778bb5349
SHA1bd13b1f7b04e0fe23db6b3e4bd0aa91c810e1745
SHA256f64f13bf19726624a9cbaedda03a156597737581d6bc025c24e80517f5cab011
SHA5120fe982b0b551238fc881511cdd0656ee71f22aca3a5e83ef7ce41b3adf603f1be17ba3e2c10797ee3dfb5e15ff1ac3e8cf4e05c657e7c047f302f50baa42ba2d
-
Filesize
2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
Filesize
74KB
MD51a84957b6e681fca057160cd04e26b27
SHA18d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe
SHA2569faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5
SHA5125f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa
-
Filesize
7.2MB
MD5dcebee7bb4e8b046b229edc10ded037f
SHA1f9bdf0b478e21389800542165f721e5018d8eb29
SHA2562eb0eefab534217953744c2cc36de2e1a1ced6ea882734e7b1f4b34a0b19689b
SHA5129827600a19da5a816f1b0d93aa2629cb48f13f6e5fc42cd44bb1031ecd2e942854b34e7da44335acb85e42c44b1e720e9da8bc1d9ad23a9b1de0190f026f4d30
-
Filesize
33KB
MD593cec90673300d3ad2ba441ed13b9a17
SHA1b7658f6f3fe5b105b867c129a2c2869e6c848960
SHA256e3b0be8a98f820a47b0f55dd72e8d5aadbbdeb01346b397565b12937a11c1837
SHA5125fd910082bfa4eb368219a486bcd40849eea59464be82c15013eb13237bb14fbf62212518330bdd45331cbbbb318da599d82164deb3b7f9388b660629d312550
-
Filesize
33KB
MD54f2f218bf6331d5cf84c9f881ca9c6e6
SHA15d5fc291055c20b87517291a7210152fb0780df8
SHA2568695ba37eb5267e86e3fc333bd48577cf285c22fe2621b2e11cf7d7b40081a0c
SHA512fb17b54185d54061c79341e128a3f53104f9d8fa17edac22c2b2a4b3eaae81835323cce656f5e8717827ee673b1c3240fc30d7626703be25d25ae05515ae79c2
-
Filesize
33KB
MD5b949d1346a1a03cb95e4f371569a8238
SHA1275ba04311e45471556098e585bacb2e72403a55
SHA256fce96af077dfddbebdb0afd47998945cb0509fd7d4d9fa9db47536bed677859b
SHA5120db5e985ba0a0010e3a1830e54b1c3f815b9d708fc9e3250e2b64127ce488ba17b173b18cb62fc4cb4d19e92154b5d77fd17ba8705e0720516a0fb5e98ba0d8c
-
Filesize
33KB
MD5dcc94d252e60f485f166e0097cb6d6bd
SHA1ed8838c3d1865164710cb1537ecdea5b82b97d0a
SHA256ed74e85d74735feb71a97258cbb492ab77e33e772b4ff4570dbd85606c7f8f16
SHA5125aa6f1108622ac32e75e22cda5e7c879a97bbdafb3158d0b130650c34793d47ea71b6947caa7ba1c0f2ddc98f2f5aa96a590d0c401ddef5fd567c7045e56efa2
-
Filesize
33KB
MD5fffaa229e4b676a5713a393f24686852
SHA1ea760e25ed1499c4f2e0233a41c33a9d0fff94ca
SHA25603da901e9a38462255d5162312059899102adce815b426cc858743d5d4a8b6ed
SHA5125470565ea8d5a0a3b598d570bc947be55cb5979f6e5e9a529103a597640f8104421066e22b57ca480e61890d2603bfced300ec08a830725a37508b47ffc5e97e
-
Filesize
33KB
MD5550436a6bf4fb1014a2999ffce7c695c
SHA15eb9595cddb5fc79f6c0a0d93a945759f06c2ddb
SHA256cc325bdc20ea9e4c95f8621cb77c55c31b2a1392617ed413ae349d71dedccf93
SHA512c448baafb22926eb73550bdbdd7a2f3575b40c43c5c0d34bdd41568f26e0c15d697abcd1613040bab8a7a42ea418b981f13e3aa307e325e0f2f0f9392414f602
-
Filesize
33KB
MD5ac3c26ac0b59e73cd62cc3bb17a70895
SHA1ce065d49f467cd5d5805913d11064787f7cf83b8
SHA2564e7d0c4ce8fdbe01c02c0c4679f013596331fab1c9ca417a070c7e2a7971077b
SHA5126200be600cd5f404358dbe80b34642b772a2f10684cb9fc5a908685933702475100cf4c7ca1c9bb6b4ab5834181798dd99ac3c4d5d155ce9f98b83997387a240
-
Filesize
32KB
MD5a6e53c8e6057f56f1eee070f386ee6ca
SHA19fa9bef04fa50fd7a3bbf09a4951f14fa24c49f7
SHA25678c3f93c4a8f2a46f6d2dbc16b722b1ea409b0d7aa6149f4277646ae99dd38bc
SHA51210d59cd1e609ee89554fe3076adf68edbfff1f9f7f219e351278d2d7345b79557186989b055c0604b3c83bdd45f37c528c2d13d5a3f9b9e612b27f6fc33d0fd7
-
Filesize
33KB
MD5bbfd491d0a771b36f8216da77ec2d14a
SHA152a4890bc2a546c1512a8b3e4f2ac4317be9b782
SHA256126436ea15a2d945455ab08730da8d283c5bc600781ac8e88fa102dea16f146f
SHA5128e6d8ec7017a950c38ecc70680e2c2737d7375ebabb8adecd32196acdd5d3483b2b648e7e7a8c3cabc0bd05e4d25a5db080ec8aaef5e7959792e64b4c0a6957e
-
Filesize
33KB
MD54d2a5d7c62a2fcf6baff47c663b5caa4
SHA14937c36d06aa91224628b9a6162759d0203832bc
SHA25699e1baa8bb11ac02478b728e658dfc3922a68395d79711a2ac310e61a91f4ace
SHA5123546e10bd408abbbdaa02f8e06c6c95c70d438ec763efce3241a7376f05ac7733877d519018bd0ba24665396a97a9b328233eaef6fbcde8245299fa1893b8e05
-
Filesize
33KB
MD5cee7e154d0bfa2a2490913c77da5ec10
SHA1b023c08a3ae62186ab4d02bcd953197bf37a851b
SHA256a407d75e4c3388e83d9b682f6c1dcb0140b2f15d0cad64c26976edd5c2005fcd
SHA5127ca2467ffcb50d16dba290a40a0f78b8db2ab6500cc3671e94c0c72d0cf6eb08a8bf0657f38421fe657801e60e9a704e68576bfb4b250318f0b1edaee2d0f964
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
Filesize765B
MD5fff2cc217cec93b9b4e91ea34e23efaa
SHA1c6a7f0e18796e1c6b789ec9fb7e98fbc639bc1df
SHA2569bd2f914e637e30ba764c0af86102be829546122e443b30588e5e9723a15873b
SHA512f426e383b51806458533ddd15e4aec6cddde1acf497b8a84542818c4dffa3b5c21093a075a79a8e46ce5ddf6d16be9ed66c339724c63f76c6be7bd048cef5a3a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784
Filesize637B
MD5f29448db915ce12024c00f8db2735a37
SHA18c42cc59bf9684c8913d77b6481d6f9a35291fe2
SHA2561220fbb03d07705373e10fff29e767a41a523ff3bbd1280f1e6c313421bd6930
SHA512932aa9847dc8630259827605dbf4cca4a778fda7ae164b814d6d552086812395441389179094c01c0225477aafdf9f3e2daa235e5884cf6eba01d32ee54b6b01
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize1KB
MD58991f83c49d2736793a0c917c3d8ae4d
SHA171752a06511633fcb9d2df14b507e555e4d1b17a
SHA256a94ee10e4836486a24b1020e70055b440e46b52913a6e9cd66d0cae467276990
SHA5126fedbb05506b87ca954be1e413a1ca2824ae3b060242e89a1002a06d6549838f2d9e09768a878211a1929ef9cd260415bb061a8a28d16ee6e647780fc7e8b3cd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
Filesize484B
MD56e5860c9043964827beaf7b7cea45515
SHA17abe9c3eef9c404244781f265f0d06c3ffc6a7be
SHA256f4fdda46ffd317f0c4c8b03049181239b902454546894749e64ed0af60f6481d
SHA512c64d5c08029278e7b11a10ca1d3b643d6268c4d06b8d62269a5c9f4b5e05d6c5574c203dc430411c4f6a490b3f6065c3d15a9631611f4e78284106f61b8ef028
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784
Filesize480B
MD5ceb242bd9933dc1f83c20a3d947b84bc
SHA145da81fdc801dc78bb5b431c576256cd6eb46501
SHA256ca1a2f6791ed88259ba783dcd38d8b8031b6c01df3147c0617ed2f75f47f1a7d
SHA512161349c17d7863246a987e2619e17c83f9a8bc8383cb57e7166f87a41c5a568cd05de79d2f87716390f3959f260768a08177b0eec19e0627dce901c7a3dee516
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize482B
MD50228fd66c5f8121407d04268cb011222
SHA1a7203ef7717f8bb83b635083a5b73a5d678ecc75
SHA25655f74893f86e0d095183f75c6fa69484a4f43c22e4396a57f9e8fb2e92dccc9d
SHA512aeecbb180d45076b2cb4a4ed8eb0d1e5ff9914c67668094a4ea6a2c0d79cdd10d79b5429c6ba2f60a7dafeb56c0fbf2c2efaaf0addaf875aa6c092b3f6ed6cc2
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\YWCI917P\suggestions[1].en-US
Filesize17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\HPAPK8O7\Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64[1].msi
Filesize159KB
MD58f3a1acca9d9d5fea7ace4414f36b9fb
SHA1f66fc6ec6d0433c2b54865f32f717024372a8088
SHA256d81c192d537cfa7f11d232da00bf84e95fbae98c081c2bcb4f22d54b5c06612c
SHA512a0292848fdff640c1d4277c8594f4086257d3be6798e18d08e1e4e77dd1fcab20eea005d411afa298631eb74cd5435559e3f1adc3c3b896f076c494cfd784f0e
-
Filesize
226B
MD5feceaa82323f9de4d3578592d22f857d
SHA14c55c509e6d16466d1d4c31a0687ededf2eabc9a
SHA25661480b43136b02965f59e3256b8de1bf35caa7c084a7bcb3ed5f4236451d4484
SHA51282dac003d30eed4fc4e06ab4a426c9b7f355d777c243b710c5c0d3afc4c26d93874af2d0a542fca4a2038050b0d0fa8f63ed82e5f2771ae8a4de0f3b08d56d45
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
285KB
MD582d54afa53f6733d6529e4495700cdd8
SHA1b3e578b9edde7aaaacca66169db4f251ee1f06b3
SHA2568f4894b9d19bfe5d8e54b5e120cef6c69abea8958db066cdd4905cc78ecd58b6
SHA51222476e0f001b6cf37d26e15dfb91c826c4197603ea6e1fbb9143c81392e41f18fa10a2d2d1e25425baaf754bff7fd179ef1df34966c10985e16d9da12a445150
-
Filesize
203KB
MD5d53b2b818b8c6a2b2bae3a39e988af10
SHA1ee57ec919035cf8125ee0f72bd84a8dd9e879959
SHA2562a81878be73b5c1d7d02c6afc8a82336d11e5f8749eaacf54576638d81ded6e2
SHA5123aaf8b993c0e8f8a833ef22ed7b106218c0f573dcd513c3609ead4daf90d37b7892d901a6881e1121f1900be3c4bbe9c556a52c41d4a4a5ec25c85db7f084d5e
-
\??\Volume{38fc7460-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9156199c-b64d-43da-828f-dcc5a5ffd0c1}_OnDiskSnapshotProp
Filesize5KB
MD5f7413342d04187e1b48b54cae2965c85
SHA13cc43bf50caf67d057483921763a3383a7c1fb62
SHA256e4608671406a289813242e2667a8a81256a65a850b64aebf000acda94edb47d0
SHA512252595579220fde3a66d3fbdd8107a97339585dcf5e0beea3d2086b08afde177313cc52565edbc0e7ad0d97e7088b8162a2d46afc1e728a35f7f2abdaf0f08c2
-
Filesize
87KB
MD525c603e78d833ff781442886c4a01fe6
SHA16808adc90eb5db03163103ec91f7bc58ee8aa6d0
SHA25694afd301c1baa84b18e3b72d017b6a009145c16c6592891c92f50c127e55169e
SHA51284e33be97d97ae341d74fc8273d191df519616f12bec8ac2f89454897c30a5f7bf9115f208c8dae78da83f0ca7bf9e5f07544d37d87b07f63408fbc91e449d54
-
Filesize
5.1MB
MD59356330cdf731eea1e628b215e599ce5
SHA188645c60b3c931314354d763231137a9ec650f1b
SHA256ad045d1d084a88fe3f48c12aee48746b22cb3a579f9140840c54ae61f7af3478
SHA5123d9ab9b1cdecad6809be96d82df2d1b9b8c9e1a7cf0ac79a820a92b11c8fa079f5a2c3875ba0b733503742c6977d6239ce22acec023a22038b2e7ee1ebd62d90
-
Filesize
1015KB
MD5de150de21f1a2b72534eaa4aa4f03202
SHA139ed224cced1266d4adc5e68f6516979b8f52b33
SHA25603871db7d626d14e84d8ebf007139aa2c08038cd3403ac6259f1a2eb01ae1477
SHA51230eff193620724cda86e6de31c430f9d4426e677a553c7918f9b85dbfc67687acdecc2a29e45473666c01ce311b73833d9f79db8a93e80570c7ace8837ca531a
-
Filesize
174KB
MD588aeafdcc3f3fa04b9b20022906745b0
SHA19dc03428234000d19bbc3cb437d370b8e1863329
SHA256cd84c9c486c3e967ddd061718893ef5ee48eca24f77e3366b8fd3d2dd21f477f
SHA5125ea87730f26b16215eb2b892a6da689524546ef6cfaf4e6c1f4e0afa083ceec3e8f00c9259d316d84ef4cb05b01023a1362b4a676d10b55e06ee365557ab7986
-
Filesize
163KB
MD54bac5e44b4b2f138f6608c661330dad0
SHA1b08ff311b24d9bbc48d4014d7a0cd0de129a19e7
SHA25659ba9deba38b1e652a046fd6b58847a58883f2d8c5c1e81acfa78d2daad98a1c
SHA51274871aaaf8dc3fc006f7a1fdc42eabf5a86e34674d34362b2b00bdebe023d78fa0e6a5ef4676dc038178a6eeb01a0ba1676f68a1cc6828ac8d4ece550106ee0a
-
Filesize
2.2MB
MD5e2749ff4266d5a933feb7685dfe375b2
SHA1f09a432c67f45fc2ed27c762db4176b7dd47e908
SHA256e4ee537b6a585ec7656afd9fc6fd3f655ff44bec6ff8ec291fc3e868caade27c
SHA5124efc6b0b8d39b47d9c415fc3bc7460e4f738e3694fac691bf94569549569a8d65270a54488af3ae49de9fabdbe518250ceee83f6633e1da407636e6e02bac8bb
-
Filesize
2.5MB
MD58f4ccd26ddd75c67e79ac60afa0c711f
SHA16a8b00598ac4690c194737a8ce27d1d90482bd8b
SHA256ab7af6f3f78cf4d5ed4a2b498ef542a7efe168059b4a1077230a925b1c076a27
SHA5129a52ac91876eea1d8d243c309dadb00dfae7f16705bde51aa22e3c16d99ccf7cc5d10b262a96cfbb3312981ac632b63a3787e8f1de27c9bb961b5be6ff2ba9f4
-
Filesize
471KB
MD50b03f7123e8bc93a38d321a989448dcc
SHA1fc8bfdf092cdd6b9c1ec3b90389c035c37e50bd7
SHA256a7fbfdb3100c164f139e9d0ebcf47282308e5173ab610dcb20a05b6e0615b54b
SHA5126d00c65111c0f389ad189178705ed04712b2c6de8918f58de7c3747126a4b4e50b4a73525cc0993af02d35323b1430f34baf6f99712df822d6cdc63e24ed7ae5
-
Filesize
426KB
MD58ff1898897f3f4391803c7253366a87b
SHA19bdbeed8f75a892b6b630ef9e634667f4c620fa0
SHA25651398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad
SHA512cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03
-
Filesize
132KB
MD5342249e8c50e8849b62c4c7f83c81821
SHA1618aa180b34c50e243aefbf36bb6f69e36587feb
SHA25607bc6eb017005500d39e2c346824eef79b3e06f60c46fb11572f98d4fe4083c5
SHA51232a44252926881edf916ac517cb55d53b0b1b5adcc5952a674d1707d2c1431a68b27e593b4c4fcab0648e3cbeddf3d4e8024ff2a3385af9dbd2b2244e518340a
-
Filesize
154KB
MD584c848ca734892ea2e8ab90d84317ee3
SHA1a1b38d4f1b466061481bdfde7628139c908f7ee5
SHA25601c53abd5585992f9d62de40f4750899829b9e7e4a026b8d9f5d1cb1748a3fa9
SHA512cec124435d6d4c76497e7886ca317a0c12a9d8e77200ba94cf6a699b318b91cb4db886eba5a5161941a7dd349f827cd3694abb864d6e37a9084a208276bee7df