lumma | ba3cdc5190b44da96e5ecb5f39e2cbe3713984dc8062cdab679c759de51500b1

Analysis

max time kernel
1199s
max time network
1173s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-08-2024 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
Size

94.2MB
MD5

f740670bd608f6a564366606e0bba8da
SHA1

c635e8453bf0f06c34d41d3319670e5dc966a5f4
SHA256

ba3cdc5190b44da96e5ecb5f39e2cbe3713984dc8062cdab679c759de51500b1
SHA512

88f1e800265e4e72f914e50240a6a7cca630ea4bcd6981be13237cc6f42b182741542b907737490a367453c179ace55fb64c3e0fb2cb6ecf1bace7a442458e0e
SSDEEP

1572864:SX+lBWb7cVOxi2CDRq/SUx6EIL2CjmFkm+pF7Vxo81MOL9vh12epl37cTLiAhRLh:nLYxsRq/76L2CjmCZpRXouxvD6LbhRHJ

Score

10^/10

lumma discovery execution persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://swinngydisaosp.shop/api

https://writerospzm.shop/api

https://deallerospfosu.shop/api

https://bassizcellskz.shop/api

https://mennyudosirso.shop/api

https://languagedscie.shop/api

https://complaintsipzzx.shop/api

https://quialitsuzoxm.shop/api

https://tenntysjuxmz.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Endpoint Manager = "C:\\Program Files (x86)\\COMODO\\Endpoint Manager\\ITSMAgent.exe"	msiexec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	600	msiexec.exe
5	600	msiexec.exe
7	600	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	ITSMService.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\	ITSMService.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	ITSMService.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
5076	AutoIt3.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E455012CBF4BA8A2AC67618C00590908	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ITSMService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E455012CBF4BA8A2AC67618C00590908	ITSMService.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5076 set thread context of 2356	5076	AutoIt3.exe	103

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\idlelib\AutoExpand.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\distlib\_backport\misc.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools\command\install_lib.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\demos\bitmaps\justify.xbm	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\bsddb\dbrecio.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\html5lib\trie\__init__.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\Maseru	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Etc\GMT-9	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\demos\bitmap.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\xmfbox.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\xml\sax\handler.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\distlib\wheel.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\New_York	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Australia\Victoria	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\Variable.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Omsk	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Brussels	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\bitmaps\resize2.xbm	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\DLLs\unicodedata.pyd	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\rfc822.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\chardet\hebrewprober.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\encoding\macJapan.enc	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\hotshot\stats.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\chardet\mbcharsetprober.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\chardet\sbcsgroupprober.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools\version.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\Algiers	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\edr-plugin.dll	msiexec.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\token.ini	MsiExec.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\copy_reg.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\gyp-0.1-py2.7.egg\gyp\generator\msvs_test.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\poplib.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Antarctica\Syowa	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\compiler\ast.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\html5lib\sanitizer.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\North_Dakota	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\symtable.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\nl_be.msg	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Los_Angeles	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Manaus	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip-7.1.2.dist-info\RECORD	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\mk.msg	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Vladivostok	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\xml\dom\xmlbuilder.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\urllib3\util\connection.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\encoding\cp1254.enc	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\da.msg	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Australia\Lord_Howe	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\contextlib.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\email\mime\text.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\encodings\cp865.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\idlelib\macosxSupport.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Samara	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\demos\bitmaps\filebox.xbm	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\demos\images\face.xbm	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\images\README	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\_strptime.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools\command\install_egg_info.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools\site-patch.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\id.msg	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Antigua	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\README.txt	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Ulaanbaatar	python_x86_Lib.exe
File created	C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\images\tai-ku.gif	python_x86_Lib.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI959A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI97AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB908.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5792e9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI94DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI98AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9DFB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E5A.tmp	msiexec.exe
File created	C:\Windows\Installer\e5792e9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI983C.tmp	msiexec.exe
File created	C:\Windows\Installer\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC07.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\e5792eb.msi	msiexec.exe

Executes dropped EXE 9 IoCs

pid	Process
1628	python_x86_Lib.exe
4344	ITSMService.exe
1032	ITSMAgent.exe
3952	ITSMAgent.exe
1112	ITSMAgent.exe
2732	RmmService.exe
3428	RmmService.exe
2752	RmmService.exe
5076	AutoIt3.exe

Loads dropped DLL 64 IoCs

pid	Process
4808	MsiExec.exe
4808	MsiExec.exe
4808	MsiExec.exe
4808	MsiExec.exe
2264	MsiExec.exe
2264	MsiExec.exe
2264	MsiExec.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
3952	ITSMAgent.exe
3952	ITSMAgent.exe
3952	ITSMAgent.exe
3952	ITSMAgent.exe
3952	ITSMAgent.exe
3952	ITSMAgent.exe
3952	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
2264	MsiExec.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1112	ITSMAgent.exe
1112	ITSMAgent.exe
1112	ITSMAgent.exe
1112	ITSMAgent.exe
1112	ITSMAgent.exe
1112	ITSMAgent.exe
1112	ITSMAgent.exe
1112	ITSMAgent.exe
1112	ITSMAgent.exe
1112	ITSMAgent.exe
1112	ITSMAgent.exe
1112	ITSMAgent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
600	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python_x86_Lib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ITSMAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RmmService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RmmService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ITSMAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ITSMAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RmmService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe

Modifies data under HKEY_USERS 60 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ITSMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	ITSMService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ITSMService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ITSMService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ITSMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ITSMService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ITSMService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53\Blob = 03000000010000001400000040cef3046c916ed7ae557f60e76842828b51de5314000000010000001400000017d9d6252767f931c24943d93036448c6ca94feb040000000100000010000000886ea78b530e0fd5bda4e12527ab6a2c0f00000001000000300000005d2164164eb6f3820b9b8d7a5601b60ebf70d832d2029c6c3c966db107dfcb1ba12a25700f26ca3d5b36e4a6cb576cfa19000000010000001000000092a08f142bb795a2197a0d3c7af066f55c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001d0600003082061930820401a0030201020210137d539caa7c31a9a433701968847a8d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a308195310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313d303b060355040313345365637469676f20525341204f7267616e697a6174696f6e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a02820101009c930246454a524892fc578df92dea53beb32cd5d8a8a5ec5b6903c01d10f65933defe0748a8e88c7a674af1f58dc33766d03291f7c49d0460c4b54ae2838ba7ae26d45d3a5ef8d11671bb8abd71a27dc8cea26024b052a03a4551de78936c6260f1e4569cb73bf73c55d8dfd57a317c357f125170e12cbe04accbfa4fe17c656ac040a7d97ca5638419e1f7caefaab4e8585ad999e326df8e12b2b8dc33b236da141d965842406e0b22851c5122aec4c806456d92e667b71923e4d8366b85d07fc752e3cfb07501e089b4a8bf8a364ea3e06ceb8441cea52f482213975062451e09a5cc9f6c57704006db20e81bd6f3938ba7329eb7441509d7affd7c011cdb0203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e0416041417d9d6252767f931c24943d93036448c6ca94feb300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c050003820201004e134096c9c3e66e5bc0e3baf417e1ae091fc9bfcb0c2516f27353b3761ab7ab4806d6cd007c204543456c165a1b1361d749baa402a4ace8cece2dc92a74a3dcdeaeabd06836f891af3c01f777d50bcf97abeb87e715a8fa305a617120b1c043c4b98f6d8a31eb153624fb62d50b9c8fe966bde661519793b61d87bdb0b56cfea6112906613431303d20277351d0de8583d37739204696daa7c65a162785b2cf4e0f4e8c5cbebe3800f84bf9727bd4f27ad7a22985d004bad3422c5188522ed13d246747ec55cc1bf4ca34ea26c1deddc42189f6ba7b321e8e965e844538cf80aa37698b6017741548919c6df04ea377ca1b1c48faf9cf49e85f4f850ae28f901bab704c9aebb7a63fb4ac5da45fcfe6d88a9690f74f268160765d0f247791b32a319f165ab25d8c1c29aa489c8e6fd3784070db77ecdde3d15705702de64998880584620570567686394ed3226f1dfe6df10eb362c43ccbc085b9611ebae1158059940cae05bb8c7f56be1cd25abf97f26a4cb0c67076b0908dc10b36b911d8d6285cea4ffe24b7180a9b0cd0c17c5cfb69bdcca24dc690bca64df2b1bad69a675b960252d082f9c40a5c0d28e03fc8fa959589d5a4be496c40b23ea86bb8d525b2c4fef1d3d7e7d6dc43017630fb3b8b5df74a897c9a35befccaf05701f08d3fa087327b475a974b82d266c2c42dea3f24f4a7f9a8b9e36ad91861a03b8c15	ITSMService.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07EFF3737FF5D2942A4FC0A6518D5D30\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDM\proxy = "false"	ITSMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\ProductIcon = "C:\\Windows\\Installer\\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\\icon.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Version = "151109272"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Language = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CDM	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061\07EFF3737FF5D2942A4FC0A6518D5D30	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\PackageName = "em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\PackageCode = "D7076E96D3235814DB26ACC95D2BAD84"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07EFF3737FF5D2942A4FC0A6518D5D30	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\ProductName = "Endpoint Manager Communication Client"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1032	ITSMAgent.exe
3952	ITSMAgent.exe
1112	ITSMAgent.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1484	msiexec.exe
1484	msiexec.exe
4344	ITSMService.exe
4344	ITSMService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	600	msiexec.exe
Token: SeSecurityPrivilege	1484	msiexec.exe
Token: SeCreateTokenPrivilege	600	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	600	msiexec.exe
Token: SeLockMemoryPrivilege	600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	600	msiexec.exe
Token: SeMachineAccountPrivilege	600	msiexec.exe
Token: SeTcbPrivilege	600	msiexec.exe
Token: SeSecurityPrivilege	600	msiexec.exe
Token: SeTakeOwnershipPrivilege	600	msiexec.exe
Token: SeLoadDriverPrivilege	600	msiexec.exe
Token: SeSystemProfilePrivilege	600	msiexec.exe
Token: SeSystemtimePrivilege	600	msiexec.exe
Token: SeProfSingleProcessPrivilege	600	msiexec.exe
Token: SeIncBasePriorityPrivilege	600	msiexec.exe
Token: SeCreatePagefilePrivilege	600	msiexec.exe
Token: SeCreatePermanentPrivilege	600	msiexec.exe
Token: SeBackupPrivilege	600	msiexec.exe
Token: SeRestorePrivilege	600	msiexec.exe
Token: SeShutdownPrivilege	600	msiexec.exe
Token: SeDebugPrivilege	600	msiexec.exe
Token: SeAuditPrivilege	600	msiexec.exe
Token: SeSystemEnvironmentPrivilege	600	msiexec.exe
Token: SeChangeNotifyPrivilege	600	msiexec.exe
Token: SeRemoteShutdownPrivilege	600	msiexec.exe
Token: SeUndockPrivilege	600	msiexec.exe
Token: SeSyncAgentPrivilege	600	msiexec.exe
Token: SeEnableDelegationPrivilege	600	msiexec.exe
Token: SeManageVolumePrivilege	600	msiexec.exe
Token: SeImpersonatePrivilege	600	msiexec.exe
Token: SeCreateGlobalPrivilege	600	msiexec.exe
Token: SeBackupPrivilege	4168	vssvc.exe
Token: SeRestorePrivilege	4168	vssvc.exe
Token: SeAuditPrivilege	4168	vssvc.exe
Token: SeBackupPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeBackupPrivilege	1596	srtasks.exe
Token: SeRestorePrivilege	1596	srtasks.exe
Token: SeSecurityPrivilege	1596	srtasks.exe
Token: SeTakeOwnershipPrivilege	1596	srtasks.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeBackupPrivilege	1596	srtasks.exe
Token: SeRestorePrivilege	1596	srtasks.exe
Token: SeSecurityPrivilege	1596	srtasks.exe
Token: SeTakeOwnershipPrivilege	1596	srtasks.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
600	msiexec.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
600	msiexec.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe
1032	ITSMAgent.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
1032	ITSMAgent.exe
3952	ITSMAgent.exe
4344	ITSMService.exe
1112	ITSMAgent.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe
4344	ITSMService.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1596	1484	msiexec.exe	77
PID 1484 wrote to memory of 1596	1484	msiexec.exe	77
PID 1484 wrote to memory of 4808	1484	msiexec.exe	79
PID 1484 wrote to memory of 4808	1484	msiexec.exe	79
PID 1484 wrote to memory of 4808	1484	msiexec.exe	79
PID 1484 wrote to memory of 2264	1484	msiexec.exe	80
PID 1484 wrote to memory of 2264	1484	msiexec.exe	80
PID 1484 wrote to memory of 2264	1484	msiexec.exe	80
PID 2264 wrote to memory of 2440	2264	MsiExec.exe	81
PID 2264 wrote to memory of 2440	2264	MsiExec.exe	81
PID 2264 wrote to memory of 2440	2264	MsiExec.exe	81
PID 2440 wrote to memory of 1628	2440	cmd.exe	83
PID 2440 wrote to memory of 1628	2440	cmd.exe	83
PID 2440 wrote to memory of 1628	2440	cmd.exe	83
PID 1628 wrote to memory of 5080	1628	python_x86_Lib.exe	84
PID 1628 wrote to memory of 5080	1628	python_x86_Lib.exe	84
PID 1628 wrote to memory of 5080	1628	python_x86_Lib.exe	84
PID 4344 wrote to memory of 1032	4344	ITSMService.exe	88
PID 4344 wrote to memory of 1032	4344	ITSMService.exe	88
PID 4344 wrote to memory of 1032	4344	ITSMService.exe	88
PID 4344 wrote to memory of 3952	4344	ITSMService.exe	89
PID 4344 wrote to memory of 3952	4344	ITSMService.exe	89
PID 4344 wrote to memory of 3952	4344	ITSMService.exe	89
PID 4344 wrote to memory of 1112	4344	ITSMService.exe	90
PID 4344 wrote to memory of 1112	4344	ITSMService.exe	90
PID 4344 wrote to memory of 1112	4344	ITSMService.exe	90
PID 4344 wrote to memory of 2732	4344	ITSMService.exe	96
PID 4344 wrote to memory of 2732	4344	ITSMService.exe	96
PID 4344 wrote to memory of 2732	4344	ITSMService.exe	96
PID 3428 wrote to memory of 2752	3428	RmmService.exe	99
PID 3428 wrote to memory of 2752	3428	RmmService.exe	99
PID 3428 wrote to memory of 2752	3428	RmmService.exe	99
PID 2752 wrote to memory of 2256	2752	RmmService.exe	101
PID 2752 wrote to memory of 2256	2752	RmmService.exe	101
PID 2752 wrote to memory of 2256	2752	RmmService.exe	101
PID 2256 wrote to memory of 5076	2256	cmd.exe	102
PID 2256 wrote to memory of 5076	2256	cmd.exe	102
PID 2256 wrote to memory of 5076	2256	cmd.exe	102
PID 5076 wrote to memory of 2356	5076	AutoIt3.exe	103
PID 5076 wrote to memory of 2356	5076	AutoIt3.exe	103
PID 5076 wrote to memory of 2356	5076	AutoIt3.exe	103
PID 5076 wrote to memory of 2356	5076	AutoIt3.exe	103
PID 5076 wrote to memory of 2356	5076	AutoIt3.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:600

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 963C39A03ABE35E976C6B951E7BBA706
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4808
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0B1F20B3CA74936C04A0537E30B7BAE0 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\COMODO\Endpoint Manager\" && "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe
      "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1692

C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe
"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe"
1⤵
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe
  "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1032
- C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe
  "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe" noui
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3952
- C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe
  "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1112
- C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe
  "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --start
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2732

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1368

C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe
"C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe
  "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --run_procedure --in Global\sharedInputMemory_1 --out Global\sharedOutputMemory_2 --err Global\sharedErrorMemory_3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "AutoIt3.exe script.a3x"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\theistically\AutoIt3.exe
      AutoIt3.exe script.a3x
      4⤵
      Command and Scripting Interpreter: AutoIT
      Suspicious use of SetThreadContext
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:736

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3904

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5792ea.rbs

Filesize
709KB

MD5
a413fe93a83e5368e752a2d78cb8d931

SHA1
cf834a10ce7f1b5f7dbde1fad8cfcb02c0f07b07

SHA256
6169fe65e55c8484adc9a3542c5c19f505261a68559f01d74cdee4408cd76e54

SHA512
7ed4fa33ab9ce0caf191e8113e579ac3bc645baf62d8cc357fe0b456c9fc9a133d0edfccda19ef5d01d7470f671cb0b2700890effee44d40c8708c15aeb85753

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe

Filesize
3.0MB

MD5
a5b010d5b518932fd78fcfb0cb0c7aeb

SHA1
957fd0c136c9405aa984231a1ab1b59c9b1e904f

SHA256
5a137bfe1f0e6fc8a7b6957d5e9f10df997c485e0869586706b566015ff36763

SHA512
e0ca4b29f01f644ef64669ed5595965b853ae9eaa7c6c7d86df7634437041ef15ceb3c2d1ab9dec4171c80511684a7d7b06fc87b658e5a646699eb9523bc4994

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe

Filesize
8.4MB

MD5
6b4752088a02d0016156d9e778bb5349

SHA1
bd13b1f7b04e0fe23db6b3e4bd0aa91c810e1745

SHA256
f64f13bf19726624a9cbaedda03a156597737581d6bc025c24e80517f5cab011

SHA512
0fe982b0b551238fc881511cdd0656ee71f22aca3a5e83ef7ce41b3adf603f1be17ba3e2c10797ee3dfb5e15ff1ac3e8cf4e05c657e7c047f302f50baa42ba2d

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools-18.2.dist-info\zip-safe

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\MSVCP140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Core.dll

Filesize
5.1MB

MD5
9356330cdf731eea1e628b215e599ce5

SHA1
88645c60b3c931314354d763231137a9ec650f1b

SHA256
ad045d1d084a88fe3f48c12aee48746b22cb3a579f9140840c54ae61f7af3478

SHA512
3d9ab9b1cdecad6809be96d82df2d1b9b8c9e1a7cf0ac79a820a92b11c8fa079f5a2c3875ba0b733503742c6977d6239ce22acec023a22038b2e7ee1ebd62d90

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Gui.dll

Filesize
5.2MB

MD5
d29d11da9f344f6d679a0de7b3174890

SHA1
b4cac4aa9c6b82e8d2d0c43991e8073261c13089

SHA256
079e3a248d169143a3d5da48d24dbcc0ce5fb8aaccbc02a6fce61c5fe2461b9f

SHA512
b43f2ef86d6fe4beb28a10e19834a4f76dbaddd071d16353b2641b72f2faa552a3bdba33a606da71a34ebb932f57dd142758b4a0a240231022c8bed8ee97cad6

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Network.dll

Filesize
1015KB

MD5
de150de21f1a2b72534eaa4aa4f03202

SHA1
39ed224cced1266d4adc5e68f6516979b8f52b33

SHA256
03871db7d626d14e84d8ebf007139aa2c08038cd3403ac6259f1a2eb01ae1477

SHA512
30eff193620724cda86e6de31c430f9d4426e677a553c7918f9b85dbfc67687acdecc2a29e45473666c01ce311b73833d9f79db8a93e80570c7ace8837ca531a

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Sql.dll

Filesize
174KB

MD5
88aeafdcc3f3fa04b9b20022906745b0

SHA1
9dc03428234000d19bbc3cb437d370b8e1863329

SHA256
cd84c9c486c3e967ddd061718893ef5ee48eca24f77e3366b8fd3d2dd21f477f

SHA512
5ea87730f26b16215eb2b892a6da689524546ef6cfaf4e6c1f4e0afa083ceec3e8f00c9259d316d84ef4cb05b01023a1362b4a676d10b55e06ee365557ab7986

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\Qt5Widgets.dll

Filesize
4.4MB

MD5
13f078d5c63cb192f68b45f5767a9e6f

SHA1
6149189a1553c2e0e6d715d3177c16c11af7d33a

SHA256
b0abf95a23e1616f3542a8cb794aac5b7463dff3db8621e3cd719ab1dd7f6226

SHA512
f3293fcdccb4901d4eb405706ad20da361140842a335e6f6a7ce54222fe028a1da2179be14ec40dbb5a1784ed5d33bd467174091606e6fcac12039dc0f48e52a

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\libssl-1_1.dll

Filesize
533KB

MD5
bf2cae7a6256b95e1ba1782e6a6c5015

SHA1
3fbdc3afa52673c7bdfab16b500bbe56f1db096b

SHA256
352d2fd16675855e20cc525b6376734933539b76bc4b40d679d3069008fe4cfc

SHA512
90755eb718ba404b0e48a6713d4680db252f8156328a58fc347e74d84b8bd53a7a6276755c672240c0e5d78200130e3ddf86990779ddd86c6d10cebf2bc02c9e

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\log4cplusU.dll

Filesize
471KB

MD5
0b03f7123e8bc93a38d321a989448dcc

SHA1
fc8bfdf092cdd6b9c1ec3b90389c035c37e50bd7

SHA256
a7fbfdb3100c164f139e9d0ebcf47282308e5173ab610dcb20a05b6e0615b54b

SHA512
6d00c65111c0f389ad189178705ed04712b2c6de8918f58de7c3747126a4b4e50b4a73525cc0993af02d35323b1430f34baf6f99712df822d6cdc63e24ed7ae5

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\proxy_settings.ini

Filesize
101B

MD5
273ec42863e3d9f999381f09c13d313b

SHA1
008d1954b2a7d1c692a697c891f9692f41f10481

SHA256
4dd2c699bbb8c398788067be6fc82edc68c8246b8f6765169776bb24ebd0c487

SHA512
940df3f73592ccabc27bf2cc77de98eade7eb8988d30144060c817eda614085e36eadb699b02123c63774416e827194c269acd1267fad1d560b7df86a79ed89b

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe

Filesize
7.2MB

MD5
dcebee7bb4e8b046b229edc10ded037f

SHA1
f9bdf0b478e21389800542165f721e5018d8eb29

SHA256
2eb0eefab534217953744c2cc36de2e1a1ced6ea882734e7b1f4b34a0b19689b

SHA512
9827600a19da5a816f1b0d93aa2629cb48f13f6e5fc42cd44bb1031ecd2e942854b34e7da44335acb85e42c44b1e720e9da8bc1d9ad23a9b1de0190f026f4d30

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log

Filesize
65KB

MD5
97ecc9d2f0e8122c390da2fba3ce0a30

SHA1
d81b4720f1aa2351a7e5ae845c6aff308a71792e

SHA256
128e105f0960c8fb0203fccb7182d9d36b25a76c2224854237dd41f780b25b93

SHA512
957b7fcf0844024f55d678837e8c740bc9aa01078c81c3a03152ff454d37e20c0b269d1ffe5efdc5738aefd53c4bc7a2d60fdb859330c26d635c400f114ec476

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1

Filesize
33KB

MD5
da6764e2bdb3b988b7c7eecd62c39b36

SHA1
cb883a4feab90b85e8ed5277f8770615bf748308

SHA256
4feb733a6106068d2f4c642ccc4aff70ab539033ca52ecdb89253b3761cb025d

SHA512
4cce4e1fb7a3ae0757a78453504cc8d0deb5f24d575a23b13c5c7c9a20538bcb47c91913b2ed0dab9b110dbbed140266e6aeae76770a0e2abec2f170912b879f

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.2

Filesize
33KB

MD5
3223c316cee2e46b52caa6f13f67f0a3

SHA1
33885c0aa4e5a65b4a6ca8463bf680068d2c8cf8

SHA256
9ba8b32e39dc43db5e29990f4a15f5fc0f1867ae6919f3362713ec0b1a8a5381

SHA512
66110cb7a910495a7c9c8c51e669bff38d76e07286db4447294b7c42164caf3aea4af99b22a01d5c458a2a518f014a3c24baab5f312893f0d3e69fcc1bd330fc

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.3

Filesize
33KB

MD5
1ef70ca2bf2c84d80efbfb5420eaa9bf

SHA1
7afb50f809a80d87a48d9f187a5df6610d2a0eef

SHA256
3ec0ce3b15f713c06493f208891dff683d1e2e50abda7c66419a9b200cc21c5e

SHA512
4a2d1636ed6c85e8096202f6943591f56cf8a96f480abd597317ac673cc133822169a573604da220a2aed2b258704f59eb3762b7f7d11208cfbe3e7356312457

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
5917f4630e308f3f741735cdb1f468b8

SHA1
92be32db04ea7c34706fa24b4b2a217cc9a99972

SHA256
2d1aa572f0cfb627d8264ab16bbd385a8ec2fd8e0d58afbf16b66416ac52aef7

SHA512
bb1ca46984e05e5612d34dc36cca851b170ad73b4d292d096fb25389b54610ea053065fb8f3ce831641ef3ab436810a63374e1ae87e3fbbe071303197c43af93

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
16f34b1b87cd763228be48aee1bfe5ed

SHA1
591140c1e23ccc22cf2231b9f3444fe8b609eb88

SHA256
02c6957abbdc1ecb3941ee9e8a487233cc48ad2e005fd00cca8d87d79b8e310f

SHA512
6cc1cb4c46514df6006db2b4193c38003beaf22ffcc69d5fdd2e0c1bfaa1408e2f7a41919290a515d29fd90a61791a56fda0b55d0f161abbbcdccf8d68eb97c8

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
e19ca9db4c9556bb771cce90734eec6b

SHA1
90c386db3888997acf3d50372bf2e60bfe241254

SHA256
a416ce654ed32535c38c3e7d673911ad37674fb09aeb65f43caac22c29eddc74

SHA512
a751fa846f307ec3d70e5140409be8e7dc10411bc01fbb4bd2d49b8e8aeb3557e525f31918b77732ad626e300e6a0225e45386673efd9e6f07ce3e435e377686

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
ff059d2419b3c85ed252779327de80d2

SHA1
5fd1b51a887de814f89c88a00b141e413252f77d

SHA256
5f5fdfb46494de0f268f6705dbbb02f4200d5f22a5704356b68d1453cf309533

SHA512
3bf12b481d43c2e356d5713517c630dc9cd6134aa1dd87f7e1a0547624741b220fc6baa1e511b002a83dd9b7353cf2e86640d69cdd6d503e38e5dd3b38471164

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
b02cc3ea04df6ae2cf40ad89ecdc8aa0

SHA1
a1a4d62518604e1f81b4c428267e1aec1fed8db2

SHA256
2a4a616d70cb616f1fb82c55b189c1857e4b11844f7d700462e946c30dae0509

SHA512
da529b1e52ef62806ee4421ac31dfdcac17eb41a20c69afb4e919dd9b5339313ca258f3b9e6ee7de550568985176578f71d3d4147143c1c889041217d066e1e0

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
24fb990b8b6e7206932c6072cf2fab3c

SHA1
0604fc3de7beaa57b527415e208e8a371d22989f

SHA256
402093c82277243451a4eec3541a43cbf8493e893f51c332f6ad8a8be5d71b62

SHA512
7c5504a77c1efa3e5140d01b869b48d6fdd5490587ed2eb83d991a1123dd762e0836327163730456f7ab9b81aedfbd1fcba3a26de5473a88b7e2b46cbb927244

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
a93b67dc4da1378756eda9b8141c854f

SHA1
7df567cf798c14c26fd1f6770d851b250f5645b8

SHA256
04a9af4d8fd51ab00407322d9818a9b7bc4995419a685f63a57d0290602f629c

SHA512
44650f7f78cac16d1bb9925f3dc4f6da9b9f1f2cd1b69bd8a50246c9a9852ad06feabec9ef3603b3106be7527e001295b775872e80387cd0cb0eacbe518b4613

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
43e6c2f0559d17a9e84dd697dc57423d

SHA1
f9e0201b93b87b7552f2624ef165f90467b8b4f2

SHA256
11b22762903fd4d1092b787f7c1e37157964e09d5dbbb59892202cf7df5bd896

SHA512
fa35fefe90c52b6ce2280ac2228e5ba57909fbcec5d0a790ac789cff83f9298f5f2a75ead564d109bc1160b5ff07aee2265b0a4a4640bd89b56b961b12290168

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
1ddafb47aa7d9e1de92fde3915ed6142

SHA1
faf90c17a0beebff92ab977351c4b8c39288e91e

SHA256
6d1b0a18497f9cd60848ce503bd6a02f08b7007157ce6f0cc700bca1d1dcbee3

SHA512
97a75b8c0ce5e18bb849e9b44c150bcfd4bdf6de0f6d4e2cc3efa406c40ba50f58f2ae4d1eb42a3dc78989c6be3f3cd1efa214dda40015d0297672ad3a881320

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
6812c7faed51ea7323cd396495187595

SHA1
6a09ea805c3fbcbf83dfe1e5fc115a8edf4de93d

SHA256
df1f4094179966f9b8d3ab4857da0a014f87324aefb8ba76202b37a7294e2fe8

SHA512
b8102bd4c65e0999a42e7af2b22c839316e5aa57ba1043f1c0261c76659e589ad2af680f8e2f53b1a57ffe7ed26b6ce5a21604ab3517b4afea3ad14db30be2b8

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
773ba123a936d78845d30468a7bf2863

SHA1
26b68bfe684fa4fa9e97e4de5a632c6fc90ea3dd

SHA256
1b0a3d1eb4cf1c0ede33b7ceef149eb192a513e9b13642e3c653553a8ade71e8

SHA512
47f73fab486c5787ebf1262431757c175fdf8131d9cd60562ca8c6ad2b05457c02e0006f9f8bbd487c3afdb381e932fb8102d39cf99f984d8d11376a63bff57d

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
63b7c6d6bd0a181d20e199b3ff02a9f7

SHA1
470672b848bdcaa08537697a9736b75196cf9255

SHA256
4162939bfe818ce2b6ef3b10562b341c702db8a976cfad0edcc78c1d8c8f84b7

SHA512
f58c624d35926de54bdad7b66c12d546bd7fff3cce8dda85451401c1f07ac1561fbb0ee1a652d3299c58b5d5ac15a8656baa5a77e12bb4334040360502a3eb17

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
b81ce80a2257d2440801bc3eb62fc3d0

SHA1
d21326b530bafc2edc8dc3dd54aab80e5ad353d5

SHA256
9f25e57822f1ad0109572fb6dfa35f1764ba4218a08f661e711460c5e843a17a

SHA512
ece6acc0cb975dbec76311de20cf008bf832ad6758cf01d8a78c78b3d1eec7bbc81872a78e3fd7d95962df04b2af3edec66b5525b41dc3d25f2827843180ce5c

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
7a586dbf0fc1770ea5cf70927e729003

SHA1
27a988b1e2cbfb809f47e6960f47ebc549093797

SHA256
6b7d591089dbce8fe83a515055a014073615211ac7d73760677e60c73d3b01c5

SHA512
4192ec9da5df9a5376798afb6dda744ef72bc580469c23c851b80e47c9a956f63d2c9922537111af5061f7833ffe13b552ff8aa366cfa0e831ce649756f979b4

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
32KB

MD5
b83940967d9098174d5dc1efbd444218

SHA1
5044a57bb2a6dcfd8ff6f9cd32139a7a292e5468

SHA256
b56c0a9ffe883624b1d7d82b83bad731fcae75a8facc3fd05e58e37a050cbfe5

SHA512
32e87d07c65c2a1f5987b38c3be8fe7f7665f62b1ac3a64fa96966d55dd97072b493757492e8cd486908bea59da3feb9d311fe657db3ebaec74452dae9d30a4f

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
0ef05dbd08e57cd2725d0618a0d50cad

SHA1
bb5647fa99dab33dbb4766f67b26a4d38bdd6286

SHA256
29e318782729f2bb36165b1bc5add685849fd78c55920cb42348c733f054cfac

SHA512
03add5d378bc0146e95024639991105c7c26f5ca433bae10cf1a5c2b46c94aa85573b50e6b2ed0eba2136984dd344802f2345346bbe04bd73b7a8686dfc23cf8

Download Submit
C:\Program Files (x86)\COMODO\Endpoint Manager\token.ini

Filesize
8B

MD5
16674a4fdd74f7a049320075c9665d93

SHA1
574c925e2d534034b08dff253071fcc1c2309e3a

SHA256
c7df218540f5780d54f5591c888acdee8ee5fbc3337bf6b8d8bad66709895446

SHA512
44b7ac04e901b7e5876f5fe8c44a91258836dffa73b7eadf8b8daec78f3dc124eb140f1cc0bc2442ec75742c429aa4b8f878582c52b77d65c8d562099082e371

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013

Filesize
765B

MD5
fff2cc217cec93b9b4e91ea34e23efaa

SHA1
c6a7f0e18796e1c6b789ec9fb7e98fbc639bc1df

SHA256
9bd2f914e637e30ba764c0af86102be829546122e443b30588e5e9723a15873b

SHA512
f426e383b51806458533ddd15e4aec6cddde1acf497b8a84542818c4dffa3b5c21093a075a79a8e46ce5ddf6d16be9ed66c339724c63f76c6be7bd048cef5a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784

Filesize
637B

MD5
f29448db915ce12024c00f8db2735a37

SHA1
8c42cc59bf9684c8913d77b6481d6f9a35291fe2

SHA256
1220fbb03d07705373e10fff29e767a41a523ff3bbd1280f1e6c313421bd6930

SHA512
932aa9847dc8630259827605dbf4cca4a778fda7ae164b814d6d552086812395441389179094c01c0225477aafdf9f3e2daa235e5884cf6eba01d32ee54b6b01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
8991f83c49d2736793a0c917c3d8ae4d

SHA1
71752a06511633fcb9d2df14b507e555e4d1b17a

SHA256
a94ee10e4836486a24b1020e70055b440e46b52913a6e9cd66d0cae467276990

SHA512
6fedbb05506b87ca954be1e413a1ca2824ae3b060242e89a1002a06d6549838f2d9e09768a878211a1929ef9cd260415bb061a8a28d16ee6e647780fc7e8b3cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013

Filesize
484B

MD5
08e416c63188c5e2bcff64e070451596

SHA1
e63e9e40e936bd0455cd0b07aef788ebf779e0e7

SHA256
28c05dbcf00e662482bf1bc990f977e697afb8c8aecc852ec0c7642317ac727f

SHA512
68477763b4b9ff9e616ae2d58a9dc316f4159e83e18f4d28841160c0e0834b6693597f1af50862de1d28ea40b657e10c82b1a2ec6b8a32fc57ada3a5d84bb464

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784

Filesize
480B

MD5
6218561f4b84a2e4d7d3d2d43d859d51

SHA1
07adba9cff1167f62c459225518e69982a667efa

SHA256
3cdbecc799b5c263182ffa531c6dc9396133d27210e8a93ba7a27d4c2a40caef

SHA512
b06c617145e7224147db5212f06e6661380f5225a6523986cf7a522f42e549c926d247ea43434e83029f829532a0ba9b0a514516d3edc8e3abd27d7dbd4a9bcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
dd6544622fd79dbc330dd02c24b58f76

SHA1
ba43d12ac68447c3e5cb26f4f027139ce94569d5

SHA256
a218108690c69eea429740a2aa4ddeab3dc9190e9e4ad0d1516c17e9ed053a78

SHA512
96daf6eeca30e52981a95b03071e5d4a83b45d4cf8447c33bef0023246dd5530dd4ca703d3ed469ed881050e73025b4205a33639194d1f8cd1da979baf8f29c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
226B

MD5
feceaa82323f9de4d3578592d22f857d

SHA1
4c55c509e6d16466d1d4c31a0687ededf2eabc9a

SHA256
61480b43136b02965f59e3256b8de1bf35caa7c084a7bcb3ed5f4236451d4484

SHA512
82dac003d30eed4fc4e06ab4a426c9b7f355d777c243b710c5c0d3afc4c26d93874af2d0a542fca4a2038050b0d0fa8f63ed82e5f2771ae8a4de0f3b08d56d45

Download Submit
C:\Windows\Installer\MSI94DD.tmp

Filesize
285KB

MD5
82d54afa53f6733d6529e4495700cdd8

SHA1
b3e578b9edde7aaaacca66169db4f251ee1f06b3

SHA256
8f4894b9d19bfe5d8e54b5e120cef6c69abea8958db066cdd4905cc78ecd58b6

SHA512
22476e0f001b6cf37d26e15dfb91c826c4197603ea6e1fbb9143c81392e41f18fa10a2d2d1e25425baaf754bff7fd179ef1df34966c10985e16d9da12a445150

Download Submit
C:\Windows\Installer\MSI959A.tmp

Filesize
203KB

MD5
d53b2b818b8c6a2b2bae3a39e988af10

SHA1
ee57ec919035cf8125ee0f72bd84a8dd9e879959

SHA256
2a81878be73b5c1d7d02c6afc8a82336d11e5f8749eaacf54576638d81ded6e2

SHA512
3aaf8b993c0e8f8a833ef22ed7b106218c0f573dcd513c3609ead4daf90d37b7892d901a6881e1121f1900be3c4bbe9c556a52c41d4a4a5ec25c85db7f084d5e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
26.0MB

MD5
b0353995e921ab2e666d92a9b56c0981

SHA1
d507f5cfb4b6a18adb077a77b331269611052873

SHA256
c7692867340b8366651655af9c4a16832a3b9974730340d91d9e4b4f66ca088b

SHA512
a1c5f58aaaab8b22a1aa50ca0772f7e80f304db51b2515c0448ef80de5bde0717228d0a84d6bb2d9d859d83ba263d63fadf1662c4b885fbb44c2fdd23dcfbf8b

Download Submit
\??\Volume{38fc5f00-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8b328b46-73f4-4d6c-8c39-9ca306f1a2c1}_OnDiskSnapshotProp

Filesize
5KB

MD5
c065149247ecc5601270ed28af79bbcb

SHA1
898173599c13af47c6fb726fc3c0c071c33a3611

SHA256
11c061118c696c244faab3c31f8c1b9d8f1b7b05c76b795ed776a563c5c49caf

SHA512
0e0b4844d0ab6045c5b4c21296561940ff74cec4e0f80732a43aa18250cdbb8470631ebea1dd489111032b0c27c489ba921d6dd47d6229599f3fcc36ae83e93c

Download Submit
\Program Files (x86)\COMODO\Endpoint Manager\ApplicationManagement.dll

Filesize
87KB

MD5
25c603e78d833ff781442886c4a01fe6

SHA1
6808adc90eb5db03163103ec91f7bc58ee8aa6d0

SHA256
94afd301c1baa84b18e3b72d017b6a009145c16c6592891c92f50c127e55169e

SHA512
84e33be97d97ae341d74fc8273d191df519616f12bec8ac2f89454897c30a5f7bf9115f208c8dae78da83f0ca7bf9e5f07544d37d87b07f63408fbc91e449d54

Download Submit
\Program Files (x86)\COMODO\Endpoint Manager\Qt5Xml.dll

Filesize
163KB

MD5
4bac5e44b4b2f138f6608c661330dad0

SHA1
b08ff311b24d9bbc48d4014d7a0cd0de129a19e7

SHA256
59ba9deba38b1e652a046fd6b58847a58883f2d8c5c1e81acfa78d2daad98a1c

SHA512
74871aaaf8dc3fc006f7a1fdc42eabf5a86e34674d34362b2b00bdebe023d78fa0e6a5ef4676dc038178a6eeb01a0ba1676f68a1cc6828ac8d4ece550106ee0a

Download Submit
\Program Files (x86)\COMODO\Endpoint Manager\Qt5XmlPatterns.dll

Filesize
2.2MB

MD5
e2749ff4266d5a933feb7685dfe375b2

SHA1
f09a432c67f45fc2ed27c762db4176b7dd47e908

SHA256
e4ee537b6a585ec7656afd9fc6fd3f655ff44bec6ff8ec291fc3e868caade27c

SHA512
4efc6b0b8d39b47d9c415fc3bc7460e4f738e3694fac691bf94569549569a8d65270a54488af3ae49de9fabdbe518250ceee83f6633e1da407636e6e02bac8bb

Download Submit
\Program Files (x86)\COMODO\Endpoint Manager\libcrypto-1_1.dll

Filesize
2.5MB

MD5
8f4ccd26ddd75c67e79ac60afa0c711f

SHA1
6a8b00598ac4690c194737a8ce27d1d90482bd8b

SHA256
ab7af6f3f78cf4d5ed4a2b498ef542a7efe168059b4a1077230a925b1c076a27

SHA512
9a52ac91876eea1d8d243c309dadb00dfae7f16705bde51aa22e3c16d99ccf7cc5d10b262a96cfbb3312981ac632b63a3787e8f1de27c9bb961b5be6ff2ba9f4

Download Submit
\Program Files (x86)\COMODO\Endpoint Manager\qdjango-db0.dll

Filesize
132KB

MD5
342249e8c50e8849b62c4c7f83c81821

SHA1
618aa180b34c50e243aefbf36bb6f69e36587feb

SHA256
07bc6eb017005500d39e2c346824eef79b3e06f60c46fb11572f98d4fe4083c5

SHA512
32a44252926881edf916ac517cb55d53b0b1b5adcc5952a674d1707d2c1431a68b27e593b4c4fcab0648e3cbeddf3d4e8024ff2a3385af9dbd2b2244e518340a

Download Submit
\Program Files (x86)\COMODO\Endpoint Manager\rmmproxy.dll

Filesize
154KB

MD5
84c848ca734892ea2e8ab90d84317ee3

SHA1
a1b38d4f1b466061481bdfde7628139c908f7ee5

SHA256
01c53abd5585992f9d62de40f4750899829b9e7e4a026b8d9f5d1cb1748a3fa9

SHA512
cec124435d6d4c76497e7886ca317a0c12a9d8e77200ba94cf6a699b318b91cb4db886eba5a5161941a7dd349f827cd3694abb864d6e37a9084a208276bee7df

Download Submit
\Program Files (x86)\COMODO\Endpoint Manager\sqldrivers\qsqlite.dll

Filesize
1.1MB

MD5
d9d7b0d7386cd57e4301d57cb7294b4b

SHA1
dcf385b8d3f9f99a07e1b7757508e5e4080f336c

SHA256
a4ee1bc55369a13b3e721aa48e44de31c6f00439838e923ab7a66438fbab4002

SHA512
e1568ce01edd46aabc795dd4eacab565ffc8dc0271129b5aa770f3763fba756a5de59aa4329510e65282bb19537874c6f307712a7fa2b6971f50dbee7b2664d7

Download Submit
\Program Files (x86)\COMODO\Endpoint Manager\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
memory/2356-5645-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2356-5646-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download