Analysis

  • max time kernel
    1200s
  • max time network
    1156s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    11-08-2024 15:36

General

  • Target

    em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi

  • Size

    94.2MB

  • MD5

    f740670bd608f6a564366606e0bba8da

  • SHA1

    c635e8453bf0f06c34d41d3319670e5dc966a5f4

  • SHA256

    ba3cdc5190b44da96e5ecb5f39e2cbe3713984dc8062cdab679c759de51500b1

  • SHA512

    88f1e800265e4e72f914e50240a6a7cca630ea4bcd6981be13237cc6f42b182741542b907737490a367453c179ace55fb64c3e0fb2cb6ecf1bace7a442458e0e

  • SSDEEP

    1572864:SX+lBWb7cVOxi2CDRq/SUx6EIL2CjmFkm+pF7Vxo81MOL9vh12epl37cTLiAhRLh:nLYxsRq/76L2CjmCZpRXouxvD6LbhRHJ

Malware Config

Extracted

Family

lumma

C2

https://swinngydisaosp.shop/api

https://deallerospfosu.shop/api

https://bassizcellskz.shop/api

https://mennyudosirso.shop/api

https://languagedscie.shop/api

https://complaintsipzzx.shop/api

https://quialitsuzoxm.shop/api

https://tenntysjuxmz.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Checks for any installed AV software in registry 1 TTPs 8 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 22 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 25 IoCs
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2532
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 33CF2474294946FC6E8659275E4D03DF
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2460
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B14C21B2B285295289E9D00E20C7B2C9 M Global\MSI0000
      2⤵
      • Drops file in Windows directory
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\COMODO\Endpoint Manager\" && "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe
          "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe"
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:2412
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2028
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:864
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "00000000000004C0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2652
  • C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe
    "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe"
    1⤵
    • Checks for any installed AV software in registry
    • Drops file in System32 directory
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe
      "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1348
    • C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe
      "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe" noui
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:788
    • C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe
      "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2468
    • C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe
      "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --start
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:992
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:2292
    • C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe
      "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"
      1⤵
      • Drops file in Windows directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe
        "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --run_procedure --in Global\sharedInputMemory_1 --out Global\sharedOutputMemory_2 --err Global\sharedErrorMemory_3
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "AutoIt3.exe script.a3x"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Users\Admin\AppData\Local\Temp\theistically\AutoIt3.exe
            AutoIt3.exe script.a3x
            4⤵
            • Command and Scripting Interpreter: AutoIT
            • Suspicious use of SetThreadContext
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
              "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2296
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:3068

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\f789002.rbs
        Filesize

        711KB

        MD5

        4d323f4a9fbd056b54246c04aeb9e9b5

        SHA1

        61acb6a6da45a4b65d421a793f32cf99046fecbe

        SHA256

        31655aa6f12d6ad8ea425e38a9ed48022fcbdab68514497738caa8d4d1767d66

        SHA512

        952dae2ce15e8e3387c1b19501b76b3dad03b36994f67127090ed5d08956dcb0fde81bcb49a2daefd48c9c3422f5e2800f059ce9b099a0b000635baea34c0c95

      • C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe
        Filesize

        3.0MB

        MD5

        a5b010d5b518932fd78fcfb0cb0c7aeb

        SHA1

        957fd0c136c9405aa984231a1ab1b59c9b1e904f

        SHA256

        5a137bfe1f0e6fc8a7b6957d5e9f10df997c485e0869586706b566015ff36763

        SHA512

        e0ca4b29f01f644ef64669ed5595965b853ae9eaa7c6c7d86df7634437041ef15ceb3c2d1ab9dec4171c80511684a7d7b06fc87b658e5a646699eb9523bc4994

      • C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe
        Filesize

        8.4MB

        MD5

        6b4752088a02d0016156d9e778bb5349

        SHA1

        bd13b1f7b04e0fe23db6b3e4bd0aa91c810e1745

        SHA256

        f64f13bf19726624a9cbaedda03a156597737581d6bc025c24e80517f5cab011

        SHA512

        0fe982b0b551238fc881511cdd0656ee71f22aca3a5e83ef7ce41b3adf603f1be17ba3e2c10797ee3dfb5e15ff1ac3e8cf4e05c657e7c047f302f50baa42ba2d

      • C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools-18.2.dist-info\zip-safe
        Filesize

        2B

        MD5

        81051bcc2cf1bedf378224b0a93e2877

        SHA1

        ba8ab5a0280b953aa97435ff8946cbcbb2755a27

        SHA256

        7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

        SHA512

        1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

      • C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-core-file-l1-2-0.dll
        Filesize

        10KB

        MD5

        7d64aefb7e8b31292da55c6e12808cdb

        SHA1

        568c2a19a33bb18a3c6e19c670945630b9687d50

        SHA256

        62a4810420d997c7fdd9e86a42917a44b78fb367a9d3c0a204e44b3ff05de6d4

        SHA512

        68479da21f3a2246d60db8afd2ae3383a430c61458089179c35df3e25ca1a15eba86a2a473e661c1364613baa93dcb38652443eb5c5d484b571ab30728598f9b

      • C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-core-file-l2-1-0.dll
        Filesize

        10KB

        MD5

        dcd09014f2b8041e89270fecd2c078b2

        SHA1

        b9f08affdd9ff5622c16561e6a6e6120a786e315

        SHA256

        6572965fd3909af60310db1e00c8820b2deef4864612e757d3babab896f59ed7

        SHA512

        ef2ac73100184e6d80e03ce5aa089dbddb9e2a52adf878c34b7683274f879dcf2b066491cfc666f26453acbd44543d9741f36369015bd5d07e36b49d435751f6

      • C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-core-localization-l1-2-0.dll
        Filesize

        13KB

        MD5

        3979437d6817cdf82da474c8a1eefb0d

        SHA1

        5e96fe40993acbc7c2e9a104d51a728950ad872e

        SHA256

        3dd2e16b6f135cdd45bce4065f6493540ebbaf2f7f1553085a2442ea2cf80a10

        SHA512

        4f64c6d232fdae3e7e583cb1aa39878abbfbbc9466108b97a5dce089c35eb30af502b5b212b043c27c1b12b23c165bd2b559060c43d9e2efcdda777b34f0066b

      • C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-core-processthreads-l1-1-1.dll
        Filesize

        11KB

        MD5

        4da67feefeb86b58a20b3482b93285b3

        SHA1

        6cd7f344d7ca70cf983caddb88ff6baa40385ef1

        SHA256

        3a5d176b1f2c97bca7d4e7a52590b84b726796191ae892d38ad757fd595f414d

        SHA512

        b9f420d30143cf3f5c919fa454616765602f27c678787d34f502943567e3e5dfb068fec8190fea6fa8db70153ed620eb4fe5dc3092f9b35b7d46b00cc238e3ba

      • C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-core-timezone-l1-1-0.dll
        Filesize

        11KB

        MD5

        3339350008a663975ba4953018c38673

        SHA1

        78614a1aad7fc83d6999dcc0f467b43693be3d47

        SHA256

        4f77abb5c5014769f907a194fd2e43b3c977df1fb87f8c98dd15a7b950d1e092

        SHA512

        a303fd57dd59f478a8d6c66785768886509625a2baf8bf2b357bb249fc93f193ac8c5c2c9193e53738805700e49b941bf741d6c4850a43f29a82424ccdda191b

      • C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-convert-l1-1-0.dll
        Filesize

        14KB

        MD5

        392b572dc6275d079270ad8e751a2433

        SHA1

        8347bba17ed3e7d5c2491f2177af3f35881e4420

        SHA256

        347ceeb26c97124fb49add1e773e24883e84bf9e23204291066855cd0baea173

        SHA512

        dbdbd159b428d177c5f5b57620da18a509350707881fb5040ac10faf2228c2ccfd6126ea062c5dd4d13998624a4f5745ed947118e8a1220190fdb93b6a3c20b7

      • C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-environment-l1-1-0.dll
        Filesize

        11KB

        MD5

        9806f2f88ba292b8542a964c0b102876

        SHA1

        c02e1541a264a04963add31d2043fa954b069b6b

        SHA256

        cf601a7b883bb4fb87c28b4a1d9f823d2454b298cdbcb4da4f508db8bd1278ba

        SHA512

        d68cb926de3caa498ad2aea60e2c5dbb72f30836a6ad9bb11a48f2ca706656981d9332dae44769ccf6f8de3b2ea1507983440afbe1322520f2fd1674cd8de823

      • C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-filesystem-l1-1-0.dll
        Filesize

        12KB

        MD5

        1747189e90f6d3677c27dc77382699d8

        SHA1

        17e07200fc40914e9aa5cbfc9987117b4dc8db02

        SHA256

        6cc23b34f63ba8861742c207f0020f7b89530d6cdd8469c567246a5879d62b82

        SHA512

        d2cc7223819b9109b7ce2475dfb2a58da78d0d3d606b05b6f24895d2f05fb1b83ee4c1d7a863f3c3488f5d1b014cd5b429070577bd53d00bb1e0a0a9b958f0b1

      • C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-heap-l1-1-0.dll
        Filesize

        11KB

        MD5

        1bcb55590ab80c2c78f8ce71eadeb3dc

        SHA1

        8625e6ed37c1a5678c3b4713801599f792dc1367

        SHA256

        a3f13fa93131a17e05ad0c4253c34b4db30d15eae2b43c9d7ec56fdc6709d371

        SHA512

        d80374ec9b17692b157031f771c6c86dc52247c3298594a936067473528bbb511be4e033203144bbf2ec2acfd7e3e935f898c945eb864dcf8b43ae48e3754439

      • C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-runtime-l1-1-0.dll
        Filesize

        15KB

        MD5

        047c779f39ebb4f57020cd5b6fb2d083

        SHA1

        440077fc83d1c756fe24f9fb5eae67c5e4abd709

        SHA256

        078d2551f53ca55715f5c6a045de1260ce331b97fd6d047f8455e06d97ef88dc

        SHA512

        95a57d79c47d11f43796aea8fd1183d3db9448dee60530144b64a2dd3cd863f5b413356076c26101d96dd007ebf8aff9e23cf721ba4e03d932c333b8e5536b73

      • C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-stdio-l1-1-0.dll
        Filesize

        16KB

        MD5

        10e9dfc88bf784847e7b9aab82e28d0c

        SHA1

        cb750cf87d561ca32f5860854da374dae6c9f2ad

        SHA256

        e6bab87156c9e7ae14ce36a754eb6891891a22ddfff584b706538152017fbb0f

        SHA512

        29c2edb44cada75ee8ccae1b55a405c8282c937450913196d54b6da1a1e121451c6e14a92a200574984961fa8c649d8a40caf58ea50a33d42a7dfae4439091c2

      • C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-time-l1-1-0.dll
        Filesize

        13KB

        MD5

        fa5327c2a3d284385d8dc3d65935604b

        SHA1

        a878b7cdf4ad027422e0e2182dad694ed436e949

        SHA256

        704ad27cab084be488b5757395ad5129e28f57a7c6680976af0f096b3d536e66

        SHA512

        473ff715f73839b766b5f28555a861d03b009c6b26c225bc104f4aab4e4ea766803f38000b444d4d433ff9ea68a3f940e66792bae1826781342f475860973816

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log
        Filesize

        33KB

        MD5

        65a146f7dd5563d27a276c30561264dd

        SHA1

        2e36aaf5640721c59483008a313b74bf8f81e957

        SHA256

        ad4986f5e2ab72ae8dd621eaba878ee4c06f471f98055f04cdb3b401aa3d9b25

        SHA512

        9ed4475eb8ac3655ceb41b5980c88faa0b7d4ce96230e938ba694ef6cd619f670c1fa098e63e9e1e532726cd11665633917e6ff9d231ffdd8d60801fbca79489

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.2
        Filesize

        33KB

        MD5

        c309e2433be5f96acde254312684aee0

        SHA1

        51d1bf62dc09d747d8a684c582461c829e2864f3

        SHA256

        bb25cd88c44850ff74e39a11da8ca05f6b620bb129c30fa258e96b70eeb457e1

        SHA512

        c78b08f2b18db960eadcaf2d41b2ee5e8f10e623632b429052a31bcfbf568c2bfb5c739d88243f98cfdbc46a5be31519f2b3c0fca8274a73e2dae3728bede607

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.3
        Filesize

        33KB

        MD5

        612bf2cfba447c3875e141e513906ca1

        SHA1

        663fa12be883e279e9409489237e5321ee95843f

        SHA256

        b0a69cf675b84e398c8d0936e0bb83a3d341a7734be32642eeb43fb6a957c529

        SHA512

        6567ac12a5a324db6c8b16e1072975554c31f8c0f07aae0abeacc5e974428abbdedcc2e1e773657e8e77c00af199b49f5d8eab7fffa8e17c6fe879b5a5dd44b5

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
        Filesize

        33KB

        MD5

        9a04cff65bfd51c076615c118935536a

        SHA1

        8c42aa23e6479c72054534b6ebdc29f7ef5d12f5

        SHA256

        55a02ec11d991ec0a8f22668f7eca74d9fc6ee463d22946201c5eee7140493dd

        SHA512

        0dfeb855ca3337a75c39a009ffac81e95151c1edef6882426cdbb5174671e20fe09277a431b74b495266fbe930bc93bcc70ec362e74ccc80c7a537495fadd2c0

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
        Filesize

        33KB

        MD5

        266dffc9f0ec10752ea5abecd3ec6779

        SHA1

        e2c3d033710497040761e7c806a02e0f01bc174a

        SHA256

        613a42b7140752d65f99e76a0902c69d31c7368ad23328ef5c24cac62acca687

        SHA512

        5be7e004e27b5a9e1482076515f86c016f1d9c9c9638f5ebbf78cddd57b0d9e4e2fd0c561a01d9db888f0f8990f5a1ad8b44cb246a5182bfafa88090662a9804

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
        Filesize

        33KB

        MD5

        0090618c8b916561a8c7cf7c67c8de29

        SHA1

        2faf09a3cb4d6ca801f8884f40e3d072fd4ac426

        SHA256

        1bcf934566cc7087780769e12e70037fbf4b213267e137aacc41e25fc4c9f8e9

        SHA512

        978950c5457a67fabe22dcf8ce85499e600919e33b8dddcf4f3d238f4b69b575e5dff6c7f2b27e21ed1c905024633ec15970fb4f2b414f6d507860737b222e79

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
        Filesize

        33KB

        MD5

        1d326a8359b6970132f0007b7aa1d643

        SHA1

        ab424cd1ac2957741e70b0951f251f9343ce4457

        SHA256

        383c39c7108b268170476953d881e9765a835c7ed4836f7ff581dd96cb9d5c19

        SHA512

        1a9ca119b2db02da23f1e03767b960df01b7c85ac4662694cdcb975581db7e84dfb2adde166109ca5beae076a1b254b7a18bfcb847cbc99c102ecac1493385ff

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
        Filesize

        33KB

        MD5

        13004c24f20710ffbc1d6ca6e412d148

        SHA1

        ae08cff43427c001ea91ff08396340540cf5dd54

        SHA256

        205aa2349e946b0fd526c3fc2b115b074bb3186699354d0f6235ab82ea89538b

        SHA512

        8cd701157d5c4a6edcf68fbb83ba32688b97c57e50e752a1449ebd09e62a89509da712106b30180ab9742292dcfa959b14bbbdfcce896d4118437f3f40cd809e

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
        Filesize

        33KB

        MD5

        0b1b51f44093eb20bf870d200e98f9a2

        SHA1

        e217c8f05511fb87ec333027be220ce1259fdcfe

        SHA256

        c34f944c4c07471f480c4d6be30d141d4dd0a9c4236412fa7bd7f46efbbec59e

        SHA512

        fbdd41ad3492c8534ea0106fe87a13e50da724da500d59a5aa032e108c1818d3b713a4ff22178d708f1ea56b5667bd203184fadf8329dd5434347014d3692c5a

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
        Filesize

        33KB

        MD5

        e8dc138c18fd4ea6f1ce3ac65c8c6c89

        SHA1

        a096b9a9f3157a27c962496060008abe0d467b01

        SHA256

        ce8bd7a610caf271239713a3412a9ad8b84f56707aa7ed7bd57c7f3c71443c47

        SHA512

        84d5ad721cbbd560a3bccad9e565bb351f333cf268a6e40c06325f8d1dc94f077bcd3ba55780b69ac15ca5d7c8597a8b23b8c867ca0ac72659e60149dd38ff00

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
        Filesize

        33KB

        MD5

        8ab3abbb33742e8d2b4b7f155ff25482

        SHA1

        1c60a2e6485435e3976e1a0064097fa58e7f56b3

        SHA256

        a58996f75160afdef2ceea0bdac2f81393530994e6a28223fd57f363799a306f

        SHA512

        caf167cde342763e77fd31264d1adbfae57acdbb63768046d7faf4e737c83f650127585c9aa4c1f3a93e9b8f71fc101ea476e6ae7558777ae90ef590992dc3bc

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
        Filesize

        33KB

        MD5

        c72d4425c5a868e04bd30524755a0658

        SHA1

        4e56a054dc5c92e7724ce0a7f3dd22dcdc8896da

        SHA256

        d203417bfbcf901bb31a81ff15b902e5cc61422492933f408b116c9e77b2292a

        SHA512

        10017edcc335a686d3b004e15c1ce07d58197219b2ead5c7f9b0ca4937b6f39b5f6de925f047a19e8009ece65b95a8e75d86dbc9550b8a3f26a10ad945f2186a

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
        Filesize

        32KB

        MD5

        8c0dbc925b04d4e4b4faec84ff785f62

        SHA1

        96dea61050b15f8bea7bcac52068b7e6c98581dc

        SHA256

        7ec9d7deddb7adc8968ddc1a005f7c4b3ac7298938407e6ddb890408771c1d51

        SHA512

        f847a390bf80ff58d24a2bbdc626edca13d6021f24f88a20238d90686391b32e8b04d5bfa17019ad06d93020931864ff3a4b8d50f946d4420a6b7e9a10ce3e73

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
        Filesize

        33KB

        MD5

        5964c19317dbccc04b5579244480bb14

        SHA1

        d1bf80bc9f427894e887f8b972488cfcc8dd7bc4

        SHA256

        cfc559fbe0fc757ec349073eacb49f49fe6087f59f31709c91de71b635be8acb

        SHA512

        ec0368431146ed87cfc3285aca6665a366d6768b2cafada41bd99f8898a34308404c90618a072d8d8ac057f4d4b9b7639fde72f30eb95c9ea0e0ee1884688b28

      • C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
        Filesize

        33KB

        MD5

        8ecd999b13c0c91744e671cfeb80b1a4

        SHA1

        3f457202afaf8ad98b90b54e83d0f0f80366eed0

        SHA256

        65c2611eacb89f78f7c3fdf304c7dc97fd01bf4eb22f028042340cfe88c6600e

        SHA512

        98650221a1c7bc9a48f18999a5969d6a3f3014c0275f0993b1501351ea0b447b77080cd038532a25fa1ed609a2953be348ada0f40a5592e202bd7bd5b670d9d2

      • C:\Program Files (x86)\COMODO\Endpoint Manager\ucrtbase.DLL
        Filesize

        1.1MB

        MD5

        126fb99e7037b6a56a14d701fd27178b

        SHA1

        0969f27c4a0d8270c34edb342510de4f388752cd

        SHA256

        10f8f24aa678db8e38e6917748c52bbcd219161b9a07286d6f8093ab1d0318fa

        SHA512

        d787a9530bce036d405988770621b6f15162347a892506ce637839ac83ac6c23001dc5b2292afd652e0804bd327a7536d5f1b92412697c3be335a03133d5fe17

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
        Filesize

        765B

        MD5

        fff2cc217cec93b9b4e91ea34e23efaa

        SHA1

        c6a7f0e18796e1c6b789ec9fb7e98fbc639bc1df

        SHA256

        9bd2f914e637e30ba764c0af86102be829546122e443b30588e5e9723a15873b

        SHA512

        f426e383b51806458533ddd15e4aec6cddde1acf497b8a84542818c4dffa3b5c21093a075a79a8e46ce5ddf6d16be9ed66c339724c63f76c6be7bd048cef5a3a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784
        Filesize

        637B

        MD5

        f29448db915ce12024c00f8db2735a37

        SHA1

        8c42cc59bf9684c8913d77b6481d6f9a35291fe2

        SHA256

        1220fbb03d07705373e10fff29e767a41a523ff3bbd1280f1e6c313421bd6930

        SHA512

        932aa9847dc8630259827605dbf4cca4a778fda7ae164b814d6d552086812395441389179094c01c0225477aafdf9f3e2daa235e5884cf6eba01d32ee54b6b01

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
        Filesize

        1KB

        MD5

        8991f83c49d2736793a0c917c3d8ae4d

        SHA1

        71752a06511633fcb9d2df14b507e555e4d1b17a

        SHA256

        a94ee10e4836486a24b1020e70055b440e46b52913a6e9cd66d0cae467276990

        SHA512

        6fedbb05506b87ca954be1e413a1ca2824ae3b060242e89a1002a06d6549838f2d9e09768a878211a1929ef9cd260415bb061a8a28d16ee6e647780fc7e8b3cd

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
        Filesize

        484B

        MD5

        143277119f5b776602cb6e066a592ef9

        SHA1

        d71bc83bb1887788dc9343ff1ca4e46c3d99302a

        SHA256

        1f3a5dedfc14a1601a198a160c73f737c729b9ae24d663daa065da4b5cc58b5e

        SHA512

        bcf6365797b2beb39665946591bcbaa46866226383ef1d56e83d1050c3db423775df1ca6ddde0880050675bfeae8f5e4ed2de71b70c5efd7235a0a4d4c7f12a2

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784
        Filesize

        480B

        MD5

        9493968fd466bbe91a581c59bbabc7f3

        SHA1

        92ecf33c08abcc0c4f639b5e9ca1690844d055be

        SHA256

        26bf160842112d4ad74ac220d88f467b1bf4c2b877dabef525803ddbb0dc167a

        SHA512

        d24ec47225b91f95bf01d4e43b812d0408ac122c957bd36b05ed4f5c18231b8cbd0f94ed18de8743f909c5737b7cf069bf35c29139ea961323a90216466c621b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        bfdc1b8228c0011487de1f74135e365e

        SHA1

        d577fa41126bee00d798c1bb1ee3614c51ae33c0

        SHA256

        e45ca302e9048419044b4ca466611f0b2610c2a1173ff8fc1c31378f40633ac6

        SHA512

        e0848fd1747112c8e8584a92a588a23c4f9b00fd84e144da6e9e98445daea019de653bc746020a51fe2214bb2c9b60d0852c9453740199d039e30fd5cd8601fb

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
        Filesize

        482B

        MD5

        20319835c12d04ca96bc49027d3d61f0

        SHA1

        e4c2084e4b2ea1200e4cdfa82d7cde5f83e6b6d1

        SHA256

        ef8f3c8c93799e69900d90fa63ccc19f614e7f808ce2e0876dd8a35987cf3dce

        SHA512

        94b5da867413fca1a514937a948de4704b07a9e21461906d500ea195e81479738d34015d4e1ed754f84becc2ec6f85642f5eb973c795c3b4a63490f5389853ca

      • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
        Filesize

        226B

        MD5

        feceaa82323f9de4d3578592d22f857d

        SHA1

        4c55c509e6d16466d1d4c31a0687ededf2eabc9a

        SHA256

        61480b43136b02965f59e3256b8de1bf35caa7c084a7bcb3ed5f4236451d4484

        SHA512

        82dac003d30eed4fc4e06ab4a426c9b7f355d777c243b710c5c0d3afc4c26d93874af2d0a542fca4a2038050b0d0fa8f63ed82e5f2771ae8a4de0f3b08d56d45

      • C:\Users\Admin\AppData\Local\Temp\Cab2906.tmp
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\Tar2918.tmp
        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Windows\Installer\MSI96D5.tmp
        Filesize

        285KB

        MD5

        82d54afa53f6733d6529e4495700cdd8

        SHA1

        b3e578b9edde7aaaacca66169db4f251ee1f06b3

        SHA256

        8f4894b9d19bfe5d8e54b5e120cef6c69abea8958db066cdd4905cc78ecd58b6

        SHA512

        22476e0f001b6cf37d26e15dfb91c826c4197603ea6e1fbb9143c81392e41f18fa10a2d2d1e25425baaf754bff7fd179ef1df34966c10985e16d9da12a445150

      • C:\Windows\Installer\MSI9BA6.tmp
        Filesize

        203KB

        MD5

        d53b2b818b8c6a2b2bae3a39e988af10

        SHA1

        ee57ec919035cf8125ee0f72bd84a8dd9e879959

        SHA256

        2a81878be73b5c1d7d02c6afc8a82336d11e5f8749eaacf54576638d81ded6e2

        SHA512

        3aaf8b993c0e8f8a833ef22ed7b106218c0f573dcd513c3609ead4daf90d37b7892d901a6881e1121f1900be3c4bbe9c556a52c41d4a4a5ec25c85db7f084d5e

      • \Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-core-synch-l1-2-0.dll
        Filesize

        11KB

        MD5

        c250b2e4ff04d22306bf8ce286afd158

        SHA1

        e5c60b7892ff64cbff02d551f9dbf25218c8195b

        SHA256

        42367b6b7285bddc185c0badefe49e883646f574b1d7d832c226f2d1ce489c5b

        SHA512

        a78c4ddf98330698c9da8d1d2c7c3176f22dfabf0900008cff1f294f56a2a14b52becd09ba37a065d544f58617911b3f5850614b5aabd0ec7daf236f29c9b10b

      • \Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-locale-l1-1-0.dll
        Filesize

        11KB

        MD5

        7481e20041cf8e366d737962d23ec9de

        SHA1

        a13c9a2d6cf6c92050eaae5ecb090a401359d992

        SHA256

        4615ec9effc0c27fc0cfd23ad9d87534cbe745998b7d318ae84ece5ea1338551

        SHA512

        f7a8e381d1ac2704d61258728a9175834cf414f7f2ff79bd8853e8359d6468839585cb643f0871334b943b0f7b0d868e077f6bd3f61668e54785ee8b94bf7903

      • \Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-string-l1-1-0.dll
        Filesize

        17KB

        MD5

        1f1d50aa4553e77f6b90ae13bd56a95c

        SHA1

        cf421a298f485c2a000791e1840ededeea19bad0

        SHA256

        d343529d2a49cbb89d644deafce573b873ab45e0bf57e2d906b2f2a964d7bd9a

        SHA512

        a08bdcc2883066a8bdb9336eec5c7f8593202c367ce75a7d7390ed4c6e0e1dbe80b7afadeee78f12ac0386d70ac360af12bf0ff3285acda0425789038951f180

      • \Program Files (x86)\COMODO\Endpoint Manager\log4cplusU.dll
        Filesize

        471KB

        MD5

        0b03f7123e8bc93a38d321a989448dcc

        SHA1

        fc8bfdf092cdd6b9c1ec3b90389c035c37e50bd7

        SHA256

        a7fbfdb3100c164f139e9d0ebcf47282308e5173ab610dcb20a05b6e0615b54b

        SHA512

        6d00c65111c0f389ad189178705ed04712b2c6de8918f58de7c3747126a4b4e50b4a73525cc0993af02d35323b1430f34baf6f99712df822d6cdc63e24ed7ae5

      • \Program Files (x86)\COMODO\Endpoint Manager\msvcp140.dll
        Filesize

        426KB

        MD5

        8ff1898897f3f4391803c7253366a87b

        SHA1

        9bdbeed8f75a892b6b630ef9e634667f4c620fa0

        SHA256

        51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

        SHA512

        cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

      • \Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe
        Filesize

        7.2MB

        MD5

        dcebee7bb4e8b046b229edc10ded037f

        SHA1

        f9bdf0b478e21389800542165f721e5018d8eb29

        SHA256

        2eb0eefab534217953744c2cc36de2e1a1ced6ea882734e7b1f4b34a0b19689b

        SHA512

        9827600a19da5a816f1b0d93aa2629cb48f13f6e5fc42cd44bb1031ecd2e942854b34e7da44335acb85e42c44b1e720e9da8bc1d9ad23a9b1de0190f026f4d30

      • \Program Files (x86)\COMODO\Endpoint Manager\vcruntime140.dll
        Filesize

        74KB

        MD5

        1a84957b6e681fca057160cd04e26b27

        SHA1

        8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

        SHA256

        9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

        SHA512

        5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

      • memory/1340-5180-0x00000000015F0000-0x000000000163C000-memory.dmp
        Filesize

        304KB

      • memory/1348-5116-0x0000000000850000-0x000000000085A000-memory.dmp
        Filesize

        40KB

      • memory/1348-5115-0x0000000000850000-0x000000000085A000-memory.dmp
        Filesize

        40KB

      • memory/1348-5132-0x0000000000880000-0x000000000088A000-memory.dmp
        Filesize

        40KB

      • memory/1348-5131-0x0000000000880000-0x000000000088A000-memory.dmp
        Filesize

        40KB

      • memory/1348-5508-0x0000000000880000-0x000000000088A000-memory.dmp
        Filesize

        40KB

      • memory/1348-5509-0x0000000000880000-0x000000000088A000-memory.dmp
        Filesize

        40KB

      • memory/2296-5608-0x0000000000400000-0x0000000000459000-memory.dmp
        Filesize

        356KB

      • memory/2296-5609-0x0000000000400000-0x0000000000459000-memory.dmp
        Filesize

        356KB

      • memory/2468-5137-0x0000000000180000-0x000000000018A000-memory.dmp
        Filesize

        40KB

      • memory/2468-5158-0x00000000002B0000-0x00000000002BA000-memory.dmp
        Filesize

        40KB

      • memory/2468-5157-0x00000000002B0000-0x00000000002BA000-memory.dmp
        Filesize

        40KB

      • memory/2468-5161-0x00000000002B0000-0x00000000002B6000-memory.dmp
        Filesize

        24KB