Analysis
max time kernel
1200s
max time network
1156s
platform
windows7_x64
resource
win7-20240704-en
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted
11-08-2024 15:36
Static task
static1
Behavioral task
behavioral1
Sample
em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
Resource
win7-20240704-en
Behavioral task
behavioral3
Sample
em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
Resource
win11-20240802-en
General
Target
em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
Size
94.2MB
MD5
f740670bd608f6a564366606e0bba8da
SHA1
c635e8453bf0f06c34d41d3319670e5dc966a5f4
SHA256
ba3cdc5190b44da96e5ecb5f39e2cbe3713984dc8062cdab679c759de51500b1
SHA512
88f1e800265e4e72f914e50240a6a7cca630ea4bcd6981be13237cc6f42b182741542b907737490a367453c179ace55fb64c3e0fb2cb6ecf1bace7a442458e0e
SSDEEP
1572864:SX+lBWb7cVOxi2CDRq/SUx6EIL2CjmFkm+pF7Vxo81MOL9vh12epl37cTLiAhRLh:nLYxsRq/76L2CjmCZpRXouxvD6LbhRHJ
Malware Config
Extracted
lumma
https://swinngydisaosp.shop/api
https://deallerospfosu.shop/api
https://bassizcellskz.shop/api
https://mennyudosirso.shop/api
https://languagedscie.shop/api
https://complaintsipzzx.shop/api
https://quialitsuzoxm.shop/api
https://tenntysjuxmz.shop/api
Signatures
Adds Run key to start application 2 TTPs 1 IoCs
Processes: msiexec.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Endpoint Manager = "C:\\Program Files (x86)\\COMODO\\Endpoint Manager\\ITSMAgent.exe" | msiexec.exe
Blocklisted process makes network request 4 IoCs
Processes: msiexec.exe
flow | pid | process
3 | 2532 | msiexec.exe
5 | 2532 | msiexec.exe
7 | 2532 | msiexec.exe
9 | 2532 | msiexec.exe
Checks for any installed AV software in registry 1 TTPs 8 IoCs
Processes: ITSMService.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS | ITSMService.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS | ITSMService.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm | ITSMService.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\ | ITSMService.exe
Delete value | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity | ITSMService.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity | ITSMService.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm | ITSMService.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm | ITSMService.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs
Uses AutoIT, possibly to run an automated script.
Drops file in System32 directory 4 IoCs
Processes: ITSMService.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD | ITSMService.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD | ITSMService.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E455012CBF4BA8A2AC67618C00590908 | ITSMService.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E455012CBF4BA8A2AC67618C00590908 | ITSMService.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: AutoIt3.exe
description | pid | process | target process
PID 2820 set thread context of 2296 | 2820 | AutoIt3.exe | GoogleUpdateCore.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 64 IoCs
Processes: python_x86_Lib.exe, msiexec.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\chardet\sbcharsetprober.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\th.msg | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Araguaina | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\Grid.tcl | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\RDesktop.exe | msiexec.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\pty.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\demos\images\noletter.xbm | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\msgs\eo.msg | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\tk.tcl | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tty.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\retrying.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Aqtau | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\opt0.4\optparse.tcl | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Atlantic\Faroe | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools\command\bdist_egg.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\en_be.msg | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\bitmaps\act_fold.gif | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\msgs\pt.msg | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\encoding\macTurkish.enc | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Gambier | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\US\Eastern | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\demos\bitmaps\bold.xbm | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\idlelib\WindowList.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools-18.2.dist-info\DESCRIPTION.rst | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Tokyo | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\demos\MkScroll.tcl | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\doctest.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\hotshot\__init__.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Etc\GMT-5 | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\US\Alaska | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\platform.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Guatemala | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Iqaluit | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\demos\square | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\html5lib\treewalkers\_base.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Asuncion | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\idlelib\SearchEngine.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\cachecontrol\caches\redis_cache.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools\command\install.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\Nairobi | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\demos\widget | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\pref\12Point.fs | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\email\mime\text.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\idlelib\FileList.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\en_bw.msg | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Indian\Mayotte | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\MST7MDT | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\xml\etree | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\encoding\cp874.enc | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\init.tcl | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\encodings\iso2022_kr.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\demos\license.terms | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\audiodev.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\ctypes\wintypes.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Jerusalem | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Qyzylorda | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Japan | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\DirTree.tcl | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\scrlbar.tcl | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\sq.msg | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\Johannesburg | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\__init__.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pkg_resources\_vendor\packaging\version.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\xml\parsers\expat.py | python_x86_Lib.exe
Drops file in Windows directory 22 IoCs
Processes: msiexec.exe, DrvInst.exe, MsiExec.exe, RmmService.exe
description | ioc | process
File opened for modification | C:\Windows\Installer\f789000.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA098.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB801.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\icon.ico | msiexec.exe
File created | C:\Windows\Installer\f789003.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f789001.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI9F11.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA200.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBAD0.tmp | msiexec.exe
File created | C:\Windows\Installer\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\icon.ico | msiexec.exe
File created | C:\Windows\Installer\wix{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}.SchedServiceConfig.rmi | MsiExec.exe
File opened for modification | C:\Windows\WindowsUpdate.log | RmmService.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\f789001.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF6F7.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI96D5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9BA6.tmp | msiexec.exe
File created | C:\Windows\Installer\f789000.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE579.tmp | msiexec.exe
Executes dropped EXE 9 IoCs
Processes: python_x86_Lib.exe, ITSMService.exe, ITSMAgent.exe, ITSMAgent.exe, ITSMAgent.exe, RmmService.exe, RmmService.exe, RmmService.exe, AutoIt3.exe
pid | process
2412 | python_x86_Lib.exe
1340 | ITSMService.exe
1348 | ITSMAgent.exe
788 | ITSMAgent.exe
2468 | ITSMAgent.exe
992 | RmmService.exe
1596 | RmmService.exe
1540 | RmmService.exe
2820 | AutoIt3.exe
Loads dropped DLL 64 IoCs
Processes: MsiExec.exe, MsiExec.exe, cmd.exe, ITSMService.exe, ITSMAgent.exe
pid | process
2460 | MsiExec.exe (4 identical entries)
1796 | MsiExec.exe
1796 | MsiExec.exe
1716 | cmd.exe
1796 | MsiExec.exe
1340 | ITSMService.exe (35 identical entries)
1348 | ITSMAgent.exe (21 identical entries)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: ITSMAgent.exe, RmmService.exe, MsiExec.exe, python_x86_Lib.exe, ITSMAgent.exe, cmd.exe, GoogleUpdateCore.exe, cmd.exe, ITSMAgent.exe, RmmService.exe, MsiExec.exe, cmd.exe, RmmService.exe, ITSMService.exe, AutoIt3.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ITSMAgent.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RmmService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | python_x86_Lib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ITSMAgent.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdateCore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ITSMAgent.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RmmService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RmmService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ITSMService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AutoIt3.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: AutoIt3.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AutoIt3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AutoIt3.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: ITSMService.exe, DrvInst.exe, python_x86_Lib.exe, msiexec.exe, RmmService.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | python_x86_Lib.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | ITSMService.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | ITSMService.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions" | RmmService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet." | RmmService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | ITSMService.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (value elided) | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53 | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | ITSMService.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | RmmService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@"%windir%\System32\ie4uinit.exe",-738 = "Start Internet Explorer without ActiveX controls or browser extensions." | RmmService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | python_x86_Lib.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | ITSMService.exe
Modifies registry class 25 IoCs
Processes: msiexec.exe, ITSMService.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CDM | ITSMService.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Version = "151109272" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\ProductIcon = "C:\\Windows\\Installer\\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\\icon.ico" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\ProductName = "Endpoint Manager Communication Client" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Clients = 3a0000000000 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Language = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061\07EFF3737FF5D2942A4FC0A6518D5D30 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\PackageName = "em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07EFF3737FF5D2942A4FC0A6518D5D30 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CDM\proxy = "false" | ITSMService.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07EFF3737FF5D2942A4FC0A6518D5D30\DefaultFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\PackageCode = "D7076E96D3235814DB26ACC95D2BAD84" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\DeploymentFlags = "3" | msiexec.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes: ITSMAgent.exe, ITSMAgent.exe, ITSMAgent.exe
pid | process
1348 | ITSMAgent.exe
788 | ITSMAgent.exe
2468 | ITSMAgent.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: msiexec.exe, ITSMService.exe
pid | process
2616 | msiexec.exe
2616 | msiexec.exe
1340 | ITSMService.exe
1340 | ITSMService.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe, msiexec.exe, vssvc.exe, DrvInst.exe
description | pid | process
Token: SeShutdownPrivilege | 2532 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2532 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeSecurityPrivilege | 2616 | msiexec.exe
Token: SeCreateTokenPrivilege | 2532 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2532 | msiexec.exe
Token: SeLockMemoryPrivilege | 2532 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2532 | msiexec.exe
Token: SeMachineAccountPrivilege | 2532 | msiexec.exe
Token: SeTcbPrivilege | 2532 | msiexec.exe
Token: SeSecurityPrivilege | 2532 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2532 | msiexec.exe
Token: SeLoadDriverPrivilege | 2532 | msiexec.exe
Token: SeSystemProfilePrivilege | 2532 | msiexec.exe
Token: SeSystemtimePrivilege | 2532 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2532 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2532 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2532 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2532 | msiexec.exe
Token: SeBackupPrivilege | 2532 | msiexec.exe
Token: SeRestorePrivilege | 2532 | msiexec.exe
Token: SeShutdownPrivilege | 2532 | msiexec.exe
Token: SeDebugPrivilege | 2532 | msiexec.exe
Token: SeAuditPrivilege | 2532 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2532 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2532 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2532 | msiexec.exe
Token: SeUndockPrivilege | 2532 | msiexec.exe
Token: SeSyncAgentPrivilege | 2532 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2532 | msiexec.exe
Token: SeManageVolumePrivilege | 2532 | msiexec.exe
Token: SeImpersonatePrivilege | 2532 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2532 | msiexec.exe
Token: SeBackupPrivilege | 864 | vssvc.exe
Token: SeRestorePrivilege | 864 | vssvc.exe
Token: SeAuditPrivilege | 864 | vssvc.exe
Token: SeBackupPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2652 | DrvInst.exe (7 identical entries)
Token: SeLoadDriverPrivilege | 2652 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2652 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2652 | DrvInst.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Suspicious use of FindShellTrayWindow 21 IoCs
Processes:
pid    process          events
2532   msiexec.exe      2
1348   ITSMAgent.exe    19
-
Suspicious use of SendNotifyMessage 19 IoCs
Processes:
pid    process          events
1348   ITSMAgent.exe    19
-
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
pid    process            events (in report order)
1340   ITSMService.exe    10
788    ITSMAgent.exe      1
1348   ITSMAgent.exe      1
2468   ITSMAgent.exe      1
1340   ITSMService.exe    4
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
writer (pid)                 -> target (pid)                  events
msiexec.exe (2616)           -> MsiExec.exe (2460)            7
msiexec.exe (2616)           -> MsiExec.exe (1796)            7
MsiExec.exe (1796)           -> cmd.exe (1716)                4
cmd.exe (1716)               -> python_x86_Lib.exe (2412)     7
python_x86_Lib.exe (2412)    -> cmd.exe (2028)                4
ITSMService.exe (1340)       -> ITSMAgent.exe (1348)          4
ITSMService.exe (1340)       -> ITSMAgent.exe (788)           4
ITSMService.exe (1340)       -> ITSMAgent.exe (2468)          4
ITSMService.exe (1340)       -> RmmService.exe (992)          4
RmmService.exe (1596)        -> RmmService.exe (1540)         4
RmmService.exe (1540)        -> cmd.exe (2828)                4
cmd.exe (2828)               -> AutoIt3.exe (2820)            4
AutoIt3.exe (2820)           -> GoogleUpdateCore.exe (2296)   7
Note: 64 events in total. Every parent/child pair in the process tree appears here, because a parent writing its child's startup parameters also satisfies this signature. The pair that matters is AutoIt3.exe (2820) -> GoogleUpdateCore.exe (2296): 2820 is the only process in the tree flagged for SetThreadContext, and 2296 is the only process with a memory dump starting at 0x400000.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (depth in brackets; children are indented under their parent)
-
[1] C:\Windows\system32\msiexec.exe  (PID 2532)
    cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
-
[1] C:\Windows\system32\msiexec.exe  (PID 2616)
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\syswow64\MsiExec.exe  (PID 2460)
        cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 33CF2474294946FC6E8659275E4D03DF
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\syswow64\MsiExec.exe  (PID 1796)
        cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B14C21B2B285295289E9D00E20C7B2C9 M Global\MSI0000
        - Drops file in Windows directory
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 1716)
            cmdline: "C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\COMODO\Endpoint Manager\" && "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe" "
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe  (PID 2412)
                cmdline: "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe"
                - Drops file in Program Files directory
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Modifies data under HKEY_USERS
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\cmd.exe  (PID 2028)
                    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
                    - System Location Discovery: System Language Discovery
-
[1] C:\Windows\system32\vssvc.exe  (PID 864)
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\system32\DrvInst.exe  (PID 2652)
    cmdline: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "00000000000004C0"
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe  (PID 1340)
    cmdline: "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe"
    - Checks for any installed AV software in registry
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe  (PID 1348)
        cmdline: "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
    [2] C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe  (PID 788)
        cmdline: "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe" noui
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
    [2] C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe  (PID 2468)
        cmdline: "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
    [2] C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe  (PID 992)
        cmdline: "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --start
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
-
[1] C:\Windows\system32\wbem\WmiApSrv.exe  (PID 2292)
    cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
-
[1] C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe  (PID 1596)
    cmdline: "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"
    - Drops file in Windows directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe  (PID 1540)
        cmdline: "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --run_procedure --in Global\sharedInputMemory_1 --out Global\sharedOutputMemory_2 --err Global\sharedErrorMemory_3
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2828)
            cmdline: C:\Windows\system32\cmd.exe /c "AutoIt3.exe script.a3x"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\theistically\AutoIt3.exe  (PID 2820)
                cmdline: AutoIt3.exe script.a3x
                - Command and Scripting Interpreter: AutoIT
                - Suspicious use of SetThreadContext
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Checks processor information in registry
                - Suspicious use of WriteProcessMemory
                [5] C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe  (PID 2296)
                    cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
                    - System Location Discovery: System Language Discovery
-
[1] C:\Windows\system32\wbem\WmiApSrv.exe  (PID 3068)
    cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Installer Packages (1)
Downloads
- C:\Config.Msi\f789002.rbs
  Filesize: 711KB
  MD5: 4d323f4a9fbd056b54246c04aeb9e9b5
  SHA1: 61acb6a6da45a4b65d421a793f32cf99046fecbe
  SHA256: 31655aa6f12d6ad8ea425e38a9ed48022fcbdab68514497738caa8d4d1767d66
  SHA512: 952dae2ce15e8e3387c1b19501b76b3dad03b36994f67127090ed5d08956dcb0fde81bcb49a2daefd48c9c3422f5e2800f059ce9b099a0b000635baea34c0c95
- C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe
  Filesize: 3.0MB
  MD5: a5b010d5b518932fd78fcfb0cb0c7aeb
  SHA1: 957fd0c136c9405aa984231a1ab1b59c9b1e904f
  SHA256: 5a137bfe1f0e6fc8a7b6957d5e9f10df997c485e0869586706b566015ff36763
  SHA512: e0ca4b29f01f644ef64669ed5595965b853ae9eaa7c6c7d86df7634437041ef15ceb3c2d1ab9dec4171c80511684a7d7b06fc87b658e5a646699eb9523bc4994
- C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe
  Filesize: 8.4MB
  MD5: 6b4752088a02d0016156d9e778bb5349
  SHA1: bd13b1f7b04e0fe23db6b3e4bd0aa91c810e1745
  SHA256: f64f13bf19726624a9cbaedda03a156597737581d6bc025c24e80517f5cab011
  SHA512: 0fe982b0b551238fc881511cdd0656ee71f22aca3a5e83ef7ce41b3adf603f1be17ba3e2c10797ee3dfb5e15ff1ac3e8cf4e05c657e7c047f302f50baa42ba2d
- C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools-18.2.dist-info\zip-safe
  Filesize: 2B
  MD5: 81051bcc2cf1bedf378224b0a93e2877
  SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
  SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
  SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
- C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-core-file-l1-2-0.dll
  Filesize: 10KB
  MD5: 7d64aefb7e8b31292da55c6e12808cdb
  SHA1: 568c2a19a33bb18a3c6e19c670945630b9687d50
  SHA256: 62a4810420d997c7fdd9e86a42917a44b78fb367a9d3c0a204e44b3ff05de6d4
  SHA512: 68479da21f3a2246d60db8afd2ae3383a430c61458089179c35df3e25ca1a15eba86a2a473e661c1364613baa93dcb38652443eb5c5d484b571ab30728598f9b
- C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-core-file-l2-1-0.dll
  Filesize: 10KB
  MD5: dcd09014f2b8041e89270fecd2c078b2
  SHA1: b9f08affdd9ff5622c16561e6a6e6120a786e315
  SHA256: 6572965fd3909af60310db1e00c8820b2deef4864612e757d3babab896f59ed7
  SHA512: ef2ac73100184e6d80e03ce5aa089dbddb9e2a52adf878c34b7683274f879dcf2b066491cfc666f26453acbd44543d9741f36369015bd5d07e36b49d435751f6
- C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-core-localization-l1-2-0.dll
  Filesize: 13KB
  MD5: 3979437d6817cdf82da474c8a1eefb0d
  SHA1: 5e96fe40993acbc7c2e9a104d51a728950ad872e
  SHA256: 3dd2e16b6f135cdd45bce4065f6493540ebbaf2f7f1553085a2442ea2cf80a10
  SHA512: 4f64c6d232fdae3e7e583cb1aa39878abbfbbc9466108b97a5dce089c35eb30af502b5b212b043c27c1b12b23c165bd2b559060c43d9e2efcdda777b34f0066b
- C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-core-processthreads-l1-1-1.dll
  Filesize: 11KB
  MD5: 4da67feefeb86b58a20b3482b93285b3
  SHA1: 6cd7f344d7ca70cf983caddb88ff6baa40385ef1
  SHA256: 3a5d176b1f2c97bca7d4e7a52590b84b726796191ae892d38ad757fd595f414d
  SHA512: b9f420d30143cf3f5c919fa454616765602f27c678787d34f502943567e3e5dfb068fec8190fea6fa8db70153ed620eb4fe5dc3092f9b35b7d46b00cc238e3ba
- C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-core-timezone-l1-1-0.dll
  Filesize: 11KB
  MD5: 3339350008a663975ba4953018c38673
  SHA1: 78614a1aad7fc83d6999dcc0f467b43693be3d47
  SHA256: 4f77abb5c5014769f907a194fd2e43b3c977df1fb87f8c98dd15a7b950d1e092
  SHA512: a303fd57dd59f478a8d6c66785768886509625a2baf8bf2b357bb249fc93f193ac8c5c2c9193e53738805700e49b941bf741d6c4850a43f29a82424ccdda191b
- C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-convert-l1-1-0.dll
  Filesize: 14KB
  MD5: 392b572dc6275d079270ad8e751a2433
  SHA1: 8347bba17ed3e7d5c2491f2177af3f35881e4420
  SHA256: 347ceeb26c97124fb49add1e773e24883e84bf9e23204291066855cd0baea173
  SHA512: dbdbd159b428d177c5f5b57620da18a509350707881fb5040ac10faf2228c2ccfd6126ea062c5dd4d13998624a4f5745ed947118e8a1220190fdb93b6a3c20b7
- C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-environment-l1-1-0.dll
  Filesize: 11KB
  MD5: 9806f2f88ba292b8542a964c0b102876
  SHA1: c02e1541a264a04963add31d2043fa954b069b6b
  SHA256: cf601a7b883bb4fb87c28b4a1d9f823d2454b298cdbcb4da4f508db8bd1278ba
  SHA512: d68cb926de3caa498ad2aea60e2c5dbb72f30836a6ad9bb11a48f2ca706656981d9332dae44769ccf6f8de3b2ea1507983440afbe1322520f2fd1674cd8de823
- C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-filesystem-l1-1-0.dll
  Filesize: 12KB
  MD5: 1747189e90f6d3677c27dc77382699d8
  SHA1: 17e07200fc40914e9aa5cbfc9987117b4dc8db02
  SHA256: 6cc23b34f63ba8861742c207f0020f7b89530d6cdd8469c567246a5879d62b82
  SHA512: d2cc7223819b9109b7ce2475dfb2a58da78d0d3d606b05b6f24895d2f05fb1b83ee4c1d7a863f3c3488f5d1b014cd5b429070577bd53d00bb1e0a0a9b958f0b1
- C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-heap-l1-1-0.dll
  Filesize: 11KB
  MD5: 1bcb55590ab80c2c78f8ce71eadeb3dc
  SHA1: 8625e6ed37c1a5678c3b4713801599f792dc1367
  SHA256: a3f13fa93131a17e05ad0c4253c34b4db30d15eae2b43c9d7ec56fdc6709d371
  SHA512: d80374ec9b17692b157031f771c6c86dc52247c3298594a936067473528bbb511be4e033203144bbf2ec2acfd7e3e935f898c945eb864dcf8b43ae48e3754439
- C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-runtime-l1-1-0.dll
  Filesize: 15KB
  MD5: 047c779f39ebb4f57020cd5b6fb2d083
  SHA1: 440077fc83d1c756fe24f9fb5eae67c5e4abd709
  SHA256: 078d2551f53ca55715f5c6a045de1260ce331b97fd6d047f8455e06d97ef88dc
  SHA512: 95a57d79c47d11f43796aea8fd1183d3db9448dee60530144b64a2dd3cd863f5b413356076c26101d96dd007ebf8aff9e23cf721ba4e03d932c333b8e5536b73
- C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-stdio-l1-1-0.dll
  Filesize: 16KB
  MD5: 10e9dfc88bf784847e7b9aab82e28d0c
  SHA1: cb750cf87d561ca32f5860854da374dae6c9f2ad
  SHA256: e6bab87156c9e7ae14ce36a754eb6891891a22ddfff584b706538152017fbb0f
  SHA512: 29c2edb44cada75ee8ccae1b55a405c8282c937450913196d54b6da1a1e121451c6e14a92a200574984961fa8c649d8a40caf58ea50a33d42a7dfae4439091c2
- C:\Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-time-l1-1-0.dll
  Filesize: 13KB
  MD5: fa5327c2a3d284385d8dc3d65935604b
  SHA1: a878b7cdf4ad027422e0e2182dad694ed436e949
  SHA256: 704ad27cab084be488b5757395ad5129e28f57a7c6680976af0f096b3d536e66
  SHA512: 473ff715f73839b766b5f28555a861d03b009c6b26c225bc104f4aab4e4ea766803f38000b444d4d433ff9ea68a3f940e66792bae1826781342f475860973816
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log
  Filesize: 33KB
  MD5: 65a146f7dd5563d27a276c30561264dd
  SHA1: 2e36aaf5640721c59483008a313b74bf8f81e957
  SHA256: ad4986f5e2ab72ae8dd621eaba878ee4c06f471f98055f04cdb3b401aa3d9b25
  SHA512: 9ed4475eb8ac3655ceb41b5980c88faa0b7d4ce96230e938ba694ef6cd619f670c1fa098e63e9e1e532726cd11665633917e6ff9d231ffdd8d60801fbca79489
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.2
  Filesize: 33KB
  MD5: c309e2433be5f96acde254312684aee0
  SHA1: 51d1bf62dc09d747d8a684c582461c829e2864f3
  SHA256: bb25cd88c44850ff74e39a11da8ca05f6b620bb129c30fa258e96b70eeb457e1
  SHA512: c78b08f2b18db960eadcaf2d41b2ee5e8f10e623632b429052a31bcfbf568c2bfb5c739d88243f98cfdbc46a5be31519f2b3c0fca8274a73e2dae3728bede607
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.3
  Filesize: 33KB
  MD5: 612bf2cfba447c3875e141e513906ca1
  SHA1: 663fa12be883e279e9409489237e5321ee95843f
  SHA256: b0a69cf675b84e398c8d0936e0bb83a3d341a7734be32642eeb43fb6a957c529
  SHA512: 6567ac12a5a324db6c8b16e1072975554c31f8c0f07aae0abeacc5e974428abbdedcc2e1e773657e8e77c00af199b49f5d8eab7fffa8e17c6fe879b5a5dd44b5
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 33KB
  MD5: 9a04cff65bfd51c076615c118935536a
  SHA1: 8c42aa23e6479c72054534b6ebdc29f7ef5d12f5
  SHA256: 55a02ec11d991ec0a8f22668f7eca74d9fc6ee463d22946201c5eee7140493dd
  SHA512: 0dfeb855ca3337a75c39a009ffac81e95151c1edef6882426cdbb5174671e20fe09277a431b74b495266fbe930bc93bcc70ec362e74ccc80c7a537495fadd2c0
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 33KB
  MD5: 266dffc9f0ec10752ea5abecd3ec6779
  SHA1: e2c3d033710497040761e7c806a02e0f01bc174a
  SHA256: 613a42b7140752d65f99e76a0902c69d31c7368ad23328ef5c24cac62acca687
  SHA512: 5be7e004e27b5a9e1482076515f86c016f1d9c9c9638f5ebbf78cddd57b0d9e4e2fd0c561a01d9db888f0f8990f5a1ad8b44cb246a5182bfafa88090662a9804
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 33KB
  MD5: 0090618c8b916561a8c7cf7c67c8de29
  SHA1: 2faf09a3cb4d6ca801f8884f40e3d072fd4ac426
  SHA256: 1bcf934566cc7087780769e12e70037fbf4b213267e137aacc41e25fc4c9f8e9
  SHA512: 978950c5457a67fabe22dcf8ce85499e600919e33b8dddcf4f3d238f4b69b575e5dff6c7f2b27e21ed1c905024633ec15970fb4f2b414f6d507860737b222e79
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 33KB
  MD5: 1d326a8359b6970132f0007b7aa1d643
  SHA1: ab424cd1ac2957741e70b0951f251f9343ce4457
  SHA256: 383c39c7108b268170476953d881e9765a835c7ed4836f7ff581dd96cb9d5c19
  SHA512: 1a9ca119b2db02da23f1e03767b960df01b7c85ac4662694cdcb975581db7e84dfb2adde166109ca5beae076a1b254b7a18bfcb847cbc99c102ecac1493385ff
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 33KB
  MD5: 13004c24f20710ffbc1d6ca6e412d148
  SHA1: ae08cff43427c001ea91ff08396340540cf5dd54
  SHA256: 205aa2349e946b0fd526c3fc2b115b074bb3186699354d0f6235ab82ea89538b
  SHA512: 8cd701157d5c4a6edcf68fbb83ba32688b97c57e50e752a1449ebd09e62a89509da712106b30180ab9742292dcfa959b14bbbdfcce896d4118437f3f40cd809e
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 33KB
  MD5: 0b1b51f44093eb20bf870d200e98f9a2
  SHA1: e217c8f05511fb87ec333027be220ce1259fdcfe
  SHA256: c34f944c4c07471f480c4d6be30d141d4dd0a9c4236412fa7bd7f46efbbec59e
  SHA512: fbdd41ad3492c8534ea0106fe87a13e50da724da500d59a5aa032e108c1818d3b713a4ff22178d708f1ea56b5667bd203184fadf8329dd5434347014d3692c5a
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 33KB
  MD5: e8dc138c18fd4ea6f1ce3ac65c8c6c89
  SHA1: a096b9a9f3157a27c962496060008abe0d467b01
  SHA256: ce8bd7a610caf271239713a3412a9ad8b84f56707aa7ed7bd57c7f3c71443c47
  SHA512: 84d5ad721cbbd560a3bccad9e565bb351f333cf268a6e40c06325f8d1dc94f077bcd3ba55780b69ac15ca5d7c8597a8b23b8c867ca0ac72659e60149dd38ff00
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 33KB
  MD5: 8ab3abbb33742e8d2b4b7f155ff25482
  SHA1: 1c60a2e6485435e3976e1a0064097fa58e7f56b3
  SHA256: a58996f75160afdef2ceea0bdac2f81393530994e6a28223fd57f363799a306f
  SHA512: caf167cde342763e77fd31264d1adbfae57acdbb63768046d7faf4e737c83f650127585c9aa4c1f3a93e9b8f71fc101ea476e6ae7558777ae90ef590992dc3bc
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 33KB
  MD5: c72d4425c5a868e04bd30524755a0658
  SHA1: 4e56a054dc5c92e7724ce0a7f3dd22dcdc8896da
  SHA256: d203417bfbcf901bb31a81ff15b902e5cc61422492933f408b116c9e77b2292a
  SHA512: 10017edcc335a686d3b004e15c1ce07d58197219b2ead5c7f9b0ca4937b6f39b5f6de925f047a19e8009ece65b95a8e75d86dbc9550b8a3f26a10ad945f2186a
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 32KB
  MD5: 8c0dbc925b04d4e4b4faec84ff785f62
  SHA1: 96dea61050b15f8bea7bcac52068b7e6c98581dc
  SHA256: 7ec9d7deddb7adc8968ddc1a005f7c4b3ac7298938407e6ddb890408771c1d51
  SHA512: f847a390bf80ff58d24a2bbdc626edca13d6021f24f88a20238d90686391b32e8b04d5bfa17019ad06d93020931864ff3a4b8d50f946d4420a6b7e9a10ce3e73
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 33KB
  MD5: 5964c19317dbccc04b5579244480bb14
  SHA1: d1bf80bc9f427894e887f8b972488cfcc8dd7bc4
  SHA256: cfc559fbe0fc757ec349073eacb49f49fe6087f59f31709c91de71b635be8acb
  SHA512: ec0368431146ed87cfc3285aca6665a366d6768b2cafada41bd99f8898a34308404c90618a072d8d8ac057f4d4b9b7639fde72f30eb95c9ea0e0ee1884688b28
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 33KB
  MD5: 8ecd999b13c0c91744e671cfeb80b1a4
  SHA1: 3f457202afaf8ad98b90b54e83d0f0f80366eed0
  SHA256: 65c2611eacb89f78f7c3fdf304c7dc97fd01bf4eb22f028042340cfe88c6600e
  SHA512: 98650221a1c7bc9a48f18999a5969d6a3f3014c0275f0993b1501351ea0b447b77080cd038532a25fa1ed609a2953be348ada0f40a5592e202bd7bd5b670d9d2
- C:\Program Files (x86)\COMODO\Endpoint Manager\ucrtbase.DLL
  Filesize: 1.1MB
  MD5: 126fb99e7037b6a56a14d701fd27178b
  SHA1: 0969f27c4a0d8270c34edb342510de4f388752cd
  SHA256: 10f8f24aa678db8e38e6917748c52bbcd219161b9a07286d6f8093ab1d0318fa
  SHA512: d787a9530bce036d405988770621b6f15162347a892506ce637839ac83ac6c23001dc5b2292afd652e0804bd327a7536d5f1b92412697c3be335a03133d5fe17
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
  Filesize: 765B
  MD5: fff2cc217cec93b9b4e91ea34e23efaa
  SHA1: c6a7f0e18796e1c6b789ec9fb7e98fbc639bc1df
  SHA256: 9bd2f914e637e30ba764c0af86102be829546122e443b30588e5e9723a15873b
  SHA512: f426e383b51806458533ddd15e4aec6cddde1acf497b8a84542818c4dffa3b5c21093a075a79a8e46ce5ddf6d16be9ed66c339724c63f76c6be7bd048cef5a3a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784
  Filesize: 637B
  MD5: f29448db915ce12024c00f8db2735a37
  SHA1: 8c42cc59bf9684c8913d77b6481d6f9a35291fe2
  SHA256: 1220fbb03d07705373e10fff29e767a41a523ff3bbd1280f1e6c313421bd6930
  SHA512: 932aa9847dc8630259827605dbf4cca4a778fda7ae164b814d6d552086812395441389179094c01c0225477aafdf9f3e2daa235e5884cf6eba01d32ee54b6b01
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
  Filesize: 1KB
  MD5: 8991f83c49d2736793a0c917c3d8ae4d
  SHA1: 71752a06511633fcb9d2df14b507e555e4d1b17a
  SHA256: a94ee10e4836486a24b1020e70055b440e46b52913a6e9cd66d0cae467276990
  SHA512: 6fedbb05506b87ca954be1e413a1ca2824ae3b060242e89a1002a06d6549838f2d9e09768a878211a1929ef9cd260415bb061a8a28d16ee6e647780fc7e8b3cd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013
  Filesize: 484B
  MD5: 143277119f5b776602cb6e066a592ef9
  SHA1: d71bc83bb1887788dc9343ff1ca4e46c3d99302a
  SHA256: 1f3a5dedfc14a1601a198a160c73f737c729b9ae24d663daa065da4b5cc58b5e
  SHA512: bcf6365797b2beb39665946591bcbaa46866226383ef1d56e83d1050c3db423775df1ca6ddde0880050675bfeae8f5e4ed2de71b70c5efd7235a0a4d4c7f12a2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784
  Filesize: 480B
  MD5: 9493968fd466bbe91a581c59bbabc7f3
  SHA1: 92ecf33c08abcc0c4f639b5e9ca1690844d055be
  SHA256: 26bf160842112d4ad74ac220d88f467b1bf4c2b877dabef525803ddbb0dc167a
  SHA512: d24ec47225b91f95bf01d4e43b812d0408ac122c957bd36b05ed4f5c18231b8cbd0f94ed18de8743f909c5737b7cf069bf35c29139ea961323a90216466c621b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: bfdc1b8228c0011487de1f74135e365e
  SHA1: d577fa41126bee00d798c1bb1ee3614c51ae33c0
  SHA256: e45ca302e9048419044b4ca466611f0b2610c2a1173ff8fc1c31378f40633ac6
  SHA512: e0848fd1747112c8e8584a92a588a23c4f9b00fd84e144da6e9e98445daea019de653bc746020a51fe2214bb2c9b60d0852c9453740199d039e30fd5cd8601fb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
  Filesize: 482B
  MD5: 20319835c12d04ca96bc49027d3d61f0
  SHA1: e4c2084e4b2ea1200e4cdfa82d7cde5f83e6b6d1
  SHA256: ef8f3c8c93799e69900d90fa63ccc19f614e7f808ce2e0876dd8a35987cf3dce
  SHA512: 94b5da867413fca1a514937a948de4704b07a9e21461906d500ea195e81479738d34015d4e1ed754f84becc2ec6f85642f5eb973c795c3b4a63490f5389853ca
- C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
  Filesize: 226B
  MD5: feceaa82323f9de4d3578592d22f857d
  SHA1: 4c55c509e6d16466d1d4c31a0687ededf2eabc9a
  SHA256: 61480b43136b02965f59e3256b8de1bf35caa7c084a7bcb3ed5f4236451d4484
  SHA512: 82dac003d30eed4fc4e06ab4a426c9b7f355d777c243b710c5c0d3afc4c26d93874af2d0a542fca4a2038050b0d0fa8f63ed82e5f2771ae8a4de0f3b08d56d45
- C:\Users\Admin\AppData\Local\Temp\Cab2906.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- C:\Users\Admin\AppData\Local\Temp\Tar2918.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- C:\Windows\Installer\MSI96D5.tmp
  Filesize: 285KB
  MD5: 82d54afa53f6733d6529e4495700cdd8
  SHA1: b3e578b9edde7aaaacca66169db4f251ee1f06b3
  SHA256: 8f4894b9d19bfe5d8e54b5e120cef6c69abea8958db066cdd4905cc78ecd58b6
  SHA512: 22476e0f001b6cf37d26e15dfb91c826c4197603ea6e1fbb9143c81392e41f18fa10a2d2d1e25425baaf754bff7fd179ef1df34966c10985e16d9da12a445150
- C:\Windows\Installer\MSI9BA6.tmp
  Filesize: 203KB
  MD5: d53b2b818b8c6a2b2bae3a39e988af10
  SHA1: ee57ec919035cf8125ee0f72bd84a8dd9e879959
  SHA256: 2a81878be73b5c1d7d02c6afc8a82336d11e5f8749eaacf54576638d81ded6e2
  SHA512: 3aaf8b993c0e8f8a833ef22ed7b106218c0f573dcd513c3609ead4daf90d37b7892d901a6881e1121f1900be3c4bbe9c556a52c41d4a4a5ec25c85db7f084d5e
- \Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-core-synch-l1-2-0.dll
  Filesize: 11KB
  MD5: c250b2e4ff04d22306bf8ce286afd158
  SHA1: e5c60b7892ff64cbff02d551f9dbf25218c8195b
  SHA256: 42367b6b7285bddc185c0badefe49e883646f574b1d7d832c226f2d1ce489c5b
  SHA512: a78c4ddf98330698c9da8d1d2c7c3176f22dfabf0900008cff1f294f56a2a14b52becd09ba37a065d544f58617911b3f5850614b5aabd0ec7daf236f29c9b10b
- \Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-locale-l1-1-0.dll
  Filesize: 11KB
  MD5: 7481e20041cf8e366d737962d23ec9de
  SHA1: a13c9a2d6cf6c92050eaae5ecb090a401359d992
  SHA256: 4615ec9effc0c27fc0cfd23ad9d87534cbe745998b7d318ae84ece5ea1338551
  SHA512: f7a8e381d1ac2704d61258728a9175834cf414f7f2ff79bd8853e8359d6468839585cb643f0871334b943b0f7b0d868e077f6bd3f61668e54785ee8b94bf7903
- \Program Files (x86)\COMODO\Endpoint Manager\api-ms-win-crt-string-l1-1-0.dll
  Filesize: 17KB
  MD5: 1f1d50aa4553e77f6b90ae13bd56a95c
  SHA1: cf421a298f485c2a000791e1840ededeea19bad0
  SHA256: d343529d2a49cbb89d644deafce573b873ab45e0bf57e2d906b2f2a964d7bd9a
  SHA512: a08bdcc2883066a8bdb9336eec5c7f8593202c367ce75a7d7390ed4c6e0e1dbe80b7afadeee78f12ac0386d70ac360af12bf0ff3285acda0425789038951f180
- \Program Files (x86)\COMODO\Endpoint Manager\log4cplusU.dll
  Filesize: 471KB
  MD5: 0b03f7123e8bc93a38d321a989448dcc
  SHA1: fc8bfdf092cdd6b9c1ec3b90389c035c37e50bd7
  SHA256: a7fbfdb3100c164f139e9d0ebcf47282308e5173ab610dcb20a05b6e0615b54b
  SHA512: 6d00c65111c0f389ad189178705ed04712b2c6de8918f58de7c3747126a4b4e50b4a73525cc0993af02d35323b1430f34baf6f99712df822d6cdc63e24ed7ae5
- \Program Files (x86)\COMODO\Endpoint Manager\msvcp140.dll
  Filesize: 426KB
  MD5: 8ff1898897f3f4391803c7253366a87b
  SHA1: 9bdbeed8f75a892b6b630ef9e634667f4c620fa0
  SHA256: 51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad
  SHA512: cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03
- \Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe
  Filesize: 7.2MB
  MD5: dcebee7bb4e8b046b229edc10ded037f
  SHA1: f9bdf0b478e21389800542165f721e5018d8eb29
  SHA256: 2eb0eefab534217953744c2cc36de2e1a1ced6ea882734e7b1f4b34a0b19689b
  SHA512: 9827600a19da5a816f1b0d93aa2629cb48f13f6e5fc42cd44bb1031ecd2e942854b34e7da44335acb85e42c44b1e720e9da8bc1d9ad23a9b1de0190f026f4d30
- \Program Files (x86)\COMODO\Endpoint Manager\vcruntime140.dll
  Filesize: 74KB
  MD5: 1a84957b6e681fca057160cd04e26b27
  SHA1: 8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe
  SHA256: 9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5
  SHA512: 5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa
- memory/1340-5180-0x00000000015F0000-0x000000000163C000-memory.dmp
  Filesize: 304KB
- memory/1348-5116-0x0000000000850000-0x000000000085A000-memory.dmp
  Filesize: 40KB
- memory/1348-5115-0x0000000000850000-0x000000000085A000-memory.dmp
  Filesize: 40KB
- memory/1348-5132-0x0000000000880000-0x000000000088A000-memory.dmp
  Filesize: 40KB
- memory/1348-5131-0x0000000000880000-0x000000000088A000-memory.dmp
  Filesize: 40KB
- memory/1348-5508-0x0000000000880000-0x000000000088A000-memory.dmp
  Filesize: 40KB
- memory/1348-5509-0x0000000000880000-0x000000000088A000-memory.dmp
  Filesize: 40KB
- memory/2296-5608-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
- memory/2296-5609-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
- memory/2468-5137-0x0000000000180000-0x000000000018A000-memory.dmp
  Filesize: 40KB
- memory/2468-5158-0x00000000002B0000-0x00000000002BA000-memory.dmp
  Filesize: 40KB
- memory/2468-5157-0x00000000002B0000-0x00000000002BA000-memory.dmp
  Filesize: 40KB
- memory/2468-5161-0x00000000002B0000-0x00000000002B6000-memory.dmp
  Filesize: 24KB
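The Downloads list mixes three kinds of entries: dropped executables and DLLs whose hashes are stable, log files that were re-hashed as they grew (the twelve Rmm_Proxy_dll.log.4 entries all carry different digests, so the path is the indicator, not the hash), and memory dumps whose names encode pid, sequence number and address range. The two PID 2296 dumps start at 0x400000, the linker's default image base for a 32-bit executable, which makes them the region to pull first when looking for the code injected into GoogleUpdateCore.exe. The block below is an added example, not part of the report or of any tool it names: it parses a listing in the layout used above (a path line, then Filesize / MD5 / SHA1 / SHA256 / SHA512 lines) and also tolerates the raw export form in which the label is fused to the value, then separates stable from volatile hashes and picks out image-base dump regions. SAMPLE is constructed from a few of the report's own entries; the stable/volatile split and the 0x400000 heuristic are this example's own choices.

```python
"""Turn a sandbox report's Downloads listing into usable IoCs.

Added example, not part of the report. Handles both "MD5: <hex>" and the raw
export form "MD5<hex>" / "<path>Filesize" + "<size>" on the next line.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Set, Tuple

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^(?:Filesize\s*:?\s*)?(\d+(?:\.\d+)?\s*[KMG]?B)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class FileIoc:
    path: str
    size: str = ""
    hashes: Dict[str, str] = field(default_factory=dict)


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int


# Constructed sample: a handful of the report's own entries, the third one
# deliberately left in the fused raw-export form.
SAMPLE = r"""
- C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe
  Filesize: 3.0MB
  MD5: a5b010d5b518932fd78fcfb0cb0c7aeb
  SHA1: 957fd0c136c9405aa984231a1ab1b59c9b1e904f
  SHA256: 5a137bfe1f0e6fc8a7b6957d5e9f10df997c485e0869586706b566015ff36763
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4
  Filesize: 33KB
  SHA256: 55a02ec11d991ec0a8f22668f7eca74d9fc6ee463d22946201c5eee7140493dd
- C:\Program Files (x86)\COMODO\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4Filesize
  32KB
  SHA2567ec9d7deddb7adc8968ddc1a005f7c4b3ac7298938407e6ddb890408771c1d51
- memory/2296-5608-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
- memory/2296-5609-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
- memory/1340-5180-0x00000000015F0000-0x000000000163C000-memory.dmp
  Filesize: 304KB
"""


def parse_listing(text: str) -> Tuple[List[FileIoc], List[Region]]:
    """Walk the listing line by line; a dump name or a new path starts a new record."""
    files: List[FileIoc] = []
    regions: List[Region] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-"):
            line = line[1:].strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(Region(int(pid), int(seq), int(start, 16), int(end, 16)))
            cur = None                      # the Filesize line that follows belongs to the dump
            continue
        m = HASH_RE.match(line)
        if m:
            alg, digest = m.group(1), m.group(2).lower()
            if cur is not None and len(digest) == HASH_LEN[alg]:   # drop truncated/mislabelled digests
                cur.hashes[alg] = digest
            continue
        m = SIZE_RE.match(line)
        if m:
            if cur is not None and not cur.size:
                cur.size = m.group(1).replace(" ", "")
            continue
        cur = FileIoc(path=re.sub(r"Filesize$", "", line).strip())
        files.append(cur)
    return [f for f in files if f.hashes], regions


def _sha256_by_path(files: List[FileIoc]) -> Dict[str, Set[str]]:
    seen: Dict[str, Set[str]] = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            seen[f.path].add(f.hashes["SHA256"])
    return seen


def stable_hashes(files: List[FileIoc]) -> Dict[str, str]:
    """path -> SHA256 for every path that hashed to exactly one value."""
    return {p: next(iter(h)) for p, h in _sha256_by_path(files).items() if len(h) == 1}


def volatile_paths(files: List[FileIoc]) -> Dict[str, int]:
    """Paths hashed to several values during the run (files written while the
    sandbox watched); only the path is an indicator, the digests are not."""
    return {p: len(h) for p, h in _sha256_by_path(files).items() if len(h) > 1}


def region_size_kb(r: Region) -> int:
    return (r.end - r.start) // 1024


def image_base_regions(regions: List[Region], base: int = 0x400000) -> List[Region]:
    """Dumps starting at the default 32-bit image base, one per (pid, range):
    the first region to pull when a process is suspected of having been hollowed."""
    seen: Set[Tuple[int, int, int]] = set()
    out: List[Region] = []
    for r in regions:
        key = (r.pid, r.start, r.end)
        if r.start == base and key not in seen:
            seen.add(key)
            out.append(r)
    return out


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for path, digest in stable_hashes(files).items():
        print("stable  ", digest, path)
    for path, n in volatile_paths(files).items():
        print("volatile", f"{n} distinct hashes", path)
    for r in image_base_regions(regions):
        print("dump    ", f"pid {r.pid} seq {r.seq} {region_size_kb(r)}KB @ {r.start:#x}")
```

The size check in parse_listing (`len(digest) == HASH_LEN[alg]`) matters for the fused form: without it a line such as `SHA1957fd0...` could be accepted with a wrong label if the export ever truncated a digest. The digest lengths of the sample match the page's own values (356KB and 304KB for the two dumps computed from their address ranges), which is a cheap consistency check on any report before its hashes are loaded into a blocklist.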