Analysis
max time kernel: 1199s
max time network: 1178s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-08-2024 15:36
Static task: static1
Behavioral task: behavioral1
  Sample: em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
  Resource: win7-20240704-en
Behavioral task: behavioral3
  Sample: em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
  Resource: win10v2004-20240802-en
Behavioral task: behavioral4
  Sample: em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
  Resource: win11-20240802-en
General
Target: em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
Size: 94.2MB
MD5: f740670bd608f6a564366606e0bba8da
SHA1: c635e8453bf0f06c34d41d3319670e5dc966a5f4
SHA256: ba3cdc5190b44da96e5ecb5f39e2cbe3713984dc8062cdab679c759de51500b1
SHA512: 88f1e800265e4e72f914e50240a6a7cca630ea4bcd6981be13237cc6f42b182741542b907737490a367453c179ace55fb64c3e0fb2cb6ecf1bace7a442458e0e
SSDEEP: 1572864:SX+lBWb7cVOxi2CDRq/SUx6EIL2CjmFkm+pF7Vxo81MOL9vh12epl37cTLiAhRLh:nLYxsRq/76L2CjmCZpRXouxvD6LbhRHJ
Malware Config
Extracted
lumma
https://swinngydisaosp.shop/api
https://writerospzm.shop/api
https://deallerospfosu.shop/api
https://bassizcellskz.shop/api
https://mennyudosirso.shop/api
https://languagedscie.shop/api
https://complaintsipzzx.shop/api
https://quialitsuzoxm.shop/api
https://tenntysjuxmz.shop/api
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Endpoint Manager = "C:\\Program Files (x86)\\COMODO\\Endpoint Manager\\ITSMAgent.exe" | msiexec.exe
Blocklisted process makes network request (3 IoCs)
flow | pid | Process
5 | 3292 | msiexec.exe
14 | 3292 | msiexec.exe
29 | 3292 | msiexec.exe
Checks for any installed AV software in registry (1 TTPs, 8 IoCs)
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS | ITSMService.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm | ITSMService.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\ | ITSMService.exe
Delete value | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity | ITSMService.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity | ITSMService.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm | ITSMService.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm | ITSMService.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS | ITSMService.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
Command and Scripting Interpreter: AutoIT (1 TTPs, 1 IoC)
Uses AutoIt, possibly to run an automation script.
pid | Process
6088 | AutoIt3.exe
Drops file in System32 directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | ITSMService.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E455012CBF4BA8A2AC67618C00590908 | ITSMService.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | ITSMService.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | ITSMService.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | ITSMService.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E455012CBF4BA8A2AC67618C00590908 | ITSMService.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 6088 set thread context of 2680 | 6088 | AutoIt3.exe | 132
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\uk.msg | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Johnston | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\ApplicationManagement.dll | msiexec.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\email\header.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\idlelib\README.txt | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\lockfile\__init__.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\bisect.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\hotshot\log.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\EST | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\demos\samples\SText.tcl | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\bitmaps\openfile.xbm | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\DLLs\_ctypes_test.pyd | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\encodings\koi8_r.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\encoding\cp1255.enc | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Pitcairn | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\models.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Tallinn | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\encodings\cp932.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\lib2to3\fixes\fix_imports.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\lib2to3\Grammar.txt | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\cachecontrol\filewrapper.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\nb.msg | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Rankin_Inlet | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\distutils\versionpredicate.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\encodings\cp863.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\chardet\compat.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\packages\chardet\jpcntx.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\pref | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\commands\freeze.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Saigon | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Rarotonga | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\xml\dom\NodeFilter.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Canada\Atlantic | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\demos\samples\FileDlg.tcl | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\lib2to3\fixes\fix_types.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools\dist.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\setuptools\__init__.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Mendoza | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\Porto-Novo | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\demos\samples\SWindow.tcl | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tkstub85.lib | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\distutils\command | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\anydbm.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\idlelib\README.txt | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\bitmaps\cbxarrow.xbm | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\req\req_file.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Anchorage | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Creston | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Guadalcanal | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Copenhagen | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tix8.4.3\FloatEnt.tcl | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\distutils\cmd.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\pip\index.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\msgs\es_pr.msg | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Moncton | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\site-packages\gyp-0.1-py2.7.egg\gyp\easy_xml.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tcl8.5\tzdata\America\Shiprock | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\distutils\extension.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\email\feedparser.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\opcode.py | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\quopri.py | python_x86_Lib.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\tk8.5\demos\menu.tcl | python_x86_Lib.exe
File created | C:\Program Files (x86)\COMODO\Endpoint Manager\lib\linecache.pyc | RmmService.exe
File opened for modification | C:\Program Files (x86)\COMODO\Endpoint Manager\Lib\msilib\text.py | python_x86_Lib.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\icon.ico | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEEFB.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{373FFE70-5FF7-492D-A2F4-0C6A15D8D503} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID891.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE073.tmp | msiexec.exe
File created | C:\Windows\Installer\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\icon.ico | msiexec.exe
File created | C:\Windows\Installer\e57d282.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID5EE.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDFE5.tmp | msiexec.exe
File created | C:\Windows\Installer\wix{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}.SchedServiceConfig.rmi | MsiExec.exe
File opened for modification | C:\Windows\Installer\MSIF6CC.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e57d282.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID513.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID7E3.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID852.tmp | msiexec.exe
File created | C:\Windows\Installer\e57d284.msi | msiexec.exe
Executes dropped EXE (9 IoCs)
pid | Process
4748 | python_x86_Lib.exe
1336 | ITSMService.exe
4600 | ITSMAgent.exe
4128 | ITSMAgent.exe
1056 | ITSMAgent.exe
1504 | RmmService.exe
332 | RmmService.exe
5696 | RmmService.exe
6088 | AutoIt3.exe
Loads dropped DLL (64 IoCs)
pid | Process
4348 | MsiExec.exe
4348 | MsiExec.exe
4348 | MsiExec.exe
4348 | MsiExec.exe
4568 | MsiExec.exe
4568 | MsiExec.exe
4568 | MsiExec.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
4600 | ITSMAgent.exe
4600 | ITSMAgent.exe
4600 | ITSMAgent.exe
4600 | ITSMAgent.exe
4600 | ITSMAgent.exe
4600 | ITSMAgent.exe
4128 | ITSMAgent.exe
4128 | ITSMAgent.exe
4128 | ITSMAgent.exe
4128 | ITSMAgent.exe
4128 | ITSMAgent.exe
4128 | ITSMAgent.exe
4600 | ITSMAgent.exe
4128 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
4600 | ITSMAgent.exe
1056 | ITSMAgent.exe
4600 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
4568 | MsiExec.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1504 | RmmService.exe
1504 | RmmService.exe
1504 | RmmService.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
pid | Process
3292 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | python_x86_Lib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ITSMAgent.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ITSMAgent.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AutoIt3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ITSMService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ITSMAgent.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdateCore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RmmService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RmmService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RmmService.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AutoIt3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AutoIt3.exe
Modifies data under HKEY_USERS (56 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53\Blob = 03000000010000001400000040cef3046c916ed7ae557f60e76842828b51de5314000000010000001400000017d9d6252767f931c24943d93036448c6ca94feb040000000100000010000000886ea78b530e0fd5bda4e12527ab6a2c0f00000001000000300000005d2164164eb6f3820b9b8d7a5601b60ebf70d832d2029c6c3c966db107dfcb1ba12a25700f26ca3d5b36e4a6cb576cfa19000000010000001000000092a08f142bb795a2197a0d3c7af066f55c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001d0600003082061930820401a0030201020210137d539caa7c31a9a433701968847a8d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a308195310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313d303b060355040313345365637469676f20525341204f7267616e697a6174696f6e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a02820101009c930246454a524892fc578df92dea53beb32cd5d8a8a5ec5b6903c01d10f65933defe0748a8e88c7a674af1f58dc33766d03291f7c49d0460c4b54ae2838ba7ae26d45d3a5ef8d11671bb8abd71a27dc8cea26024b052a03a4551de78936c6260f1e4569cb73bf73c55d8dfd57a317c357f125170e12cbe04accbfa4fe17c656ac040a7d97ca5638419e1f7caefaab4e8585ad999e326df8e12b2b8dc33b236da141d965842406e0b22851c5122aec4c806456d92e667b71923e4d8366b85d07fc752e3cfb07501e089b4a8bf8a364ea3e06ceb8441cea52f482213975062451e09a5cc9f6c57704006db20e81bd6f3938ba7329eb7441509d7affd7c011cdb0203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e0416041417d9d6252767f931c24943d93036448c6ca94feb300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c050003820201004e134096c9c3e66e5bc0e3baf417e1ae091fc9bfcb0c2516f27353b3761ab7ab4806d6cd007c204543456c165a1b1361d749baa402a4ace8cece2dc92a74a3dcdeaeabd06836f891af3c01f777d50bcf97abeb87e715a8fa305a617120b1c043c4b98f6d8a31eb153624fb62d50b9c8fe966bde661519793b61d87bdb0b56cfea6112906613431303d20277351d0de8583d37739204696daa7c65a162785b2cf4e0f4e8c5cbebe3800f84bf9727bd4f27ad7a22985d004bad3422c5188522ed13d246747ec55cc1bf4ca34ea26c1deddc42189f6ba7b321e8e965e844538cf80aa37698b6017741548919c6df04ea377ca1b1c48faf9cf49e85f4f850ae28f901bab704c9aebb7a63fb4ac5da45fcfe6d88a9690f74f268160765d0f247791b32a319f165ab25d8c1c29aa489c8e6fd3784070db77ecdde3d15705702de64998880584620570567686394ed3226f1dfe6df10eb362c43ccbc085b9611ebae1158059940cae05bb8c7f56be1cd25abf97f26a4cb0c67076b0908dc10b36b911d8d6285cea4ffe24b7180a9b0cd0c17c5cfb69bdcca24dc690bca64df2b1bad69a675b960252d082f9c40a5c0d28e03fc8fa959589d5a4be496c40b23ea86bb8d525b2c4fef1d3d7e7d6dc43017630fb3b8b5df74a897c9a35befccaf05701f08d3fa087327b475a974b82d266c2c42dea3f24f4a7f9a8b9e36ad91861a03b8c15 | ITSMService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | python_x86_Lib.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | ITSMService.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | ITSMService.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | ITSMService.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | ITSMService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | python_x86_Lib.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | python_x86_Lib.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | ITSMService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | python_x86_Lib.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | ITSMService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | python_x86_Lib.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\40CEF3046C916ED7AE557F60E76842828B51DE53 | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | ITSMService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | ITSMService.exe
Modifies registry class (25 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\ProductIcon = "C:\\Windows\\Installer\\{373FFE70-5FF7-492D-A2F4-0C6A15D8D503}\\icon.ico" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07EFF3737FF5D2942A4FC0A6518D5D30 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CDM | ITSMService.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Version = "151109272" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\PackageName = "em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Media\1 = ";" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Clients = 3a0000000000 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\07EFF3737FF5D2942A4FC0A6518D5D30\DefaultFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\PackageCode = "D7076E96D3235814DB26ACC95D2BAD84" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\Language = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061\07EFF3737FF5D2942A4FC0A6518D5D30 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CDM\proxy = "false" | ITSMService.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\ProductName = "Endpoint Manager Communication Client" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\07EFF3737FF5D2942A4FC0A6518D5D30\SourceList\Media | msiexec.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid | Process
4600 | ITSMAgent.exe
4128 | ITSMAgent.exe
1056 | ITSMAgent.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4624 | msiexec.exe
4624 | msiexec.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3292 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3292 | msiexec.exe
Token: SeSecurityPrivilege | 4624 | msiexec.exe
Token: SeCreateTokenPrivilege | 3292 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3292 | msiexec.exe
Token: SeLockMemoryPrivilege | 3292 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3292 | msiexec.exe
Token: SeMachineAccountPrivilege | 3292 | msiexec.exe
Token: SeTcbPrivilege | 3292 | msiexec.exe
Token: SeSecurityPrivilege | 3292 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3292 | msiexec.exe
Token: SeLoadDriverPrivilege | 3292 | msiexec.exe
Token: SeSystemProfilePrivilege | 3292 | msiexec.exe
Token: SeSystemtimePrivilege | 3292 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3292 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3292 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3292 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3292 | msiexec.exe
Token: SeBackupPrivilege | 3292 | msiexec.exe
Token: SeRestorePrivilege | 3292 | msiexec.exe
Token: SeShutdownPrivilege | 3292 | msiexec.exe
Token: SeDebugPrivilege | 3292 | msiexec.exe
Token: SeAuditPrivilege | 3292 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3292 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3292 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3292 | msiexec.exe
Token: SeUndockPrivilege | 3292 | msiexec.exe
Token: SeSyncAgentPrivilege | 3292 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3292 | msiexec.exe
Token: SeManageVolumePrivilege | 3292 | msiexec.exe
Token: SeImpersonatePrivilege | 3292 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3292 | msiexec.exe
Token: SeBackupPrivilege | 3628 | vssvc.exe
Token: SeRestorePrivilege | 3628 | vssvc.exe
Token: SeAuditPrivilege | 3628 | vssvc.exe
Token: SeBackupPrivilege | 4624 | msiexec.exe
Token: SeRestorePrivilege | 4624 | msiexec.exe
Token: SeRestorePrivilege | 4624 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4624 | msiexec.exe
Token: SeRestorePrivilege | 4624 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4624 | msiexec.exe
Token: SeBackupPrivilege | 3740 | srtasks.exe
Token: SeRestorePrivilege | 3740 | srtasks.exe
Token: SeSecurityPrivilege | 3740 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 3740 | srtasks.exe
Token: SeRestorePrivilege | 4624 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4624 | msiexec.exe
Token: SeRestorePrivilege | 4624 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4624 | msiexec.exe
Token: SeRestorePrivilege | 4624 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4624 | msiexec.exe
Token: SeRestorePrivilege | 4624 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4624 | msiexec.exe
Token: SeBackupPrivilege | 3740 | srtasks.exe
Token: SeRestorePrivilege | 3740 | srtasks.exe
Token: SeSecurityPrivilege | 3740 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 3740 | srtasks.exe
Token: SeRestorePrivilege | 4624 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4624 | msiexec.exe
Token: SeRestorePrivilege | 4624 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4624 | msiexec.exe
Token: SeRestorePrivilege | 4624 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4624 | msiexec.exe
Token: SeShutdownPrivilege | 4568 | MsiExec.exe
Suspicious use of FindShellTrayWindow 22 IoCs
pid | Process
3292 | msiexec.exe
1056 | ITSMAgent.exe
3292 | msiexec.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
Suspicious use of SendNotifyMessage 20 IoCs
pid | Process
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
1056 | ITSMAgent.exe
Suspicious use of SetWindowsHookEx 17 IoCs
pid | Process
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
4600 | ITSMAgent.exe
4128 | ITSMAgent.exe
1056 | ITSMAgent.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
1336 | ITSMService.exe
Suspicious use of WriteProcessMemory 43 IoCs
description | pid | Process | procid_target
PID 4624 wrote to memory of 3740 | 4624 | msiexec.exe | 101
PID 4624 wrote to memory of 3740 | 4624 | msiexec.exe | 101
PID 4624 wrote to memory of 4348 | 4624 | msiexec.exe | 104
PID 4624 wrote to memory of 4348 | 4624 | msiexec.exe | 104
PID 4624 wrote to memory of 4348 | 4624 | msiexec.exe | 104
PID 4624 wrote to memory of 4568 | 4624 | msiexec.exe | 105
PID 4624 wrote to memory of 4568 | 4624 | msiexec.exe | 105
PID 4624 wrote to memory of 4568 | 4624 | msiexec.exe | 105
PID 4568 wrote to memory of 4880 | 4568 | MsiExec.exe | 106
PID 4568 wrote to memory of 4880 | 4568 | MsiExec.exe | 106
PID 4568 wrote to memory of 4880 | 4568 | MsiExec.exe | 106
PID 4880 wrote to memory of 4748 | 4880 | cmd.exe | 108
PID 4880 wrote to memory of 4748 | 4880 | cmd.exe | 108
PID 4880 wrote to memory of 4748 | 4880 | cmd.exe | 108
PID 4748 wrote to memory of 4800 | 4748 | python_x86_Lib.exe | 109
PID 4748 wrote to memory of 4800 | 4748 | python_x86_Lib.exe | 109
PID 4748 wrote to memory of 4800 | 4748 | python_x86_Lib.exe | 109
PID 1336 wrote to memory of 4600 | 1336 | ITSMService.exe | 112
PID 1336 wrote to memory of 4600 | 1336 | ITSMService.exe | 112
PID 1336 wrote to memory of 4600 | 1336 | ITSMService.exe | 112
PID 1336 wrote to memory of 4128 | 1336 | ITSMService.exe | 113
PID 1336 wrote to memory of 4128 | 1336 | ITSMService.exe | 113
PID 1336 wrote to memory of 4128 | 1336 | ITSMService.exe | 113
PID 1336 wrote to memory of 1056 | 1336 | ITSMService.exe | 114
PID 1336 wrote to memory of 1056 | 1336 | ITSMService.exe | 114
PID 1336 wrote to memory of 1056 | 1336 | ITSMService.exe | 114
PID 1336 wrote to memory of 1504 | 1336 | ITSMService.exe | 124
PID 1336 wrote to memory of 1504 | 1336 | ITSMService.exe | 124
PID 1336 wrote to memory of 1504 | 1336 | ITSMService.exe | 124
PID 332 wrote to memory of 5696 | 332 | RmmService.exe | 127
PID 332 wrote to memory of 5696 | 332 | RmmService.exe | 127
PID 332 wrote to memory of 5696 | 332 | RmmService.exe | 127
PID 5696 wrote to memory of 6072 | 5696 | RmmService.exe | 129
PID 5696 wrote to memory of 6072 | 5696 | RmmService.exe | 129
PID 5696 wrote to memory of 6072 | 5696 | RmmService.exe | 129
PID 6072 wrote to memory of 6088 | 6072 | cmd.exe | 130
PID 6072 wrote to memory of 6088 | 6072 | cmd.exe | 130
PID 6072 wrote to memory of 6088 | 6072 | cmd.exe | 130
PID 6088 wrote to memory of 2680 | 6088 | AutoIt3.exe | 132
PID 6088 wrote to memory of 2680 | 6088 | AutoIt3.exe | 132
PID 6088 wrote to memory of 2680 | 6088 | AutoIt3.exe | 132
PID 6088 wrote to memory of 2680 | 6088 | AutoIt3.exe | 132
PID 6088 wrote to memory of 2680 | 6088 | AutoIt3.exe | 132
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Process tree (children are indented under their parent; parent PIDs match the WriteProcessMemory rows above):

C:\Windows\system32\msiexec.exe (PID 3292)
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 4624)
Command line: C:\Windows\system32\msiexec.exe /V
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe (PID 3740, parent 4624)
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\syswow64\MsiExec.exe (PID 4348, parent 4624)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A043701A43DFA897CAA2003C1E8EF4CE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

  C:\Windows\syswow64\MsiExec.exe (PID 4568, parent 4624)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E09E5486124D2154E2AB80CDF7684626 E Global\MSI0000
  - Drops file in Windows directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4880, parent 4568)
    Command line: "C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\COMODO\Endpoint Manager\" && "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe (PID 4748, parent 4880)
      Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\python_x86_Lib.exe"
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 4800, parent 4748)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe (PID 3628)
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe (PID 1336)
Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe"
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe (PID 4600, parent 1336)
  Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe (PID 4128, parent 1336)
  Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe" noui
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe (PID 1056, parent 1336)
  Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMAgent.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe (PID 1504, parent 1336)
  Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --start
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

C:\Windows\system32\wbem\WmiApSrv.exe (PID 116)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe (PID 332)
Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe (PID 5696, parent 332)
  Command line: "C:\Program Files (x86)\COMODO\Endpoint Manager\RmmService.exe" --run_procedure --in Global\sharedInputMemory_1 --out Global\sharedOutputMemory_2 --err Global\sharedErrorMemory_3
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 6072, parent 5696)
    Command line: C:\Windows\system32\cmd.exe /c "AutoIt3.exe script.a3x"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\theistically\AutoIt3.exe (PID 6088, parent 6072)
      Command line: AutoIt3.exe script.a3x
      - Command and Scripting Interpreter: AutoIT
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe (PID 2680, parent 6088)
        Command line: "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Installer Packages (1)
Downloads