eeee232ef628352d43833b909892d2ed0807a43850baaf8d828b769c7840eb92

Analysis

max time kernel
149s
max time network
145s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20/08/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

em_FReBA03x_installer_Win7-Win11_x86_x64/em_FReBA03x_installer_Win7-Win11_x86_x64.msi
Size

93.9MB
MD5

a2b4081e6ac9d7ff9e892494c58d6be1
SHA1

8b1858f5b6f9de98da0da23835ffb7197341b401
SHA256

d2479f32549799d766941ca412912a3c58b06fc1bcef55eb4db4c0d90bdd7dfb
SHA512

8a9ec3b404c7a0df38d08e96c8484d18b9d78a53ecd6de0f2632a84767df7b2f7fb387fa5295cb9f1cf3f6af55b2150c5d7dff7593385fe44afc8ecfce011d74
SSDEEP

1572864:OC2l1WbND0AFuMNQQyf7CfhU+43Seba3aQ6BZmOEbQSRsvuv+Tg9yS3i0PWmZyGT:qPoDn9NJ143Xba3Z6zN3c9X3ZzkL2kq1

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Endpoint Manager = "C:\\Program Files (x86)\\ITarian\\Endpoint Manager\\ITSMAgent.exe"	msiexec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	3516	msiexec.exe
4	3516	msiexec.exe
8	3516	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	ITSMService.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	ITSMService.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\	ITSMService.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm\RemovalSecurity	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS\Esm	ITSMService.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Isle_of_Man	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Kwajalein	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\combo.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\encodings\iso2022_jp_ext.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\lib2to3\fixes\fix_dict.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\requests\__init__.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\FileCbx.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\HList.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\images\pwrdLogo100.gif	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\cgi.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\htmllib.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\utils\deprecation.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Novosibirsk	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\demos\samples\PopMenu.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\hotshot\__init__.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\shelve.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\idlelib\HyperParser.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\macRoman.enc	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\msgs\te_in.msg	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\Douala	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Marigot	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Fakaofo	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\dumbdbm.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\idlelib\config-highlight.def	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\VTree.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\paned2.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Harbin	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\arrow.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\distutils\filelist.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\encoding\cp850.enc	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Etc\Zulu	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\San_Marino	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Pacific\Easter	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\image1.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Africa	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Indiana\Vevay	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Asia\Khandyga	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\St_Johns	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\ListNBk.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\msgs\de.msg	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\operations\__init__.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\idlelib\EditorWindow.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\vcs\git.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\SimpleXMLRPCServer.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\re-vendor.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Brazil\East	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\images\gray25.xbm	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log	ITSMService.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\BaseHTTPServer.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\compiler\ast.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\msgs\te.msg	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\demos\samples\Control.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Europe\Lisbon	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tix8.4.3\TList.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\entry2.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\ttkscale.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\pkgIndex.tcl	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\pip\_vendor\progress\__init__.py	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Cuiaba	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\shlex.py	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\Africa\Asmara	python_x86_Lib.exe
File opened for modification	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tcl8.5\tzdata\America\Monterrey	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\tk8.5\demos\menu.tcl	python_x86_Lib.exe
File created	C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\encodings\iso8859_14.py	python_x86_Lib.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57a289.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA72F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C82FE567-C842-487F-B719-C9FDC94F7221}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB78.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD9C.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{C82FE567-C842-487F-B719-C9FDC94F7221}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIA48D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA53A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA879.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD2E.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{C82FE567-C842-487F-B719-C9FDC94F7221}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7BC.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a28b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAAC.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a289.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C82FE567-C842-487F-B719-C9FDC94F7221}	msiexec.exe

Executes dropped EXE 7 IoCs

pid	Process
1980	python_x86_Lib.exe
4144	ITSMService.exe
3564	ITSMAgent.exe
524	ITSMAgent.exe
3772	ITSMAgent.exe
4728	RmmService.exe
2216	RmmService.exe

Loads dropped DLL 64 IoCs

pid	Process
1872	MsiExec.exe
1872	MsiExec.exe
1872	MsiExec.exe
1872	MsiExec.exe
868	MsiExec.exe
868	MsiExec.exe
868	MsiExec.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
524	ITSMAgent.exe
524	ITSMAgent.exe
524	ITSMAgent.exe
524	ITSMAgent.exe
524	ITSMAgent.exe
524	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
524	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
868	MsiExec.exe
3772	ITSMAgent.exe
3772	ITSMAgent.exe
3772	ITSMAgent.exe
3772	ITSMAgent.exe
3772	ITSMAgent.exe
3772	ITSMAgent.exe
3772	ITSMAgent.exe
3772	ITSMAgent.exe
3772	ITSMAgent.exe
4728	RmmService.exe
4728	RmmService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3516	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ITSMAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ITSMAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python_x86_Lib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ITSMService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ITSMAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RmmService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RmmService.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	ITSMService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	python_x86_Lib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	python_x86_Lib.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ITSMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	python_x86_Lib.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	python_x86_Lib.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	ITSMService.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\em_FReBA03x_installer_Win7-Win11_x86_x64\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\Language = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061\765EF28C248CF7847B919CDF9CF42712	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\765EF28C248CF7847B919CDF9CF42712\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CDM	ITSMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\ProductName = "Endpoint Manager Communication Client"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\SourceList\PackageName = "em_FReBA03x_installer_Win7-Win11_x86_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDM\proxy = "false"	ITSMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\ProductIcon = "C:\\Windows\\Installer\\{C82FE567-C842-487F-B719-C9FDC94F7221}\\icon.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\Version = "151109282"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DD4D523EF099D7E42B1DBDFD40CF9061	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\em_FReBA03x_installer_Win7-Win11_x86_x64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\765EF28C248CF7847B919CDF9CF42712	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\765EF28C248CF7847B919CDF9CF42712\PackageCode = "B1460A196BBBB7C44ADB0144887655EA"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
3564	ITSMAgent.exe
524	ITSMAgent.exe
3772	ITSMAgent.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3076	msiexec.exe
3076	msiexec.exe
4144	ITSMService.exe
4144	ITSMService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3516	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3516	msiexec.exe
Token: SeSecurityPrivilege	3076	msiexec.exe
Token: SeCreateTokenPrivilege	3516	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3516	msiexec.exe
Token: SeLockMemoryPrivilege	3516	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3516	msiexec.exe
Token: SeMachineAccountPrivilege	3516	msiexec.exe
Token: SeTcbPrivilege	3516	msiexec.exe
Token: SeSecurityPrivilege	3516	msiexec.exe
Token: SeTakeOwnershipPrivilege	3516	msiexec.exe
Token: SeLoadDriverPrivilege	3516	msiexec.exe
Token: SeSystemProfilePrivilege	3516	msiexec.exe
Token: SeSystemtimePrivilege	3516	msiexec.exe
Token: SeProfSingleProcessPrivilege	3516	msiexec.exe
Token: SeIncBasePriorityPrivilege	3516	msiexec.exe
Token: SeCreatePagefilePrivilege	3516	msiexec.exe
Token: SeCreatePermanentPrivilege	3516	msiexec.exe
Token: SeBackupPrivilege	3516	msiexec.exe
Token: SeRestorePrivilege	3516	msiexec.exe
Token: SeShutdownPrivilege	3516	msiexec.exe
Token: SeDebugPrivilege	3516	msiexec.exe
Token: SeAuditPrivilege	3516	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3516	msiexec.exe
Token: SeChangeNotifyPrivilege	3516	msiexec.exe
Token: SeRemoteShutdownPrivilege	3516	msiexec.exe
Token: SeUndockPrivilege	3516	msiexec.exe
Token: SeSyncAgentPrivilege	3516	msiexec.exe
Token: SeEnableDelegationPrivilege	3516	msiexec.exe
Token: SeManageVolumePrivilege	3516	msiexec.exe
Token: SeImpersonatePrivilege	3516	msiexec.exe
Token: SeCreateGlobalPrivilege	3516	msiexec.exe
Token: SeBackupPrivilege	4800	vssvc.exe
Token: SeRestorePrivilege	4800	vssvc.exe
Token: SeAuditPrivilege	4800	vssvc.exe
Token: SeBackupPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeBackupPrivilege	1460	srtasks.exe
Token: SeRestorePrivilege	1460	srtasks.exe
Token: SeSecurityPrivilege	1460	srtasks.exe
Token: SeTakeOwnershipPrivilege	1460	srtasks.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeBackupPrivilege	1460	srtasks.exe
Token: SeRestorePrivilege	1460	srtasks.exe
Token: SeSecurityPrivilege	1460	srtasks.exe
Token: SeTakeOwnershipPrivilege	1460	srtasks.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3516	msiexec.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3516	msiexec.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe
3564	ITSMAgent.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
4144	ITSMService.exe
3564	ITSMAgent.exe
4144	ITSMService.exe
524	ITSMAgent.exe
3772	ITSMAgent.exe
4144	ITSMService.exe
4144	ITSMService.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 1460	3076	msiexec.exe	78
PID 3076 wrote to memory of 1460	3076	msiexec.exe	78
PID 3076 wrote to memory of 1872	3076	msiexec.exe	80
PID 3076 wrote to memory of 1872	3076	msiexec.exe	80
PID 3076 wrote to memory of 1872	3076	msiexec.exe	80
PID 3076 wrote to memory of 868	3076	msiexec.exe	81
PID 3076 wrote to memory of 868	3076	msiexec.exe	81
PID 3076 wrote to memory of 868	3076	msiexec.exe	81
PID 868 wrote to memory of 4736	868	MsiExec.exe	82
PID 868 wrote to memory of 4736	868	MsiExec.exe	82
PID 868 wrote to memory of 4736	868	MsiExec.exe	82
PID 4736 wrote to memory of 1980	4736	cmd.exe	84
PID 4736 wrote to memory of 1980	4736	cmd.exe	84
PID 4736 wrote to memory of 1980	4736	cmd.exe	84
PID 1980 wrote to memory of 4984	1980	python_x86_Lib.exe	85
PID 1980 wrote to memory of 4984	1980	python_x86_Lib.exe	85
PID 1980 wrote to memory of 4984	1980	python_x86_Lib.exe	85
PID 4144 wrote to memory of 3564	4144	ITSMService.exe	89
PID 4144 wrote to memory of 3564	4144	ITSMService.exe	89
PID 4144 wrote to memory of 3564	4144	ITSMService.exe	89
PID 4144 wrote to memory of 524	4144	ITSMService.exe	90
PID 4144 wrote to memory of 524	4144	ITSMService.exe	90
PID 4144 wrote to memory of 524	4144	ITSMService.exe	90
PID 4144 wrote to memory of 3772	4144	ITSMService.exe	92
PID 4144 wrote to memory of 3772	4144	ITSMService.exe	92
PID 4144 wrote to memory of 3772	4144	ITSMService.exe	92
PID 4144 wrote to memory of 4728	4144	ITSMService.exe	97
PID 4144 wrote to memory of 4728	4144	ITSMService.exe	97
PID 4144 wrote to memory of 4728	4144	ITSMService.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\em_FReBA03x_installer_Win7-Win11_x86_x64\em_FReBA03x_installer_Win7-Win11_x86_x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3516

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D2D72B6E540EC29E6F94E31B5D0B5E4D
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 83257D6820D2DE67F1BFAE93D1E87694 E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /C "cd "C:\Program Files (x86)\ITarian\Endpoint Manager\" && "C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe
      "C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4172

C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMService.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMService.exe"
1⤵
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
  "C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3564
- C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
  "C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe" noui
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:524
- C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe
  "C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3772
- C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe
  "C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe" --start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4728

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3260

C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe
"C:\Program Files (x86)\ITarian\Endpoint Manager\RmmService.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2072

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a28a.rbs

Filesize
709KB

MD5
751fe454dfff5ff5c4c7dfca78860fb7

SHA1
0623b22e2eeea88ccbdffc83851986642dcb01d0

SHA256
d6371b107523bad43f061c818e1f03e80de613eec2d4ee2b5841c978e414cbc8

SHA512
364f038cb0de584817a841a8b0ca98737e528045a4653da5e7ae24ab7bbaa82deaf25ec65924765e96ecfbb9882b325b41cc6cf7c60dba4c69d2ad8decef0ec3

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMAgent.exe

Filesize
3.0MB

MD5
e6215cb872859527bd919caece57800b

SHA1
e0cb7579997eadd2131fa1e44ccd3d13a566b59c

SHA256
33417ec81b6742fbf550f7423198cc6bcce6274bb819934c898d6eb1ef4004a6

SHA512
93c4c4b33ef4c3b7829d853518ce9990b138ce96ac0c779d4c0bf725422600e236f948c2ebc253b5ec6394f407a9ef621c9410bb85db7f9a7ff7a08028f2cca7

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\ITSMService.exe

Filesize
8.4MB

MD5
f70538a01b88689852037389b49826d2

SHA1
0eba13501285260c628450b7d57bfadc2b670faf

SHA256
0f9a70684ee7cecca6c01d8d65ed51a15b60f1d1664cc353f391f7a3d426f3a3

SHA512
a4d0952da18e0e60d36739e2d8bcb09175afdbc6ee6a8839da56c55e7b0af4cced57a99e540b1f60b83a7e18411c9e62244a4a5229bc684f300ddd72b1522af6

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Lib\site-packages\setuptools-18.2.dist-info\zip-safe

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\Qt5Gui.dll

Filesize
5.2MB

MD5
90cde96a3df7c3192998891700889431

SHA1
4b0ba9caa4f4bac0a4e88801a2f5bd4e2cccc784

SHA256
23b9d9d02ab4fc11b8934dbdd2d3f0119ec95c5f6a1ded8adad24ddaad8d7196

SHA512
7d1e7e5b1291dd2b829b1178d4359a9493efaefb37fe5889e1a9991f8d6d99ebcbb71ddfeb15f4087663f177a324c0b7b53648a33368c077c4aa3f7ec1b8aee2

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\libssl-1_1.dll

Filesize
533KB

MD5
93672b91b1180409098adf715ce7f3d2

SHA1
55d462a97f88118eae1a48e35eb0800e4bb89133

SHA256
f7421298d4d02dfa2592cffa95a8df04cb9630c531aa0a8b0b74f701a2cc4fb4

SHA512
36693e2c45ff968b257e3aa13750fda0225ca628b4209e2d0bcb8a899ffec132fa2a83e2d152c69f477d1eeef59f58eb80b1158e34cf27d15565495fe32574b8

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\proxy_settings.ini

Filesize
101B

MD5
273ec42863e3d9f999381f09c13d313b

SHA1
008d1954b2a7d1c692a697c891f9692f41f10481

SHA256
4dd2c699bbb8c398788067be6fc82edc68c8246b8f6765169776bb24ebd0c487

SHA512
940df3f73592ccabc27bf2cc77de98eade7eb8988d30144060c817eda614085e36eadb699b02123c63774416e827194c269acd1267fad1d560b7df86a79ed89b

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\python_x86_Lib.exe

Filesize
7.2MB

MD5
7b7174e51f9cd2e2bf5c0877f3b7f4ce

SHA1
4373bdeff7ddb686a2d4dc24f4ff64656add61a8

SHA256
87157acde3d71be94feb4b5eeac0c6a908b7d36de1af66ce4fa682617de6aee4

SHA512
4e55c80ab85b1a960cb699b62513dd400252cd3519ecbf4db2ee33728fb9cda89ee3be6d3a7cfa308fe791a993af4284c09a2e6400fe137606b145388eb5664f

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.1

Filesize
33KB

MD5
d5effd97773da230f87d213f2913b4b5

SHA1
ed84a69b6a7b268f1b51e7ff3d4ff436f2ebbf11

SHA256
374d53d661cb2da74f7b383c8c7c61cac16442f7dd6591ab7f74dfd7b9111ba3

SHA512
a9eef3713505c79fcc9e730c77796b2eab944f5e2565ef84ce69291dd1115f91856e2e4a1d9766e916cc99126024de7a3ccf6b3aacb1f14e8000e4d1a36c5286

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
32KB

MD5
9291587892d77647a1df9efadb464d8e

SHA1
870597f74eb6b5d5d4ba8e398fc9b13f8b200d5d

SHA256
34c3d04d09e890a8b736cb142b39b539e4a88ab646bef8634074754915c25086

SHA512
f93765cc14d841d78dfc7e64924c586fb313f9c737e1f36270e97d3e7da361e4eb8eee09faa25b2d1e6f5c281a043775c3ace116d1042a328fbc25ad3fc6fcdd

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs\Rmm_Proxy_dll.log.4

Filesize
33KB

MD5
de3c0419bf023b26c69d7b246d2466dd

SHA1
088342a831b2f6af4212a662f60cf91ccfa56798

SHA256
b3915d4199b94916fa5e355f1aeb0d00e2258188863b7c531a2d1a4943786f47

SHA512
fb62d73cc7103187d943c8fbc2f54e35a7c99ebfa8d7285a923b2b85814436f808554452ae3943ecb8b7564d8047e7e35e280beb21fa5d6d10ccdb9a701293e2

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\rmmproxy.dll

Filesize
154KB

MD5
40b0a10d3eafa102a2121f585bfe9d39

SHA1
34ff0b9c903c60c3860ac911b59ac6babfbab649

SHA256
ddc523f553b1bc86cc3fc922fc76c597947028121f7e95f597c297a5f219f2b7

SHA512
d1e76134e2f4d461e679e4463c5f9bb52d9d3e6b146f32b0e98b3384d08e69c21aa963eaa2c1a3308474389b01d6165e53cdea4386e94781720deccc42c9b764

Download Submit
C:\Program Files (x86)\ITarian\Endpoint Manager\token.ini

Filesize
8B

MD5
925751de48783b64a108b54c043d4c24

SHA1
fdfacabe143159a7d2952601b26c5095503c23eb

SHA256
7f02a0f42552061f2e8c78d559c2c573745c44154a96525797b2efc6c2ae3027

SHA512
e71a599ce609a4a0bb41907a2584f6da43457cac4d30b7570454ebe7b8ab24b30efb9a1d67ce78a05a7529ae6b0b400e947dff70068fcb80cabd55584ad03539

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013

Filesize
765B

MD5
3a4e147a2de6fd9d42312ccd8e2b3240

SHA1
633def9461927ca583646e25060f33edaea4ebad

SHA256
d0432db5cc17fbdd3136c90e386ab1441bf45cc890eaadc337acf683f0aea744

SHA512
2f4a38de4c880b87cdfc5ae5e21d32e56bed615eaff3cc2f24a18b53dd1ea7462e901bba2587a3ad1539d7a19c6e3991d5ca847f89248d86a9a6780bc159b12e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784

Filesize
637B

MD5
7c3f5ee48927243f66de32d91dd70aa9

SHA1
82efd681abfd00121e51daa09e002f6fb878bfba

SHA256
a4e49f7e1c5cbb992dcd9cfb9257635d69393b31b134c96ddc260f075e187b1b

SHA512
95402858de0b147ce85f6ed6999f13f929d6e58c2fa5b09ba76f2294a74d7410601e69a38b7b71893710c6e1870f4b0fe8e20a973bc70696fa27aeb27ff3b7b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
e850e063c3d21e596f614a0fac173298

SHA1
192a158c4739e3162640934084a925fe2e4588cc

SHA256
3f4268d58f84a28da29ce3532ced8eb4389ce461a94465da3f6413ebd15a9c03

SHA512
c972136f400092a5800497aef304375859c1e1d3df4792d40ffb8fbf128a9af8d4ab6972efe2c366b3ac9eeb8a188a86aa07811daac489f4438a9c8fcd86f17d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013

Filesize
484B

MD5
3c032abeb58f747700bed7e632f0bbc9

SHA1
9a60138e6fe8aced2aee5297ffd1cf8de477b0f9

SHA256
7756fd07a353dcbdc13069e86d57f79033f8399fbf82197cd38035e04cb34c3b

SHA512
f6f65bf10ed53a57d20a3a032a524deb9778cd9a38b5e293f7cd329f5201845f861b0c228e89a4fc4078624bde20eab4450e71b71a291032a30e249e09117556

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784

Filesize
480B

MD5
1955040ba6d0208d112eba61dca82fb4

SHA1
4e1972e0f1e9c47d44c58db7cdb5187bc2999ca1

SHA256
f7cebaefda0a02b5ed59eb7a059f295ed8e916545c6f07f36ef2b56f21020f7e

SHA512
e89ae5a302f3043dd70bf694b755d86d38f66ddaf2d144a6cf7d5dc74b64a5a9d362ddbd9f44fec28db4e0dbfba60a8318a62558de18bbd56461f52aff240348

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
a3b9bc5c33fa137b82621590e2942b89

SHA1
5930893c310ef9c9cbd77e81f95e0b576f99c015

SHA256
010cbbb340f053c59d02106acb01b9c3a9543ec0bceb9626ae631ee55db5c667

SHA512
e18cef4bed8f33e70f85f903f7acc1542659d69bd2ab873af89e9cfec679b80f2de23bc3a48338df1db26991fb4844505812114541220b8528e4fe006ffa2baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
228B

MD5
8f45e0ea664b30edd40e277c6eb8fc89

SHA1
9742d05a0eabe8c4960d80bcb24e51514e77a803

SHA256
e2cdd1993e117f75ecd7833a86becccc3ecee73d8afd7197971acac88408c4d3

SHA512
6dec7f7a59cff0533eee2f50c44eefff880f1486d8cc0c3fa2884bb222d837dde26d7a21f4879b3ed2e4081dee6580529bbd3f23b93efd2e80609bb37b85f00d

Download Submit
C:\Windows\Installer\MSIA48D.tmp

Filesize
285KB

MD5
a036727c2de2b87f22572d1a990d18eb

SHA1
029a583923ef9e017a2dc6334591c40468f7f55b

SHA256
f39b9cfe82861e5206011c96f9683210b4ac8abd0c0b7291c58e2f1094cf663f

SHA512
a0c7008343b4cae633263c8c6c989c76b3558b977a78360a024f4d719a00a7eccf50d170ec22a5fa8756730168b3aba487268ef9a517c3bd73cc46de4425845a

Download Submit
C:\Windows\Installer\MSIA53A.tmp

Filesize
203KB

MD5
d53b2b818b8c6a2b2bae3a39e988af10

SHA1
ee57ec919035cf8125ee0f72bd84a8dd9e879959

SHA256
2a81878be73b5c1d7d02c6afc8a82336d11e5f8749eaacf54576638d81ded6e2

SHA512
3aaf8b993c0e8f8a833ef22ed7b106218c0f573dcd513c3609ead4daf90d37b7892d901a6881e1121f1900be3c4bbe9c556a52c41d4a4a5ec25c85db7f084d5e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
26.0MB

MD5
e761a4c51e454f18c61951863ec6b625

SHA1
7414a7eaea3e1b329c6954b0effde714cb66b4c8

SHA256
4b228028f99d86d60410aba71fc13ed6830f72a82e59d5fb046d48f34674b9c2

SHA512
7c3b0802483fe249039396d95746350767f67dc1e939e6c840955fcbcdfd0fa0ee3d724c80b85df87eb841a0e87af3226c74c3231658c0af678d1e950de52a34

Download Submit
\??\Volume{38fc5f00-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{444a32de-9d76-479c-96d4-3e99ac03d3c9}_OnDiskSnapshotProp

Filesize
5KB

MD5
bc72e124c7c3c2c6dac943a0902416c8

SHA1
3bf29c23dfb468cfdefff8db5357bdd4b7273c4a

SHA256
8789933afa066e729c1f29d8fa46dcd296f830ffb13ea4becb7d6a5da7468563

SHA512
e5363d28ec28e2d84bf978211b642a529ccff0bbfba09ea5f33417763b8930659b3629ff6b3172dc2caa3e0cf6dad3101bccdb9ecd9a2e50b4c183f06e7e6daa

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\ApplicationManagement.dll

Filesize
87KB

MD5
3ee9fa14a1a572a684ce35ca04641ac6

SHA1
ae04a8cf0cf0d04adc076a9724ca9c9ec61c3387

SHA256
4ce15a660e3167f3d66e3241d4ae204437e32c0149d385489999fbd6e2cdc031

SHA512
a6f379b9ef6a9a98360d22ab104b68dad9ad5f04e8c6fbe0be658994e44f9501beb3f20639475fbd7f8ae37b337f4cf7a3fb5d3b449fdf843d632e0e48443739

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\Qt5Core.dll

Filesize
5.1MB

MD5
de8cbc4ca3be4595864305f387d61e18

SHA1
aeb5c93d429fe9f75f944c6c1cb89b73adbaecd2

SHA256
9794dfdd69deac852f4695b1cc3349d7a6c2c3b73d1227e8f5a08de83bad053d

SHA512
9c8afe027b67604e996fa767d0b3a7bac6f34b4f1bd68085765b7ee1193dbaedecf85698309c792c104c6bbc62e74edfb78d90e36a6844b392ee4e959aa11e28

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\Qt5Network.dll

Filesize
1015KB

MD5
fdd60a6d835d294abd0f15551eae82c5

SHA1
921fe9f548901212f273000ba9c6f9c573f4dbec

SHA256
e430daed9d03d1d3d419ba2ddf45710c6b5268b31264637343444a946838ec51

SHA512
74efca078f5721dd9fef7ca64d68f8f50b5c47a3cac4c66c80729ddef3b5cd2ec955ab0dcc9f6c564d3daf6d02654899644ddace50888a44410d174319a10ccd

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\Qt5Sql.dll

Filesize
174KB

MD5
dff5a079ad88ef376589b4ba9aacf183

SHA1
7d25fb0b4a19bc7c0133c546e6d17912dead18e0

SHA256
60624c8e6edfb2fd2f930e74d7791e189e7df5445da3a228994861fab6ed1c80

SHA512
17fd90c552023b671c815e7dcfa453510428f43db4516631230627c1fe5905f7e49b5a5f167976030197cc380f2951be22ef34aee7d3a7e8110cff8927965614

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\Qt5Widgets.dll

Filesize
4.4MB

MD5
7969a5f8485f76e7da470e966b4b677f

SHA1
a1da9489c84d6309438855ee56bf113bbca651f4

SHA256
996fd8ef02b76adc0a327465491fff334d22e667ccf4a2e2adf82ab948038c83

SHA512
f70eb7da4a1cb9d84ada16400cbd4a3cf62243dd7fbf46eb16e5818c1a7db223b0cf47e1fdbaf9888a4e037af8529c3e1d31461089dbbf2c6f63007935c52bcc

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\Qt5Xml.dll

Filesize
163KB

MD5
d39f397e23f7532768069e87465bc80a

SHA1
fc7e6aa0402c3ebe724f4907553f3f5c6152addf

SHA256
ed553a7d2a75131e20095e16a9bc28ae6ddde902b2bf2df925fe04b4b427aac7

SHA512
7187dc6e4f631b00a61ba679af9a1d3efe8ef9dfb0f471afdba3ba4b53f8dcd040a5ab34a8fbbaef942f18825ca0903c913853bfb6307733c7996ed50b0210c9

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\Qt5XmlPatterns.dll

Filesize
2.2MB

MD5
862ae60ac641c121572e484aa9be6407

SHA1
d1a866200227c3b26f2ba29b212f7fb6db276a5a

SHA256
1d27c8e75ecb9b0fe0f0f5fdb38ad21370cfad5073c633a8299dbaca4b295f15

SHA512
841256c1b61ef4f9b9637c1f427c0601c3f1a484c1c0a3083a2a831e46127870fde78af37a6b7b23814c541b0f0deab8ad3ba513a7a25444a396396f97e81d02

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\libcrypto-1_1.dll

Filesize
2.5MB

MD5
a443165cde68e6bf7fba18bfdb10f358

SHA1
e670e6d3357ff0acc85be626f6feb44ef4bc0b43

SHA256
9fe3393b71cf667264a2f7c4ae1afbf9c8110df9a0b197732215392acf4b11f8

SHA512
dc3670d2020b8725f3a966b69eefb5d08c9424f4c3950d19a99b49e9862ee8ed7ab7d0c937c4ce94c237092cf2190c8eea2204be1b7770d5be0728090c570739

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\log4cplusU.dll

Filesize
471KB

MD5
c1a301526e947b2a99017fdd0f6117f0

SHA1
c4919aa0d5a9af5b588f3b5edef372c1426737f1

SHA256
b63f3111b880ad987b647d2c7ea5abe860794b4369289ef5688aa50de0407722

SHA512
3cd9210314f9217d4afe2f9c757cd985ee4c17bdd566cc4bdf4872cb8075fb3101c6fac6412b90b5dd7bbfef48f7e57ec8fca85699035b9b6817f175c6aff21a

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\qdjango-db0.dll

Filesize
132KB

MD5
e922d91ecbf5ec68e2af5c4d918fd1ab

SHA1
f265bfaf489976418fe9e9c955187276c602f5d8

SHA256
70936caa3584b6f49400cdded767b8f1083872d4fe9e9a43bca2b0304434006f

SHA512
947deba25cdccea870724604aeeb63ad97ffa2a3d029c2e766a70055151ab78afea33f6746b0c3a28b252daed35576bb99d68742bba7db1ac41c2147ea659a19

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\sqldrivers\qsqlite.dll

Filesize
1.1MB

MD5
d67a1b1ed6ae58d5409232c160ea89af

SHA1
adfc30018ad670a385dab157b4fc37f97e66bae0

SHA256
6b4f0c8f5fc503f0bb1f3a8fe876bc73a75799975049b1f24d892e51575581e3

SHA512
307aa972c18aeeed19dfedaf4403b3f506466e8ca35993c0e555a08a00a2e8f50de745849956de6fd3d2c0daee6bd40b3ec6451e0a093e986bc7e89399481076

Download Submit
\Program Files (x86)\ITarian\Endpoint Manager\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit