Malware Analysis Report

2024-11-30 19:25

Sample ID 240922-yp19bavfnr
Target Checkm8.info_Software_5.2.1_win.zip
SHA256 57e3dd38216d55e7f71e20580ec8cf806501bf13ebef7043c11596719f4666c5
Tags
agilenet defense_evasion discovery evasion privilege_escalation themida trojan
score
9/10

Analysis Overview

score
9/10

SHA256

57e3dd38216d55e7f71e20580ec8cf806501bf13ebef7043c11596719f4666c5

Threat Level: Likely malicious

The file Checkm8.info_Software_5.2.1_win.zip was found to be: Likely malicious.

Malicious Activity Summary

agilenet defense_evasion discovery evasion privilege_escalation themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Manipulates Digital Signatures

Checks BIOS information in registry

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Themida packer

Executes dropped EXE

Checks whether UAC is enabled

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Access Token Manipulation: Create Process with Token

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Views/modifies file attributes

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-22 19:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-22 19:58

Reported

2024-09-22 20:11

Platform

win11-20240802-en

Max time kernel

51s

Max time network

50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" C:\Windows\SysWOW64\certutil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" C:\Windows\SysWOW64\certutil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" C:\Windows\SysWOW64\certutil.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Installer\MSIDE92.tmp N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\usbaaplrc.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaaplrc.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaapl64.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44D4.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E5.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E7.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\usbaapl64.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E7.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\USBAAPL64.CAT C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E6.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\usbaapl64.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaapl64.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44D4.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\USBAAPL64.CAT C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E5.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E6.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicenotificationproxy.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\usbmuxd.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x86\usbaapl.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\curl-ca-bundle.crt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicediagnostics.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ideviceprovision.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\AgileDotNet.VMRuntime.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\QuartzCore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\icudt62.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libcache.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\MobileDevice.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\plist_cmp.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\amd64\libusbK_x86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\x86\libusb0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicedate.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libcurl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libxml2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\iMobileDevice-net.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libusb0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\boot\boot.raw C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x86\usbaapl.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\AirTrafficHost.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicename.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevice_id.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libusb-1.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\lskd.rl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\dpinst64.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\x86\libusbK.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libcrypto-1_1-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ios_webkit_debug_proxy.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\iTunesMobileDevice.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\CoreVideo.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libcrypto-1_1-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ApplePushService.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x64\USBAAPL64.CAT C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libssl-1_1-x64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libcharset.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\lzma.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x64\usbaapl64.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libxslt.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\plist.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\zlib1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\vcruntime140d.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libtidy.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\readline.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\jose-jwt.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libusb-1.0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\getopt.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ideviceactivation.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicepair.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libeay32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\pthreadsVC2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\AppleMobileDeviceService_main.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicesyslog.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\imobiledevice.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\irecovery.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libicuuc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\plistutil.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\x86\WdfCoInstaller01011.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Renci.SshNet.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\amd64\libusb0.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x86\usbaaplrc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\iproxy.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIDDD4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{6116AF06-AA7D-4A03-937D-D5C038608AAB}\Checkm8.infoSoftware.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57d65d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSID9CB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57d65b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57d65b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID716.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID8BE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFCB761B2836824028.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID9BA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFDFF23CF59BC7C893.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDD56.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE8D6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFFB571F56113236C2.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{6116AF06-AA7D-4A03-937D-D5C038608AAB} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF22E500A86FED1D58.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE1B0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSID87F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID8CF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{6116AF06-AA7D-4A03-937D-D5C038608AAB}\Checkm8.infoSoftware.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEB09.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDE52.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDE92.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDFCB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\Installer\MSIDE92.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\certutil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Installer\MSIDE92.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\Media\1 = "Disk1;Disk1" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\60FA6116D7AA30A439D75D0C8306A8BA\A918597FE054CCCB65ABDBA0AD8F63C C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4FBD7DFEF531EE246A95B5DD8F9D05D9\60FA6116D7AA30A439D75D0C8306A8BA C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\60FA6116D7AA30A439D75D0C8306A8BA\C4FE6FD5B7C4D07B3A313E754A9A6A8 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\PackageName = "Checkm8.info Software.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Checkm8.info\\Checkm8.info Software 5.2.1\\install\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\Version = "84017153" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Checkm8.info\\Checkm8.info Software 5.2.1\\install\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\AuthorizedLUAApp = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4FBD7DFEF531EE246A95B5DD8F9D05D9 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\60FA6116D7AA30A439D75D0C8306A8BA C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\PackageCode = "7F3D6F9BF65EBF042B652FB1B36DACA4" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\ProductIcon = "C:\\Windows\\Installer\\{6116AF06-AA7D-4A03-937D-D5C038608AAB}\\Checkm8.infoSoftware.exe" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\ProductName = "Checkm8.info Software" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\60FA6116D7AA30A439D75D0C8306A8BA\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 5100 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4780 wrote to memory of 5100 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4780 wrote to memory of 5100 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1296 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe
PID 1296 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe
PID 1296 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe
PID 4780 wrote to memory of 888 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4780 wrote to memory of 888 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4780 wrote to memory of 3148 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4780 wrote to memory of 3148 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4780 wrote to memory of 3148 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4780 wrote to memory of 3528 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIDE92.tmp
PID 4780 wrote to memory of 3528 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIDE92.tmp
PID 4780 wrote to memory of 3528 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIDE92.tmp
PID 3528 wrote to memory of 4692 N/A C:\Windows\Installer\MSIDE92.tmp C:\Windows\SysWOW64\certutil.exe
PID 3528 wrote to memory of 4692 N/A C:\Windows\Installer\MSIDE92.tmp C:\Windows\SysWOW64\certutil.exe
PID 3528 wrote to memory of 4692 N/A C:\Windows\Installer\MSIDE92.tmp C:\Windows\SysWOW64\certutil.exe
PID 4780 wrote to memory of 3428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4780 wrote to memory of 3428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4780 wrote to memory of 3428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5100 wrote to memory of 1896 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe
PID 5100 wrote to memory of 1896 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe
PID 1296 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe C:\Windows\SysWOW64\cmd.exe
PID 1296 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe C:\Windows\SysWOW64\cmd.exe
PID 1296 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe C:\Windows\SysWOW64\cmd.exe
PID 1296 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe C:\Windows\SysWOW64\cmd.exe
PID 1296 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe C:\Windows\SysWOW64\cmd.exe
PID 1296 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1980 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1980 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1980 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1980 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1980 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2508 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2508 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2508 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1980 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2508 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2508 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2508 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4840 wrote to memory of 1796 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4840 wrote to memory of 1796 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe

"C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8715339564D41E0613C0BB6F911DC61B C

C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe

"C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe" /i "C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 5.2.1\install\Checkm8.info Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Checkm8.info\Checkm8.info Software" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Checkm8.info Software" SECONDSEQUENCE="1" CLIENTPROCESSID="1296" AI_MORE_CMD_LINE=1

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 040E3D71F225109659D995A83E3C7B5F

C:\Windows\Installer\MSIDE92.tmp

"C:\Windows\Installer\MSIDE92.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\certutil.exe" -addstore "Root" C:\Users\Admin\AppData\Local\Temp\5.0\simple.cer

C:\Windows\SysWOW64\certutil.exe

"C:\Windows\SysWOW64\certutil.exe" -addstore "Root" C:\Users\Admin\AppData\Local\Temp\5.0\simple.cer

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 62099BE6F8918962A47A3991558B6841 E Global\MSI0000

C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe

"C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE4238.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE4277.bat" "

C:\Windows\SysWOW64\attrib.exe

C:\Windows\System32\attrib.exe -r "\\?\C:\Users\Admin\AppData\Roaming\CHECKM~1.INF\CHECKM~1.1\install\CHECKM~1.MSI"

C:\Windows\SysWOW64\attrib.exe

C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE4238.bat"

C:\Windows\SysWOW64\attrib.exe

C:\Windows\System32\attrib.exe -r "\\?\C:\Users\Admin\AppData\Roaming\CHECKM~1.INF\CHECKM~1.1\install\CHECKM~1.MSI"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE4238.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" cls"

C:\Windows\SysWOW64\attrib.exe

C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE4277.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE4277.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" cls"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{db1f14fd-63bf-8a46-8f3c-d6c8b23720e4}\usbaapl64.inf" "9" "44b456927" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x64"

Network

Country Destination Domain Proto
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 67.205.145.220:443 p01md.com tcp
N/A 127.0.0.1:50151 tcp
N/A 127.0.0.1:50153 tcp
N/A 127.0.0.1:27015 tcp

Files

C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 5.2.1\install\Checkm8.info Software.msi


C:\Users\Admin\AppData\Local\Temp\MSIA837.tmp


C:\Users\Admin\AppData\Local\Temp\MSIA8A6.tmp


C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1296\banner


C:\Users\Admin\AppData\Local\Temp\MSIAAA0.tmp


C:\Users\Admin\AppData\Local\Temp\MSIAAF0.tmp


C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1296\dialog


C:\Users\Admin\AppData\Local\Temp\shiBA95.tmp


\??\Volume{626b4c0b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d1581c13-56d6-4821-810e-8312a84efa43}_OnDiskSnapshotProp


\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2


C:\Users\Admin\AppData\Local\Temp\shiD939.tmp


C:\Windows\Installer\MSIDE52.tmp


C:\Windows\Installer\MSIDE92.tmp


C:\Users\Admin\AppData\Local\Temp\5.0\simple.cer


C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe


C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Checkm8.info Software\Checkm8.info Software.lnk


C:\Users\Public\Desktop\Checkm8.info Software.lnk


C:\Config.Msi\e57d65c.rbs

C:\Users\Admin\AppData\Local\Temp\83254659-1a8f-41e5-9077-333f33c0e706\AgileDotNetRT64.dll

C:\Users\Admin\AppData\Local\Temp\{db1f14fd-63bf-8a46-8f3c-d6c8b23720e4}\usbaaplrc.dll


C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E5.tmp


C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44D4.tmp


C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E6.tmp
