Analysis Overview
SHA256
57e3dd38216d55e7f71e20580ec8cf806501bf13ebef7043c11596719f4666c5
Threat Level: Likely malicious
The file Checkm8.info_Software_5.2.1_win.zip was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Manipulates Digital Signatures
Checks BIOS information in registry
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Themida packer
Executes dropped EXE
Checks whether UAC is enabled
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Access Token Manipulation: Create Process with Token
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-22 19:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-22 19:58
Reported
2024-09-22 20:11
Platform
win11-20240802-en
Max time kernel
51s
Max time network
50s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Installer\MSIDE92.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\usbaaplrc.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaaplrc.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaapl64.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44D4.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E5.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E7.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\usbaapl64.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E7.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\USBAAPL64.CAT | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\usbaapl64.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaapl64.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44D4.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\USBAAPL64.CAT | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E5.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicenotificationproxy.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\usbmuxd.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x86\usbaapl.PNF | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\curl-ca-bundle.crt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicediagnostics.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ideviceprovision.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\AgileDotNet.VMRuntime.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\QuartzCore.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\icudt62.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libcache.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\MobileDevice.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\plist_cmp.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\amd64\libusbK_x86.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\x86\libusb0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicedate.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libcurl.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libxml2.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\iMobileDevice-net.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libusb0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\boot\boot.raw | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x86\usbaapl.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\AirTrafficHost.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicename.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevice_id.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libusb-1.0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\lskd.rl | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\dpinst64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\x86\libusbK.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libcrypto-1_1-x64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ios_webkit_debug_proxy.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\iTunesMobileDevice.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\CoreVideo.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libcrypto-1_1-x64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ApplePushService.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x64\USBAAPL64.CAT | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libssl-1_1-x64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libcharset.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\lzma.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x64\usbaapl64.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libxslt.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\plist.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\zlib1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\vcruntime140d.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libtidy.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\readline.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\jose-jwt.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libusb-1.0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\getopt.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\ideviceactivation.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicepair.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libeay32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\pthreadsVC2.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\AppleMobileDeviceService_main.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\idevicesyslog.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\imobiledevice.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\irecovery.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\libicuuc.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\plistutil.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\x86\WdfCoInstaller01011.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Renci.SshNet.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\libusbk\amd64\libusb0.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x86\usbaaplrc.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\libs\iproxy.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Installer\MSIDDD4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{6116AF06-AA7D-4A03-937D-D5C038608AAB}\Checkm8.infoSoftware.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57d65d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID9CB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57d65b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57d65b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID716.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID8BE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFCB761B2836824028.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID9BA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFDFF23CF59BC7C893.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDD56.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE8D6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFFB571F56113236C2.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{6116AF06-AA7D-4A03-937D-D5C038608AAB} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF22E500A86FED1D58.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE1B0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID87F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID8CF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{6116AF06-AA7D-4A03-937D-D5C038608AAB}\Checkm8.infoSoftware.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEB09.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDE52.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDE92.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDFCB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Installer\MSIDE92.tmp | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSIDE92.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\Media\1 = "Disk1;Disk1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\60FA6116D7AA30A439D75D0C8306A8BA\A918597FE054CCCB65ABDBA0AD8F63C | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4FBD7DFEF531EE246A95B5DD8F9D05D9\60FA6116D7AA30A439D75D0C8306A8BA | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\60FA6116D7AA30A439D75D0C8306A8BA\C4FE6FD5B7C4D07B3A313E754A9A6A8 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\PackageName = "Checkm8.info Software.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Checkm8.info\\Checkm8.info Software 5.2.1\\install\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\Version = "84017153" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Checkm8.info\\Checkm8.info Software 5.2.1\\install\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\AuthorizedLUAApp = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4FBD7DFEF531EE246A95B5DD8F9D05D9 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\60FA6116D7AA30A439D75D0C8306A8BA | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\PackageCode = "7F3D6F9BF65EBF042B652FB1B36DACA4" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\ProductIcon = "C:\\Windows\\Installer\\{6116AF06-AA7D-4A03-937D-D5C038608AAB}\\Checkm8.infoSoftware.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\ProductName = "Checkm8.info Software" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\60FA6116D7AA30A439D75D0C8306A8BA\MainFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60FA6116D7AA30A439D75D0C8306A8BA\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe
"C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8715339564D41E0613C0BB6F911DC61B C
C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe
"C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe" /i "C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 5.2.1\install\Checkm8.info Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Checkm8.info\Checkm8.info Software" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Checkm8.info Software" SECONDSEQUENCE="1" CLIENTPROCESSID="1296" AI_MORE_CMD_LINE=1
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 040E3D71F225109659D995A83E3C7B5F
C:\Windows\Installer\MSIDE92.tmp
"C:\Windows\Installer\MSIDE92.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\certutil.exe" -addstore "Root" C:\Users\Admin\AppData\Local\Temp\5.0\simple.cer
C:\Windows\SysWOW64\certutil.exe
"C:\Windows\SysWOW64\certutil.exe" -addstore "Root" C:\Users\Admin\AppData\Local\Temp\5.0\simple.cer
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 62099BE6F8918962A47A3991558B6841 E Global\MSI0000
C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe
"C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE4238.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE4277.bat" "
C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "\\?\C:\Users\Admin\AppData\Roaming\CHECKM~1.INF\CHECKM~1.1\install\CHECKM~1.MSI"
C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE4238.bat"
C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "\\?\C:\Users\Admin\AppData\Roaming\CHECKM~1.INF\CHECKM~1.1\install\CHECKM~1.MSI"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE4238.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE4277.bat"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE4277.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{db1f14fd-63bf-8a46-8f3c-d6c8b23720e4}\usbaapl64.inf" "9" "44b456927" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\drivers\usbaapl\x64"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 67.205.145.220:443 | p01md.com | tcp |
| N/A | 127.0.0.1:50151 | N/A | tcp |
| N/A | 127.0.0.1:50153 | N/A | tcp |
| N/A | 127.0.0.1:27015 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 5.2.1\install\Checkm8.info Software.msi
| MD5 | 06cf1fbada8b04c4ab6afea2e1b47573 |
| SHA1 | 7c39a84f5a6fc7e79c4e958c3674f3a6b516b888 |
| SHA256 | 3eb3642c4d049dc1849c578164253c38d91a6a18e9b93dc9b3f097e413dabaa3 |
| SHA512 | d2ba19352cf5fef0cf2959ad550eafa45ddb2e08ed6a0a30b0f76ba010d5f965ba9aee74032d6b72d3a7d6ce41a274c97e34309c2475470aa4ad5c0009a54980 |
C:\Users\Admin\AppData\Local\Temp\MSIA837.tmp
| MD5 | c39daeba173815516c180ca4361f7895 |
| SHA1 | db3ae54329834baa954569a35be5b947c86dc25e |
| SHA256 | a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc |
| SHA512 | e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929 |
C:\Users\Admin\AppData\Local\Temp\MSIA8A6.tmp
| MD5 | b0b2090c4200fb19e335598969a40f26 |
| SHA1 | e31d5533f85ef03dd8eb21723df14ff71586bb60 |
| SHA256 | e16ce1f8a1b24d03353502af35fa159ab9962b4ecce8f3bb9dd4b075552505cd |
| SHA512 | 177dad69d6773dab432a39a91f113949573caa3f3513e1e79361e9d74efe813746bd25a9101ec6436be7476cd77b663102d7ee138a01afbc902738e3ad75fce2 |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1296\banner
| MD5 | 495a895d0a2feeba59737c745aa3f8ce |
| SHA1 | 48d5ea108fe612904ad80dc9e4296107d566131b |
| SHA256 | 26fb568a4bf976c45eae8d0c948a6ec2361bd0c027d1c325eb2d4319febaafb6 |
| SHA512 | 7c11b9b9e14691b074ac507b1f37ba1ea107ef6fa617fc309dc29cc93b896486dc2bf575bc91334435457ac7fe4fa214c902c6c3d615093674c1828f9db2ba17 |
C:\Users\Admin\AppData\Local\Temp\MSIAAA0.tmp
| MD5 | 1c62521f4ade74fe465aaf61049c3634 |
| SHA1 | 758bd079f98c5f1153213a4c78ee25f89eb64fa6 |
| SHA256 | ae5544ebfa8d92072562dcc4f3a6b48e77ab1a1e263e8e8dabebf6a627286f9e |
| SHA512 | 4b58f0216f2dcfff69f3e668d09e21c0c85a7087a01621f43a787344afcf31d05644b9374b2ee4719b2ede0019d88083104f7a8122409c1ea961a9c5016262fd |
C:\Users\Admin\AppData\Local\Temp\MSIAAF0.tmp
| MD5 | b724950669ff45ab1d06969390d30ef3 |
| SHA1 | 17e04af8ca9733805482465d3974622dd537ec7b |
| SHA256 | 2a0a8446a3d8270545aaae21901f21008b8059fc8e1e4c160d16d5b68b2c2aa9 |
| SHA512 | ff10d9f58215d50e5cace4578e040c64b078027f58872b574587f0a4089d95188700e1ad6f6729288404fcaf408c5daf7ccb83db117ca5451118c11943b6367d |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1296\dialog
| MD5 | d1880a8297f8f1ff8cb4ee2dc1058a17 |
| SHA1 | 9fedea64be231c77c8c10b0bc6e4224632fd8dc3 |
| SHA256 | 893454cc12eb3b298cf50e5915f890c86a314fce41ca3062c524ebb83349161f |
| SHA512 | cb1f50427d04628f102eafc239ada43d72bc7371cbf86d4311f4a47e9223b511a375c92b22748d54a88586b4f0436cb328c992f424c6873c9a1a5b88fdfad699 |
C:\Users\Admin\AppData\Local\Temp\shiBA95.tmp
| MD5 | b40e4304f279119d9345be970babce41 |
| SHA1 | f76f5b30e7c333efcba1d4e19215ef1fd21d6943 |
| SHA256 | 06285446d57089fe85b3b6127bbc92508773af458ad5cf20abf4570d41c0fee7 |
| SHA512 | ad7e6b30b3ba32d641737f499874f23ccda7c4539def0465d1723d579c79c5e3e981df8526d31f2eb79dc0fe572eb4b71a780eb63df11170d4b6a0786f588299 |
\??\Volume{626b4c0b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d1581c13-56d6-4821-810e-8312a84efa43}_OnDiskSnapshotProp
| MD5 | b3c53d96a56e5e6b15306f8c10ea060f |
| SHA1 | 72bbac3c3e9f3dc63f6bc45cda150c495a424972 |
| SHA256 | 375b87589ab703fbaae0d90acaf81f967228f29ae9a6e2e9a95b9e13640981ff |
| SHA512 | 2b11b1e53fe839a47009e2ee98a475da6a9df1014b1871e1a073bd6456f81c8944c8b2c5371e999042dec38c0e44e82eb70f8a8a98fb813fe0e8908aee137393 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 9570f8965d59eadb5a03d8a9dabbf5f9 |
| SHA1 | 56f4358d0fbfdf27f63e9c7cbcc1df6606f05d0e |
| SHA256 | 28d6cf49a307b27d91dbd5ac7a0d213db945ba33e0d950f30d25434b1d9a0929 |
| SHA512 | 6685ce0b88e3b40476650ac3c36ddef55e4873f25e597fedcad077748f520f4d742fe20a00ec029e831d3e973c21e41ee66635fd216d085e401426c1299cd84a |
C:\Users\Admin\AppData\Local\Temp\shiD939.tmp
| MD5 | fdce43712079c189e993ff27df2911bc |
| SHA1 | 6f0465aeedb699de995e1c3b25f8f902bc05545f |
| SHA256 | 47267b3ddec6deeb0b018afbde2b99d17350329a52f0ae49f66b5edc5fcc4366 |
| SHA512 | c09215b7d0f567ed20e08c8b16a6738f07c7631e25f4bcf68f4d072016f509378eb1e9b4d519afa1e19c0aa11d104051d8c47732e39bc48d78be8f5d5696fc71 |
C:\Windows\Installer\MSIDE52.tmp
| MD5 | 985678fab5e6d4f2845e7d1a59967714 |
| SHA1 | 8cff8754cfddc39188eca5efe3d3dbd5621fed68 |
| SHA256 | 9fd93e954c5933b0dd6721bcf4142376c9bbcb5c8bf597f53b1580951f5b3f3d |
| SHA512 | cf4ab89884554d067eedb845aaedb8876caf88263f6201eed4abe5c58586e513f9cd64e48c675f4fdefffdf8f7fa3a04d72fc80d55da4398bf36be64195824a4 |
C:\Windows\Installer\MSIDE92.tmp
| MD5 | 867b627b008d149f15e8df90d2648d41 |
| SHA1 | 543fc2763f98378c5777f0dc1f11f54ee3a71733 |
| SHA256 | 51d309734f25d009714a0e4d428ffee3f42bfaa3eaf21da68369405f3a0a8233 |
| SHA512 | 9c3beb4c8c5319f1f584c49fa66b1ee704b6ecb56184af0024a4e363979466c2933a99fa0662532b0ac8ca22536b1717de8214cd828094bbc38f9d8bb3d2da44 |
C:\Users\Admin\AppData\Local\Temp\5.0\simple.cer
| MD5 | 4ca7890d020b12b0d4817602f1a12ab8 |
| SHA1 | 383cd7e8a57189826cc4143ca5c127514876ff93 |
| SHA256 | 5722ff5c6b0889ad9680fc3a5eaeff6c87ea7fb45c5ebbba43eb798efccd7b10 |
| SHA512 | 680f43ed02c502abf00905e7bd2f1806971637f760237be03dd128b61f046f14a6005c0a88cb6835d17794a6a534072ad87c06ebc9599d63ad4797845a28d1a4 |
C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe
| MD5 | 7bc26a63eb2dd8906a2df5c85741dc38 |
| SHA1 | 6466d6ec5b570110e9453efd4575b19f12281f7f |
| SHA256 | 72454a3bac6db506fbf3136f12379611c9f0d649c1903b533bc09c8f2c606e2b |
| SHA512 | e2dcd69e46bf4f182a6abc20724f45c4d0bd0acf9e86bafc653011c8ee7e660b4d939980771cb1c050b560807970507b3396e045333edf7360cbefb90971e939 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Checkm8.info Software\Checkm8.info Software.lnk
| MD5 | 9bcfde64992f3061f49b4c864de06b2f |
| SHA1 | cc1ee84210a1ad717332da86c78247a860c7c378 |
| SHA256 | 7b83ab10c60c9851d2daa69ad30887f31ef2204aea9df07040adee63eae09e55 |
| SHA512 | 48e73d9adde0d7bbda5b7d521ceb77af51bdcb94e2a334914cf40f9dd9e82297d1b788c919202f3dc22ab8070fdb7ed5427cd541a3498c112e4ac64b60ee5e14 |
C:\Users\Public\Desktop\Checkm8.info Software.lnk
| MD5 | 51a8878c1a12e7d626d1c9dd06de44c8 |
| SHA1 | 6a2b69a067f305375176dac59f7fdb1c5e91a350 |
| SHA256 | 25f8c8ee46856bc64e72587574b3079ebfccb3e7360442e05f7ca60dbbb51cb5 |
| SHA512 | a1bc9d081ba1e089f6ff5da4158ecc74089b5cd0f030858d791c2c6a09606e54d97923f8276a9ed20b363ca39d4b9496bf23bec4a355bda09194915b3c940e55 |
C:\Config.Msi\e57d65c.rbs
| MD5 | 5616c9d3f1098e33c6ee7fe74c3d783a |
| SHA1 | 7914469d839bbe4fb86572ccebefc52b22a92838 |
| SHA256 | 9bf0419aa5fd9b4062a5062b75c47330ebadd3b0fbb40324472c8405988aee45 |
| SHA512 | 8362d6308e569783a59b1c9d6adca3625a8dfdb89d4ca97be7709184c3e96a0672bdda4327cc043a1362d71766d4670427afe1609bcfc65d4cd3a957c765d328 |
C:\Users\Admin\AppData\Local\Temp\83254659-1a8f-41e5-9077-333f33c0e706\AgileDotNetRT64.dll
| MD5 | 5c1f504b4d399e02f48c20dda0419727 |
| SHA1 | a04fcddaf95121d21c3e85959faaad2165941398 |
| SHA256 | a4c4df55fa2e4d9ec9e1da89581801d492dab1dcc260bf579e411dff1083edd3 |
| SHA512 | 0d95f9021a221b9914d1836aaff54e6dbae1a8d4940b07985a19135ce5960484c7758a1243ef6a5f38a74d8fcd5f23f09b79f239576bbde6cb4c0b480a916a4e |
C:\Users\Admin\AppData\Local\Temp\{db1f14fd-63bf-8a46-8f3c-d6c8b23720e4}\usbaaplrc.dll
| MD5 | 1428a8b3dbf4f73b257c4a461df9b996 |
| SHA1 | 0fe85ab508bd44dfb2fa9830f98de4714dfce4fa |
| SHA256 | 5ed0d8f2066dd19d5aec42c5498fdd1db9cefab4d024a1015c707dfd0cfd5b20 |
| SHA512 | 916a61feb9a36872a7c1adece8933599e55b46f7d113966ec4ad2af0e2568f1a339629ec48eca10bd1e071c88171fe88292dab27ce509ceea42afbd049599cc7 |
C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E5.tmp
| MD5 | 2da3a91b71919d035d8fd17b6b90bbc2 |
| SHA1 | c2c6a29f3abc80fd992777a92df30699124d37c5 |
| SHA256 | edea577e694efceec5b26d745fff8125e9fc8a78cacd7365e77ef35031ebc49b |
| SHA512 | 71b98c884c338902110c83f6c858b906bd8d63e09e5f92d3e019f586d82961fdc71a459e6456a3e9a56b9b109838b4556aee91e0befb68c2ae505c93a41fe56b |
C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44D4.tmp
| MD5 | 26eee7af8aa1ef8c1bd7c9327c602844 |
| SHA1 | 990a56215aac7000eac9371f489a0fc57d560078 |
| SHA256 | 946b0a8150213d6a4dd3aef6248ebb923f8167c84c7ff1b10137e5030ec8bf30 |
| SHA512 | 1cce53edb09f449720005ee9ca013fabb0be498991adf38ce738330a02b336790cb835e235e097c57a7cf983b4bf18664bc113b074cd94f9118901565d83e24d |
C:\Windows\System32\DriverStore\Temp\{46a53143-f453-834b-858b-095b1805987c}\SET44E6.tmp
| MD5 | f957092c63cd71d85903ca0d8370f473 |
| SHA1 | 9d76d3df84ca8b3b384577cb87b7aba0ee33f08d |
| SHA256 | 4dec2fc20329f248135da24cb6694fd972dcce8b1bbea8d872fde41939e96aaf |
| SHA512 | a43ca7f24281f67c63c54037fa9c02220cd0fa34a10b1658bae7e544236b939f26a1972513f392a5555dd97077bba91bbe920d41b19737f9960ef427599622bc |