Malware Analysis Report

2025-08-10 21:13

Sample ID 221011-c6g14sbdb9
Target 81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006
SHA256 81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006
Tags
darkcomet installs persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006

Threat Level: Known bad

The file 81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006 was found to be: Known bad.

Malicious Activity Summary

darkcomet installs persistence rat trojan upx

Darkcomet

UPX packed file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-11 02:41

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-11 02:41

Reported

2022-10-11 03:52

Platform

win10v2004-20220812-en

Max time kernel

154s

Max time network

181s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe

"C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 392 -ip 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 476

Network

Country Destination Domain Proto
US 209.197.3.8:80 N/A tcp
IE 13.69.239.72:443 N/A tcp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-11 02:41

Reported

2022-10-11 03:51

Platform

win7-20220812-en

Max time kernel

151s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe"

Signatures

Darkcomet

trojan rat darkcomet

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox udate.exe = "C:\\Users\\Admin\\AppData\\Roaming\\temp\\firefox udate.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
PID 1884 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
PID 1884 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
PID 1884 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
PID 1884 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
PID 1884 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
PID 1884 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
PID 1884 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe
PID 1076 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1720 wrote to memory of 340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1720 wrote to memory of 340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1720 wrote to memory of 340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1076 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe
PID 1076 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe
PID 1076 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe
PID 1076 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe
PID 908 wrote to memory of 612 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe
PID 908 wrote to memory of 612 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe
PID 908 wrote to memory of 612 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe
PID 908 wrote to memory of 612 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe
PID 908 wrote to memory of 612 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe
PID 908 wrote to memory of 612 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe
PID 908 wrote to memory of 612 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe
PID 908 wrote to memory of 612 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe
PID 908 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe

"C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe"

C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe

"C:\Users\Admin\AppData\Local\Temp\81d45690bdbea2b6c2b35878903e6ceaed8bf002a157c27d7b647c18a9e5d006.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DULJA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "firefox udate.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe" /f

C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe

"C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe"

C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe

"C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\system32\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 shine.redirectme.net udp
US 204.95.99.109:1604 shine.redirectme.net tcp
US 204.95.99.109:1604 shine.redirectme.net tcp
US 204.95.99.109:1604 shine.redirectme.net tcp

Files

memory/1884-56-0x0000000002950000-0x0000000002A07000-memory.dmp

memory/1076-60-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1076-61-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1076-63-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1076-64-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1076-65-0x00000000004085D0-mapping.dmp

memory/1076-67-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1076-68-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1076-71-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1076-72-0x0000000076321000-0x0000000076323000-memory.dmp

memory/1720-73-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DULJA.bat

MD5 b03159f96ccac2ce831bdb56b8d4fa0f
SHA1 575391e3af00ffe0b31e5fafadb8b0d87609c94a
SHA256 c94041f2bd22f248f9bd175a089d9d8461af32add1fff5b8ce00816cce520d3c
SHA512 889199d3e641bfcc15b2be03781196736538e7407e03eaeba0393226efea09983be622858c8bbc6f17997358aa42cd71bb81c3b82387164a78205a553a899be4

memory/340-75-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\temp\firefox udate.exe

MD5 181e2f86c874a3edcd82334b239dfc3d
SHA1 b40d7334ff53659877bcebc164b56a2e93e5e1e8
SHA256 abad3a9b5c922eb738ba46c9f8fcb33a6b27aa85aac22fa7477cc589f0342d53
SHA512 c2124baf957a55807c9bc248ea5cef7e5bbe17468e3d08a8f69e7275451811b5b54fe32f56bcb560b6fbfdaed3657666773a409897d992ffefbab35ebc72cdbd

\Users\Admin\AppData\Roaming\temp\firefox udate.exe

MD5 181e2f86c874a3edcd82334b239dfc3d
SHA1 b40d7334ff53659877bcebc164b56a2e93e5e1e8
SHA256 abad3a9b5c922eb738ba46c9f8fcb33a6b27aa85aac22fa7477cc589f0342d53
SHA512 c2124baf957a55807c9bc248ea5cef7e5bbe17468e3d08a8f69e7275451811b5b54fe32f56bcb560b6fbfdaed3657666773a409897d992ffefbab35ebc72cdbd

memory/908-81-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe

MD5 181e2f86c874a3edcd82334b239dfc3d
SHA1 b40d7334ff53659877bcebc164b56a2e93e5e1e8
SHA256 abad3a9b5c922eb738ba46c9f8fcb33a6b27aa85aac22fa7477cc589f0342d53
SHA512 c2124baf957a55807c9bc248ea5cef7e5bbe17468e3d08a8f69e7275451811b5b54fe32f56bcb560b6fbfdaed3657666773a409897d992ffefbab35ebc72cdbd

\Users\Admin\AppData\Roaming\temp\firefox udate.exe

MD5 181e2f86c874a3edcd82334b239dfc3d
SHA1 b40d7334ff53659877bcebc164b56a2e93e5e1e8
SHA256 abad3a9b5c922eb738ba46c9f8fcb33a6b27aa85aac22fa7477cc589f0342d53
SHA512 c2124baf957a55807c9bc248ea5cef7e5bbe17468e3d08a8f69e7275451811b5b54fe32f56bcb560b6fbfdaed3657666773a409897d992ffefbab35ebc72cdbd

\Users\Admin\AppData\Roaming\temp\firefox udate.exe

MD5 181e2f86c874a3edcd82334b239dfc3d
SHA1 b40d7334ff53659877bcebc164b56a2e93e5e1e8
SHA256 abad3a9b5c922eb738ba46c9f8fcb33a6b27aa85aac22fa7477cc589f0342d53
SHA512 c2124baf957a55807c9bc248ea5cef7e5bbe17468e3d08a8f69e7275451811b5b54fe32f56bcb560b6fbfdaed3657666773a409897d992ffefbab35ebc72cdbd

\Users\Admin\AppData\Roaming\temp\firefox udate.exe

MD5 181e2f86c874a3edcd82334b239dfc3d
SHA1 b40d7334ff53659877bcebc164b56a2e93e5e1e8
SHA256 abad3a9b5c922eb738ba46c9f8fcb33a6b27aa85aac22fa7477cc589f0342d53
SHA512 c2124baf957a55807c9bc248ea5cef7e5bbe17468e3d08a8f69e7275451811b5b54fe32f56bcb560b6fbfdaed3657666773a409897d992ffefbab35ebc72cdbd

C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe

MD5 181e2f86c874a3edcd82334b239dfc3d
SHA1 b40d7334ff53659877bcebc164b56a2e93e5e1e8
SHA256 abad3a9b5c922eb738ba46c9f8fcb33a6b27aa85aac22fa7477cc589f0342d53
SHA512 c2124baf957a55807c9bc248ea5cef7e5bbe17468e3d08a8f69e7275451811b5b54fe32f56bcb560b6fbfdaed3657666773a409897d992ffefbab35ebc72cdbd

memory/908-86-0x00000000026F0000-0x00000000027A7000-memory.dmp

memory/612-95-0x00000000004085D0-mapping.dmp

C:\Users\Admin\AppData\Roaming\temp\firefox udate.exe

MD5 181e2f86c874a3edcd82334b239dfc3d
SHA1 b40d7334ff53659877bcebc164b56a2e93e5e1e8
SHA256 abad3a9b5c922eb738ba46c9f8fcb33a6b27aa85aac22fa7477cc589f0342d53
SHA512 c2124baf957a55807c9bc248ea5cef7e5bbe17468e3d08a8f69e7275451811b5b54fe32f56bcb560b6fbfdaed3657666773a409897d992ffefbab35ebc72cdbd

memory/1072-102-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1072-103-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1072-105-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1072-107-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1072-109-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/612-112-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1072-113-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1072-111-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1072-115-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1072-117-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1072-118-0x0000000000490888-mapping.dmp

memory/1072-119-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1076-120-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1072-122-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1072-124-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/612-125-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1072-126-0x0000000000400000-0x00000000004B5000-memory.dmp