Malware Analysis Report

2024-11-30 11:22

Sample ID 231106-yka7bsea21
Target Emotet_1.zip
SHA256 ea94c5aef721f20aa4dc76d932f4b78780989ba636914e7aed9aa0d60a5ff080
Tags
darkgate civilian1337 discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea94c5aef721f20aa4dc76d932f4b78780989ba636914e7aed9aa0d60a5ff080

Threat Level: Known bad

The file Emotet_1.zip was found to be: Known bad.

Malicious Activity Summary

darkgate civilian1337 discovery stealer

DarkGate

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Loads dropped DLL

Drops startup file

Executes dropped EXE

Modifies file permissions

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Runs ping.exe

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-06 19:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-06 19:50

Reported

2023-11-06 19:53

Platform

win10-20231023-en

Max time kernel

147s

Max time network

151s

Command Line

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

Signatures

DarkGate

stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1668 created 4940 N/A \??\c:\tmpa\Autoit3.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1668 created 4260 N/A \??\c:\tmpa\Autoit3.exe C:\Windows\System32\Conhost.exe
PID 1668 created 2836 N/A \??\c:\tmpa\Autoit3.exe c:\windows\system32\svchost.exe
PID 1668 created 2824 N/A \??\c:\tmpa\Autoit3.exe c:\windows\system32\sihost.exe
PID 1668 created 2836 N/A \??\c:\tmpa\Autoit3.exe c:\windows\system32\svchost.exe
PID 4524 created 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\OpenWith.exe
PID 4524 created 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\OpenWith.exe
PID 4524 created 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\InstallAgent.exe
PID 4524 created 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
PID 4524 created 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 4524 created 356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\ApplicationFrameHost.exe
PID 4524 created 2836 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\svchost.exe
PID 4524 created 2836 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\svchost.exe
PID 4524 created 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\OpenWith.exe
PID 4524 created 2824 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\sihost.exe
PID 4524 created 2836 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\svchost.exe
PID 4524 created 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\OpenWith.exe
PID 4524 created 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
PID 4524 created 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\RuntimeBroker.exe
PID 4524 created 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
PID 4524 created 356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\ApplicationFrameHost.exe
PID 4524 created 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
PID 4524 created 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\RuntimeBroker.exe
PID 4524 created 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\OpenWith.exe
PID 4524 created 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
PID 4524 created 2836 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\svchost.exe
PID 4524 created 2824 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\sihost.exe
PID 4524 created 2824 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\sihost.exe
PID 4524 created 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
PID 4524 created 2824 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\sihost.exe
PID 4524 created 2824 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\sihost.exe
PID 4524 created 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\RuntimeBroker.exe
PID 4524 created 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 4524 created 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\OpenWith.exe
PID 4524 created 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\OpenWith.exe
PID 4524 created 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
PID 4524 created 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 4524 created 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
PID 4524 created 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\OpenWith.exe
PID 4524 created 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 4524 created 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\OpenWith.exe
PID 4524 created 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\InstallAgent.exe
PID 4524 created 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
PID 4524 created 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\InstallAgent.exe
PID 4524 created 2900 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\taskhostw.exe
PID 4524 created 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
PID 4524 created 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 4524 created 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\OpenWith.exe
PID 4524 created 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
PID 4524 created 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\InstallAgent.exe
PID 4524 created 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\OpenWith.exe
PID 4524 created 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\InstallAgent.exe
PID 4524 created 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
PID 4524 created 356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\ApplicationFrameHost.exe
PID 4524 created 2824 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\sihost.exe
PID 4524 created 2824 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\sihost.exe
PID 4524 created 2836 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\svchost.exe
PID 4524 created 784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\InstallAgent.exe
PID 4524 created 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
PID 4524 created 4520 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4524 created 2836 N/A C:\Windows\SysWOW64\cmd.exe c:\windows\system32\svchost.exe
PID 4524 created 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\DllHost.exe
PID 4524 created 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
PID 4524 created 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cadhbef.lnk C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1668 set thread context of 4524 N/A \??\c:\tmpa\Autoit3.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e585a60.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5C25.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\MSI722F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585a60.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{2B99EF3E-10B9-44A2-AA7C-FA01E82FF4F3} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI720F.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc C:\Windows\system32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpa\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpa\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings \??\c:\tmpa\Autoit3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5040 wrote to memory of 4068 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 5040 wrote to memory of 4068 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 5040 wrote to memory of 3884 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5040 wrote to memory of 3884 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5040 wrote to memory of 3884 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3884 wrote to memory of 4332 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 3884 wrote to memory of 4332 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 3884 wrote to memory of 4332 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 3884 wrote to memory of 4340 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 3884 wrote to memory of 4340 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 3884 wrote to memory of 4340 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 3884 wrote to memory of 2912 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe
PID 3884 wrote to memory of 2912 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe
PID 3884 wrote to memory of 2912 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe
PID 2912 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 2912 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 2912 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 3884 wrote to memory of 2756 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 3884 wrote to memory of 2756 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 3884 wrote to memory of 2756 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1668 wrote to memory of 4940 N/A \??\c:\tmpa\Autoit3.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 4940 N/A \??\c:\tmpa\Autoit3.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 4940 N/A \??\c:\tmpa\Autoit3.exe \??\c:\windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 652 N/A \??\c:\windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\PING.EXE
PID 4940 wrote to memory of 652 N/A \??\c:\windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\PING.EXE
PID 4940 wrote to memory of 652 N/A \??\c:\windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\PING.EXE
PID 1668 wrote to memory of 4524 N/A \??\c:\tmpa\Autoit3.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 4524 N/A \??\c:\tmpa\Autoit3.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 4524 N/A \??\c:\tmpa\Autoit3.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 4524 N/A \??\c:\tmpa\Autoit3.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 4524 N/A \??\c:\tmpa\Autoit3.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 3064 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 5088 wrote to memory of 3064 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3064 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3064 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3064 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3064 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3064 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3064 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3064 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3064 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3064 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3064 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3064 wrote to memory of 4520 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 4320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 4320 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4520 wrote to memory of 5020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Windows\System32\InstallAgent.exe

C:\Windows\System32\InstallAgent.exe -Embedding

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe

"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi

c:\windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

c:\windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 35F5E96030EE9C40D1B16D63A2E34561

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\." /SETINTEGRITYLEVEL (CI)(OI)LOW

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

\??\c:\windows\SysWOW64\cmd.exe

"c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpa\* & rmdir /s /q c:\tmpa\ exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

\??\c:\windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

cmd /c ping 127.0.0.1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\data.bin"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\data.bin

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.0.1788951793\1397472502" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6f4e77c-70f5-4e9e-a04f-13380af675ce} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 1780 18eb40d6e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.1.91239398\80626073" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21797 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a43529f0-048b-4b5b-806f-62f1bd270e61} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 2156 18eb3ffce58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.2.958765279\392146621" -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3060 -prefsLen 21900 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85e7bf54-b168-4c9d-94aa-caeefdf19e69} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 3080 18eb7ee1e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.3.2120229620\1516054870" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3460 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {683c01cc-debe-4100-8871-ab7b426f4a8d} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 3500 18ea9065b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.4.1897925715\1990247681" -childID 3 -isForBrowser -prefsHandle 4788 -prefMapHandle 4804 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {577aea82-03c6-4018-90d8-bac16837defe} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 4764 18eba687358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.6.948677586\916890056" -childID 5 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9383b0c0-eb9a-46fb-b864-c71321b5261f} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 5148 18ebb10fe58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.5.1041537351\555661060" -childID 4 -isForBrowser -prefsHandle 4956 -prefMapHandle 4960 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e3daa12-e10f-481c-b490-b460c2fbb0b4} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 4948 18ebb10f558 tab

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\data.bin

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 44.235.236.240:443 shavar.prod.mozaws.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.65.55:443 push.services.mozilla.com tcp
US 8.8.8.8:53 240.236.235.44.in-addr.arpa udp
N/A 127.0.0.1:50008 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
N/A 127.0.0.1:50014 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:2351 tcp
NL 185.130.227.202:8080 tcp

Files

\Windows\Installer\MSI5C25.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Windows\Installer\MSI5C25.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\msiwrapper.ini

MD5 b101cdc25f827394a2af871c6bb0f70f
SHA1 3af1b6332be1adfe60c3e1cda9dd2470f6e0ac33
SHA256 d57bf057ce24d5a4bc4d29530cf58fc77e4cfa0238c9e91a6969898f8184b2d5
SHA512 d5fcf0b73d09341ccd27f5f6daac20578d530db5901f2f9158827e23381ddb26b92c81d3267d4830c7428ffb9778d5cac5ac7dd84a8b0bdcda5021c1f88b9b74

C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files.cab

MD5 3a4de3260c72e38f814cc2a7b2d42df7
SHA1 19458fb6838dd9d8be113b0b9983c7d77c12eb25
SHA256 411776c8e92afa462d734d14b7c569341442e5d7726009e80eaa497b5e09deb7
SHA512 3493664ecdb50d0c0d4f2646aabdd24a20fb435f4799af96f95f625aa983842c1baf7977956964d77d5b344c9e2551d60f007230838bc7a82bc40a2c9714cc0e

C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\msiwrapper.ini

MD5 b101cdc25f827394a2af871c6bb0f70f
SHA1 3af1b6332be1adfe60c3e1cda9dd2470f6e0ac33
SHA256 d57bf057ce24d5a4bc4d29530cf58fc77e4cfa0238c9e91a6969898f8184b2d5
SHA512 d5fcf0b73d09341ccd27f5f6daac20578d530db5901f2f9158827e23381ddb26b92c81d3267d4830c7428ffb9778d5cac5ac7dd84a8b0bdcda5021c1f88b9b74

C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\dbgeng.dll

MD5 a1defa998f5984c7819cffd68664e00a
SHA1 9b0b17a2d660a2a51c8188186f394f8fe1650552
SHA256 abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f
SHA512 792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\dbgeng.dll

MD5 a1defa998f5984c7819cffd68664e00a
SHA1 9b0b17a2d660a2a51c8188186f394f8fe1650552
SHA256 abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f
SHA512 792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\data.bin

MD5 8b305b67e45165844d2f8547a085d782
SHA1 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722
SHA256 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b
SHA512 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

memory/2912-112-0x0000000005440000-0x0000000005540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\data2.bin

MD5 7673659bf664bd45a6f3c38b7d1c25d3
SHA1 a9b40ab4590b77887417ec33ecd061c98490176a
SHA256 41339e85c54f960b04039fd47df735c5ce78d99ede511364c8c8c2ad81f38c7d
SHA512 14ca50e20b3830765e8f116fc48ea49faabf3e7ede9f8768d5d0e70803d466ef506fe953f53057eb7e2f78009029d87b780c78127e1026b161bb095bf8c4ab24

C:\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2912-117-0x0000000000400000-0x000000000048D000-memory.dmp

\??\c:\tmpa\script.au3

MD5 e6c14274f52c3de09b65c182807d6fe9
SHA1 5bd19f63092e62a0071af3bf031bea6fc8071cc8
SHA256 5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9
SHA512 7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e
