Malware Analysis Report

2024-10-10 13:08

Sample ID 240617-lcgypavard
Target Modifier.exe
SHA256 f62c275d44091d35cd9e2a8619ebbfb49961acd5204fa5fa5e8383d9e9d8de36
Tags dcrat infostealer persistence rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

f62c275d44091d35cd9e2a8619ebbfb49961acd5204fa5fa5e8383d9e9d8de36

Threat Level: Known bad

The file Modifier.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat

Process spawned unexpected child process

DcRat

Modifies WinLogon for persistence

DCRat payload

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Checks processor information in registry

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 09:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 09:23

Reported

2024-06-17 09:29

Platform

win10v2004-20240226-en

Max time kernel

218s

Max time network

236s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Modifier.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\reactorsvschost.scr N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Componentwininto\portdll.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\firefox.exe C:\Componentwininto\portdll.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\firefox.exe C:\Componentwininto\portdll.exe N/A
File created C:\Program Files (x86)\Internet Explorer\de-DE\StartMenuExperienceHost.exe C:\Componentwininto\portdll.exe N/A
File created C:\Program Files (x86)\Internet Explorer\de-DE\55b276f4edf653 C:\Componentwininto\portdll.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\61a52ddc9dd915 C:\Componentwininto\portdll.exe N/A
File created C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\0fc223bdacedc3 C:\Componentwininto\portdll.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe C:\Componentwininto\portdll.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\9e8d7a4ca61bd9 C:\Componentwininto\portdll.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\msedge.exe C:\Componentwininto\portdll.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\GameBarPresenceWriter\0fc223bdacedc3 C:\Componentwininto\portdll.exe N/A
File created C:\Windows\ja-JP\firefox.exe C:\Componentwininto\portdll.exe N/A
File created C:\Windows\ja-JP\0fc223bdacedc3 C:\Componentwininto\portdll.exe N/A
File created C:\Windows\GameBarPresenceWriter\firefox.exe C:\Componentwininto\portdll.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\Downloads\reactorsvschost.scr N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\reactorsvschost.scr:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Componentwininto\portdll.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 4304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 3120 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 1880 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4304 wrote to memory of 4316 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Modifier.exe

"C:\Users\Admin\AppData\Local\Temp\Modifier.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.0.1614109535\2121935669" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fab37487-b0b8-4f09-b304-423b5c790184} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 1980 2a0e61d5158 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.1.432515589\1804718382" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdf5ef71-232f-466a-ac90-69b2a0d44651} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 2380 2a0e5b33858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.2.1744439834\891071075" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07377ffb-e673-4a8f-aa68-96bc7b123021} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 2984 2a0ea0bb058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.3.1215706712\1577709086" -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1445a7aa-95df-4074-a27b-4961b7d2da48} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 3620 2a0d2570158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.4.714442798\2018080043" -childID 3 -isForBrowser -prefsHandle 4336 -prefMapHandle 4332 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a8c0e12-e762-4250-b158-9d07258f6e00} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 2800 2a0ebdc0158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.5.1371249268\1375558289" -childID 4 -isForBrowser -prefsHandle 4804 -prefMapHandle 4652 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2aff81c-5c56-430b-8936-3cd44f43238c} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 4792 2a0d252d558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.6.1312319711\492821188" -childID 5 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ca99dd8-ad51-4576-846f-560d22bf5d47} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 5212 2a0ea346e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4304.7.1275210420\587574795" -childID 6 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5c5e6ac-2f9d-443e-aa96-67acd41a88cd} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" 5400 2a0ecad7958 tab

C:\Users\Admin\Downloads\reactorsvschost.scr

"C:\Users\Admin\Downloads\reactorsvschost.scr" /S

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Componentwininto\nK5ZF7jSeUHtsQHqCmNmgBBJa6muo.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Componentwininto\E4gQqg8h.bat" "

C:\Componentwininto\portdll.exe

"C:\Componentwininto\portdll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\firefox.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\firefox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\firefox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\firefox.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\firefox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\firefox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\odt\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\firefox.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Windows\ja-JP\firefox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\firefox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Templates\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\PackageManifests\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\PackageManifests\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\firefox.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\Default User\firefox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\firefox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Public\Downloads\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe

"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "portdll" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "portdllp" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "firefox" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "firefoxf" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "StartMenuExperienceHost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "StartMenuExperienceHostS" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "firefox" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "firefoxf" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "cmd" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "cmdc" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "RuntimeBroker" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "RuntimeBrokerR" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dllhost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dllhostd" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "StartMenuExperienceHost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "StartMenuExperienceHostS" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "explorer" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "explorere" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "sihost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "sihosts" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "firefox" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "firefoxf" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "sysmon" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "sysmons" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "msedge" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "msedgem" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "firefox" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "firefoxf" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "conhost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "conhostc" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "msedge" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "msedgem" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "msedge" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "msedgem" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "RuntimeBroker" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "RuntimeBrokerR" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat" "

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country  Destination           Domain                                                        Proto
US       8.8.8.8:53            0.159.190.20.in-addr.arpa                                     udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa                                   udp
US       8.8.8.8:53            83.210.23.2.in-addr.arpa                                      udp
US       8.8.8.8:53            58.55.71.13.in-addr.arpa                                      udp
GB       96.16.110.114:80                                                                    tcp
US       8.8.8.8:53            241.150.49.20.in-addr.arpa                                    udp
US       13.107.253.64:443                                                                   tcp
US       8.8.8.8:53            157.123.68.40.in-addr.arpa                                    udp
US       8.8.8.8:53            198.187.3.20.in-addr.arpa                                     udp
US       8.8.8.8:53            76.234.34.23.in-addr.arpa                                     udp
US       8.8.8.8:53            35.15.31.184.in-addr.arpa                                     udp
US       8.8.8.8:53            172.214.232.199.in-addr.arpa                                  udp
US       8.8.8.8:53            21.236.111.52.in-addr.arpa                                    udp
N/A      127.0.0.1:49861                                                                     tcp
US       8.8.8.8:53            contile.services.mozilla.com                                  udp
US       8.8.8.8:53            content-signature-2.cdn.mozilla.net                           udp
US       8.8.8.8:53            shavar.services.mozilla.com                                   udp
US       8.8.8.8:53            push.services.mozilla.com                                     udp
US       8.8.8.8:53            firefox.settings.services.mozilla.com                         udp
US       34.117.188.166:443    contile.services.mozilla.com                                  tcp
US       34.160.144.191:443    content-signature-2.cdn.mozilla.net                           tcp
US       8.8.8.8:53            contile.services.mozilla.com                                  udp
US       52.33.96.36:443       shavar.services.mozilla.com                                   tcp
US       34.149.100.209:443    firefox.settings.services.mozilla.com                         tcp
US       8.8.8.8:53            prod.content-signature-chains.prod.webservices.mozgcp.net     udp
US       8.8.8.8:53            shavar.prod.mozaws.net                                        udp
US       8.8.8.8:53            prod.content-signature-chains.prod.webservices.mozgcp.net     udp
US       8.8.8.8:53            shavar.prod.mozaws.net                                        udp
US       34.107.243.93:443     push.services.mozilla.com                                     tcp
US       8.8.8.8:53            contile.services.mozilla.com                                  udp
US       8.8.8.8:53            prod.remote-settings.prod.webservices.mozgcp.net              udp
US       8.8.8.8:53            autopush.prod.mozaws.net                                      udp
US       8.8.8.8:53            prod.remote-settings.prod.webservices.mozgcp.net              udp
US       8.8.8.8:53            autopush.prod.mozaws.net                                      udp
US       34.117.188.166:443    contile.services.mozilla.com                                  udp
US       8.8.8.8:53            166.188.117.34.in-addr.arpa                                   udp
US       8.8.8.8:53            36.96.33.52.in-addr.arpa                                      udp
N/A      127.0.0.1:49867                                                                     tcp
US       8.8.8.8:53            a0996725.xsph.ru                                              udp
RU       141.8.192.103:80      a0996725.xsph.ru                                              tcp
RU       141.8.192.103:80      a0996725.xsph.ru                                              tcp
US       8.8.8.8:53            a0996725.xsph.ru                                              udp
US       8.8.8.8:53            a0996725.xsph.ru                                              udp
US       8.8.8.8:53            103.192.8.141.in-addr.arpa                                    udp
US       8.8.8.8:53            93.65.42.20.in-addr.arpa                                      udp
US       8.8.8.8:53            73.242.123.52.in-addr.arpa                                    udp
RU       141.8.192.103:80      a0996725.xsph.ru                                              tcp
RU       141.8.192.103:80      a0996725.xsph.ru                                              tcp
US       8.8.8.8:53            aus5.mozilla.org                                              udp
US       35.244.181.201:443    aus5.mozilla.org                                              tcp
US       8.8.8.8:53            prod.balrog.prod.cloudops.mozgcp.net                          udp
US       8.8.8.8:53            prod.balrog.prod.cloudops.mozgcp.net                          udp
US       34.149.100.209:443    prod.remote-settings.prod.webservices.mozgcp.net              tcp
US       34.160.144.191:443    prod.content-signature-chains.prod.webservices.mozgcp.net     tcp
US       8.8.8.8:53            ciscobinary.openh264.org                                      udp
NL       2.18.121.197:80       ciscobinary.openh264.org                                      tcp
US       8.8.8.8:53            a19.dscg10.akamai.net                                         udp
US       8.8.8.8:53            a19.dscg10.akamai.net                                         udp
US       8.8.8.8:53            201.181.244.35.in-addr.arpa                                   udp
US       8.8.8.8:53            197.121.18.2.in-addr.arpa                                     udp
US       8.8.8.8:53            redirector.gvt1.com                                           udp
DE       142.250.185.206:443   redirector.gvt1.com                                           tcp
US       8.8.8.8:53            redirector.gvt1.com                                           udp
US       8.8.8.8:53            redirector.gvt1.com                                           udp
DE       142.250.185.206:443   redirector.gvt1.com                                           udp
US       8.8.8.8:53            r1---sn-aigl6ney.gvt1.com                                     udp
GB       173.194.183.166:443   r1---sn-aigl6ney.gvt1.com                                     tcp
US       8.8.8.8:53            r1.sn-aigl6ney.gvt1.com                                       udp
US       8.8.8.8:53            r1.sn-aigl6ney.gvt1.com                                       udp
GB       173.194.183.166:443   r1.sn-aigl6ney.gvt1.com                                       udp
US       8.8.8.8:53            206.185.250.142.in-addr.arpa                                  udp
US       8.8.8.8:53            166.183.194.173.in-addr.arpa                                  udp
US       8.8.8.8:53            chromewebstore.googleapis.com                                 udp
US       8.8.8.8:53            chromewebstore.googleapis.com                                 udp
DE       142.250.74.202:443    chromewebstore.googleapis.com                                 tcp
US       8.8.8.8:53            202.74.250.142.in-addr.arpa                                   udp
US       8.8.8.8:53            firefox-settings-attachments.cdn.mozilla.net                  udp
US       34.117.121.53:443     firefox-settings-attachments.cdn.mozilla.net                  tcp
US       34.117.121.53:443     firefox-settings-attachments.cdn.mozilla.net                  tcp
US       34.117.121.53:443     firefox-settings-attachments.cdn.mozilla.net                  tcp
US       34.117.121.53:443     firefox-settings-attachments.cdn.mozilla.net                  tcp
US       34.117.121.53:443     firefox-settings-attachments.cdn.mozilla.net                  tcp
US       34.117.121.53:443     firefox-settings-attachments.cdn.mozilla.net                  tcp
US       8.8.8.8:53            attachments.prod.remote-settings.prod.webservices.mozgcp.net  udp
US       8.8.8.8:53            attachments.prod.remote-settings.prod.webservices.mozgcp.net  udp

Files

memory/4212-0-0x00000000002B0000-0x00000000002D3000-memory.dmp

memory/4212-1-0x00000000002B0000-0x00000000002D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\5f1193c5-e877-4e76-85aa-3704fb1bbce7

MD5 f3116ece21ab7c42eb86558e120599f3
SHA1 f35286bd9d090a6c52172774ef3b54aaf5dc1728
SHA256 c0e7932d0b104d4bd05721e883b4f95105081508330cce4f86f2fe7fc5be44dd
SHA512 d2d52dd2b6f4a49cd765583bb948f3c68e557e4fdab7d630743db33b46b49ddbcd94b02aa557bd1e24e8e76dd30ebfee6bc049383747bf89623fb26c8e14b355

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

MD5 98ab764d019a19df08f081a32d9e8ee5
SHA1 5708d8baaa206acb5cd83ee32cdd720fa885809c
SHA256 6d5eead3888d8b6fa024dc7759630ea2cb7484673cf9919ca89ac2cdbe0eafcb
SHA512 42f617d220bd3991d79672e6b6ea5e42bb29f60925f23d6854ba528e7ec49263b538e6a8448a32abbf44d3a2e50d4ddde76fdd878727e8d57b16a1871792ca85

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\f15565d2-521a-4b39-b4ae-82601473d565

MD5 cb5341db9adb82eb19417f5037e5551f
SHA1 71a8252c08afc43d05f539d5cc9a1b0486f73f44
SHA256 058c28ab957d2b8131cc867ae8438f5f165f4b59a1377a38bc1ecb5426063285
SHA512 e176ea43fdc09a4304f2a04ae96c47bf46cde4bc130eae3b073f4931bd5c2720d4cbf2636900d9542828716c9250d0a1daaa7964511de4d847ee8e50f3612594

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

MD5 99422b4fff4ba9c87c35cd0246431ff2
SHA1 63985dcf6402d02a47ed9c83e91c996a24211e1f
SHA256 6e94aa2bc7ea113f90e5e8ee91a4c2cb227a87c53e0b6158b0f64c9d67fbaf26
SHA512 03158de2e55e35d208982cc4bcd00bbde0d2ca71986540dc6e409bb510f3a5bb9027956d848ca848c09c987f346209bb6d80cd144efc013061aeb8352b9f06cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 89fb414d778d11d3a12991de60301815
SHA1 1d7a63ca92d9ad28930ce2feaac8c71c3f699ef7
SHA256 935ba660008416f0b46a028a709944f11f9c2858243a2f7bc0b57aa1d96314be
SHA512 49f06dc78f2e08621ba4ed19925d8c7ed040502f13edaeedc7df3d675e77417d8b7b3c0b3feaf7f4fcef989091b363f5af1fa9258de57cee5bd904e1d7a31f9b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

MD5 dddc45392ebd49ed39389224f873e5cb
SHA1 ca21554c2e9238902bd657ccb4fc755835f0d214
SHA256 15fae9ced465122eba39d298ade20c9766ae4a463e97b6ca11dfe92c70418d17
SHA512 56765bb98afc58a525279d410050d3fc626ef004d7e6de5bb4eb0822b601e99e5a2d5676388088934157adc6d12ca4aad8939ec210beb2ce97c88ed59d7b5a3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

MD5 a463c268f158fcf9ddab73b7b38f8214
SHA1 d6c06ab6c223f88219bd5861fa884787a947e98c
SHA256 408738c728984ffce72da035066be0b2a617f79c64f86980736685f996cc9560
SHA512 0f3ef5d0365e648c0fa14f620cef3201fe8d92b71548fd1ebdc8740953c0781d5d83bb785bc2962431b224eba336c2bc488d80171abf1d08a5e9f7915c8e7771

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

MD5 fd0fc89aa29d6378a1ff323c52740a1e
SHA1 98c0f11254cf56af6280ed53efdaa0b2d462bb23
SHA256 a837867c350ea20d4bfba3e47f0f4f59d38fde10c80c2fc43c5fad60a8f84678
SHA512 2d14e52129c41d4e2d004a4bb46d0d9be63183394bfc69a7fbf568a039d579b3786c36d11a0cb6b37624738375337528bd256009c85359f5d1cc47f3ac5dd9fc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

MD5 9e9135839afebe5013377d078f6c0d84
SHA1 d50d15b9602f8a25371eebed9779d5fc4de9b90a
SHA256 77b7c55d62152b4c3a1e70213830f4583167db7d4988cd6b38d967bb513cf31d
SHA512 c24783667fe4c2580cbb3940b523b64a287430b5ce545f019ca184107eb1f48c2f3508f7a2f916d573049e154a2be50f749f1f8744eda2c7896d63d29713e4c0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

MD5 8f8c875b2d7195e0202a39bce39e7f8d
SHA1 05b778bd510b85568c063f982e585b7965c87b33
SHA256 adb7f9aba282d556ce98cd4cf5796188de500b2be898681f1d4a260158f2dd0e
SHA512 2ce4d83e052b6ffb34c7e383d2dbc6292eb29497f403518ac2b0bb407897b3101e387fe5f738c46cc386195a846d3e577cc12fc89e5dfae76abd0320a096c5df

C:\Users\Admin\Downloads\reactorsvschost.40FmP8mZ.scr.part

MD5 37538031f35c40c916ba8df9610fc401
SHA1 d24979d41ab6898c5d1a766a266e66ac5059dc8e
SHA256 e7de0a0276caa77b30a2ed2b23659aea9b162f8c3a35e26154a0b977c470aaf9
SHA512 4dbdd17d348a71fa61a99993c9c8dc8fa8f1220f042947c558a240d5b6d63b71c7ac4db7e5aef14f8578ae71f11f1959beb80e820bae0d7fd3641ffa4a6548c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

MD5 fce6fcb3daa9ccd94ca9922e3981efc7
SHA1 542f603c873f0640bef7bc9ce8add183e99d851c
SHA256 8add90d9aa7065079522cedbdad3959d83ba4e3e2db63bb2bb436d127e50940a
SHA512 f012059a7471df565c53d0410a34cf4c390501ecd446313bb8b78a1362e1a2083a53b9ba9afa0fdb6a109e7433a814e8bb90e847fd68907eba02c9687f3483f4

C:\Users\Admin\Downloads\reactorsvschost.scr

MD5 2cf19a7172c5544d5bc225bfd0bde74b
SHA1 dccafba9469e32ddb407b3172079580eada4344e
SHA256 0ca8e42511ef25e1d999c13310b9fa6e5f3c991c31736321a27aba7dd9557fc8
SHA512 57160b44271c2b3280fe456614f156c144ed396bb4ed5e738fa09e0c50412826c89929c1e3d5a6c85fb9cdd734854d15d011d196a3466d633813d151b2e9339c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

MD5 71f7836a74729a66c5c9ed5f8da3a9c0
SHA1 124c3e364829a6c7dcc7850b9375d1d1dc44d9f7
SHA256 05201b2267e9390857b4587d3ed1ce8a5e2edb573ff6342a6c47785d2b3bbfc5
SHA512 d442c5c7b40223d1413b5debf9f569be211a22206657e0cf3c482e841b01050ae197901af8ddad09cbbb1b9fc01cb382c516e81aaf96fd414dd143b2ddd33de6

C:\Componentwininto\nK5ZF7jSeUHtsQHqCmNmgBBJa6muo.vbe

MD5 acd9d8df3cd0c1de1dc877c5147d0442
SHA1 fae97db0064992c8df92da802d2787ce2166c323
SHA256 663c2dd32850522640e1ec3e683cd3ea17fea7a3ea8a6f3ccf88018007234d91
SHA512 2ececbbba4371d57691ddea3ff06852246c3f033d4b273bd3fd3d638d55f6c4454bd4b933bb6ecfdebf50b63705ad7a4673c70c6f66672d349da2e24bee83d5c

C:\Componentwininto\E4gQqg8h.bat

MD5 d10870e64c9b54a51cc81a794913b78c
SHA1 167e51475403b634373d82f8e4e8063b62a1ee4f
SHA256 8b39e6151b04adba2e3b9572365883eb2730866ee19774f736cf7a9b36a58445
SHA512 d80fe54f2ac893dccf4c1e049a207f7e92cfb45f3a0519c89e68dfdc7e754f039ea03dd5061ff550c0d2464959c483601e72c3eb33d2a8a1e147c9fff9216d8b

C:\Componentwininto\portdll.exe

MD5 82664052d6ab25f66adea9a4bbcc0c1c
SHA1 d748a7249b1768beac55a55651441bb8ae866915
SHA256 11230616449a7d7d397f447d891d320f136f59c24282415a462922d4ebf0410a
SHA512 fcc11b8e76e846712e63499fe3f38d439eb0a01bc3ec4312f5a2bcc5d47389c3abaafe62149939890fcb7767da800aaa5018add30185ce8dd9a9d7d55b47b511

memory/5152-192-0x0000000000850000-0x0000000000926000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

MD5 21279adac8d74cffaa581177fe5d56ae
SHA1 b5f8d89d89d54e82ae7dd4c6b53143aeaafaa1d8
SHA256 dd1cae8a96e7f3ac830370d3df7d8ae4f3539f737773a8ee4cac40c039a9c4b2
SHA512 2e6ad657ec9e08dfd8bd86275e87bfff99642fa24250fce89cc11388c6c5082b544c0e00c143aa86b886d34c5b7b182bf6c5ef3b3197a4fcf8cecac19258da00

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263

MD5 ac466eac240970b8f1d36b676ba84394
SHA1 bede39947b2df2689b6eca2235209b2bf0857246
SHA256 4a94296049c1c6336905b502523027c1a7e276ed5c9ae739e4801044d9e13efa
SHA512 81100e47a384c11eaf1238f663f6ffc4261e7fa56396fc6eb51caedfc0b2c87cbdf5e4f9b99ce466537b14457c0b1877899c198c4fc21f7728aebe2c5a39ecde

C:\Recovery\WindowsRE\55b276f4edf653

MD5 435b3cc0ba656fcf6e9de2a0d45310ee
SHA1 584ca64ce92ca968f51e3c64eb340dea0c5c79d8
SHA256 d4189b592cc64633b74e2751d43e40875cbb5fd610364608176bbb35b7e09988
SHA512 1091e4d7aa7c29d1f9bd073fc7f8f1a5196b20288f394bb22e9c2b42a782e6fa9bd0efd6b837c5f9b12f366bfb657e8c20dde214f753db7b1b7f2af20246d7e8

C:\Windows\GameBarPresenceWriter\0fc223bdacedc3

MD5 490e76b62deb920946445afbf8a23e49
SHA1 f79b333a61295564a4c875db5a7226ef2a803a6e
SHA256 09bbd7c48dc051d3dd6f3eaedb7b1b09a605f748ef86406b4adfe383b93a8b5b
SHA512 ad8423f55bb3f48fe8549f40d3c1dc96bbddc23d2ecb4855491c7aa56d434b9bc53b6e4f209065b012d97916307582c1e49abf5f633bc0b239c936f3d0f5ad2c

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\odt\ebf1f9fa8afd6d

MD5 baff153e6695fe53905fd96e9a07ab40
SHA1 3415ba0ee50b374c00c23cf7684540a654735206
SHA256 de4798d1824b93dea5c961c0d5ac237adc402733c01e11098ac44d89f88eca2a
SHA512 b564d8ba07648c477cdd422d48a25b8bb6316cf025326e7c26b95a96d19fd7fe8ea724cf0fd646ba0fc71581a4a93fdb682037baa7a7d49f08f2cf1ddc3a7f8c

C:\Recovery\WindowsRE\5940a34987c991

MD5 ae3aa0e8bfb9aa2bb3c6a258b12780db
SHA1 51eb919048ae7a23f5f51615f8d4d92eb9036614
SHA256 f4d38e0978772aa97d1ce04e381735385578063cc74350abce780dd36b6a4c5b
SHA512 c8f8b072f7be440d2f253bf0ce3971fc80e0547b26b4fd5ff8e27a220833bcf4df3001d896a0c82b9a81d321ccc51daf4cf76d2a8ee598ac4561c6a7c7b3ec41

C:\Program Files (x86)\Internet Explorer\de-DE\55b276f4edf653

MD5 ac658bff7c4cf679c2d71f26b40ffc34
SHA1 a335a1b8489cab1f389dd083a0cae834dbb9ee2d
SHA256 35df1ed05e9a9cb221559192b1913865f69ab4e7bb88a12ec19b5f39f7e61983
SHA512 ade3b373514d4dd455c5f98c03f8b9cac8cb966d13541061b13fb1d5c0eee222b37ae5e63b1fbb92c52583155b052211d2897836ad6dc3f6b8a6ec52dc11c533

C:\odt\7a0fd90576e088

MD5 fa09aad4273c88f6d8e831fc4769037f
SHA1 ada91c5239ea02b49d8298414cde70adff9e5115
SHA256 d6f37046f59e891cf63b400eb511c20fe07076bb0612121d7cd34eb538e4baaa
SHA512 2e0685b14bd5a15c26ce410fbe1c5253873efaa1643c371b4a68f4fb40988a361179ff8b3a043644e17778574294bf64c075fed1b8e40810b7411486eab5e2dd

C:\Windows\ja-JP\0fc223bdacedc3

MD5 71027b4eb7add8097147a56de141de3e
SHA1 294fffd2336e48411f0bfaaf9d0ac8d9503b6390
SHA256 3549ba0b151a4fd6b330df1c024c5684f25b9a9dbc36721e1dfdbea7a59a2eaa
SHA512 da70fb9c13969561e3e2aa9c001b337f734171c2a226364bf989c8e50e4375191a6ae568e4499f6968aa6295d9d54944539867d187b6b6a0f78dd9c001dd4c8d

C:\Program Files\Microsoft Office\PackageManifests\61a52ddc9dd915

MD5 cdd87fb8df1cdebac6b63ced038db727
SHA1 36bac72e9f2d3bc12a817d825ad0fc40a3eca0c8
SHA256 6e4eb0d3c554e4b429134e0432cc4e26dc5443424052d611076dd72cdd62581a
SHA512 fd538da1317606e7d21641dc8fa6e7dc3a375f9833b2a0f8a82a6cd46600fc15a9096702517e042982121b20a43f4a83ebd4844d93d5439a9f491fd06bd083a9

C:\Recovery\WindowsRE\088424020bedd6

MD5 da6e43b3b67b2e962e690a297c67437c
SHA1 37238ef53b641dbf754e6510c500ce0b38d64f76
SHA256 b937e55d04b22e5cb981df1b942af89e1a11479e7d356d572f91d7a785612f48
SHA512 24bce5c64a4105802b7b422f0d232dc66aa2c43661a1936783ab77118f6a6fec14e8b2839f2c369475fd8f0bfd7010189f29402b47b41bfcbf1b51a842d1fb89

C:\Users\Default User\61a52ddc9dd915

MD5 cdc41f87a97a4140d11b8f02ea91b0fd
SHA1 f91b76bc7b17f68258910dbc83635fd250e1ff1e
SHA256 48ff9ce75388f2d8d16e30b46c672fe0343f0eadb8eb10cff4945098c8c7bcbc
SHA512 3c3e08445514d608f8325a51b418681fdc79cd911081fc1f4b427f1db2f60e7695fab131be6d739f0d9ba802c432b2e978746d9f6ed1d572e7e038fd502a91f2

C:\Users\Public\Downloads\61a52ddc9dd915

MD5 6f6a8706ec2bbe89d4d128bd0c7ab337
SHA1 28da25759aaea1a5a6be233c34d582255a5564be
SHA256 bbaa7e8b59efbb3ecf434f9d0c497df916a2cd074ac35f0da3d665db8d3d4a36
SHA512 a0381d2ad1b07adb2933f83af67150d1c76682b0fbe11e16b42262b201313e913b3f88682c635332cbea7889ee7ce5e817b95fb86d7569ee3c0f2da2d6f19833

C:\Users\Default User\0fc223bdacedc3

MD5 79fb58899ae42dddd4552c99d22803d9
SHA1 b4b9436c2e5e404fca0ee7c7c7c2e90ee74d6fb1
SHA256 e7e4fce0f9dddd870683e220440e6a1beed9be22c8f3553d1195db753c6896d4
SHA512 efe901a027a13f394dff5b122c69ded77efcbcc5a5d16bc7a72b4b2c21cf6e2053dee18b610877a19682986743190d7237101bfbd72b8dd2986c63407a0d1b31

C:\Users\All Users\Templates\121e5b5079f7c0

MD5 f869c8e32ced7abfcd59b05b50266b01
SHA1 026443bf962ba26c5a28909849d320fd2358a07b
SHA256 795d800e5796bda55f63efcc5890fd3b9a221115ba688d21c78fea4edaa18300
SHA512 b3435ba2b415df3a7ca7e16f1f483c2a7cff07fbd2c2b670c18b32b4e39791d36b250b94500a939fab133bc77d9c06924e46ad552f8f0370e2dbc72809ebff24

C:\Recovery\WindowsRE\66fc9ff0ee96c2

MD5 feeba02038b3c9a40c3be9bf20c28ac8
SHA1 a554ab1c153c821d0f672434acbd5d74313302df
SHA256 94eb3b0b2364a5f2aecbefc025c419b3dd310e0e0a21cba482c65e05e4368ad7
SHA512 1b5d8467951bd6d87874c0aa05fbe8fdbb430651603db2420934b877c1939bf5dd6862e01d8e4c6a5a8abe1712bf13d4cfe3277bd27555598a3c47c6306cbe09

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

MD5 d0551c6a7100da4b70bdc2e67a550442
SHA1 dcca7c4f5ae819b746094c222ba8553af47722f8
SHA256 f94e3d06bb47fe485ca598538ab8ffb9d715dd3d904e2ca2cc841933225e6d0e
SHA512 70a4fb9ea2f939a0e7017153252c6b6243e9de74d5d867297a5fff3d6690ab078551e1a3ab2549d69a0b8f39791a7bcdb53544ebb03f177a87b6c51dac6c1998

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\0fc223bdacedc3

MD5 f11a22c518ce889f159f124a338e0146
SHA1 db06fcd0a8c51e833593e42387d31e6c441953e5
SHA256 02921703be253273b8303d8ad9ac673896fbf77135260cd3115adaa0b4663847
SHA512 dba20934b7ab500caf0c0def1c59d9fbd4a26ff1f0ff60511083d2891520f8c2d72d8cb45ed87ef780613add66e56a6adbe15788cbe300d32be60be645aa9189

C:\Program Files (x86)\WindowsPowerShell\9e8d7a4ca61bd9

MD5 91e9b34aee6a8c63212838b7879c6f0b
SHA1 d94611a92f4b2390e80db030f13c67571164c2ac
SHA256 cc2636dd296adb5c1ba33bfacd0f8b8e5acb8a79f0c70fb26382dbc6be0d7d3f
SHA512 800e719fa2da8e8eb5c085187d72d2d7a5213c15345848b2f5d476ec1e6d7f03e39a8c0f5fd8e607dd0aeebbecd5659f9da1164b5d0159bdc8513dbae06cbb39