Malware Analysis Report

2024-10-19 06:32

Sample ID 240628-az8t5s1eqh
Target ModStickInjectorV1.exe
SHA256 cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26
Tags asyncrat quasar xworm default slave execution rat spyware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26

Threat Level: Known bad

The file ModStickInjectorV1.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat quasar xworm default slave execution rat spyware trojan

Xworm

Quasar payload

AsyncRat

Quasar RAT

Detect Xworm Payload

Async RAT payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Looks up external IP address via web service

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:40

Reported

2024-06-28 00:42

Platform

win10-20240404-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe"

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Async RAT payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe C:\Users\Admin\AppData\Local\Temp\Part1.exe
PID 5068 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe C:\Users\Admin\AppData\Local\Temp\Part1.exe
PID 5068 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe C:\Users\Admin\AppData\Local\Temp\Part2.exe
PID 5068 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe C:\Users\Admin\AppData\Local\Temp\Part2.exe
PID 768 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Part2.exe C:\Users\Admin\AppData\Local\Temp\Part 1.exe
PID 768 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Part2.exe C:\Users\Admin\AppData\Local\Temp\Part 1.exe
PID 768 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\Part2.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 768 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\Part2.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 768 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\Part2.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 768 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\Part2.exe C:\Users\Admin\AppData\Local\Temp\Part 3.exe
PID 768 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\Part2.exe C:\Users\Admin\AppData\Local\Temp\Part 3.exe
PID 768 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\Part2.exe C:\Users\Admin\AppData\Local\Temp\Part 4.exe
PID 768 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\Part2.exe C:\Users\Admin\AppData\Local\Temp\Part 4.exe
PID 768 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\Part2.exe C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
PID 768 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\Part2.exe C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
PID 768 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\Part2.exe C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
PID 2588 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 1892 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 1892 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 5088 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\Part1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\Part1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\Part1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\Part1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3852 wrote to memory of 3728 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 3852 wrote to memory of 3728 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 3852 wrote to memory of 3728 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 3852 wrote to memory of 3008 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 3852 wrote to memory of 3008 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 3852 wrote to memory of 3008 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 3008 wrote to memory of 2944 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\System32\unregmp2.exe
PID 3008 wrote to memory of 2944 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\System32\unregmp2.exe
PID 200 wrote to memory of 1132 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 1132 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 1132 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 1132 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 1132 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 1132 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 1132 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 1132 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 1132 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 1132 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 200 wrote to memory of 1132 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 2780 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 2780 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1132 wrote to memory of 4728 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe

"C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe"

C:\Users\Admin\AppData\Local\Temp\Part1.exe

"C:\Users\Admin\AppData\Local\Temp\Part1.exe"

C:\Users\Admin\AppData\Local\Temp\Part2.exe

"C:\Users\Admin\AppData\Local\Temp\Part2.exe"

C:\Users\Admin\AppData\Local\Temp\Part 1.exe

"C:\Users\Admin\AppData\Local\Temp\Part 1.exe"

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Users\Admin\AppData\Local\Temp\Part 3.exe

"C:\Users\Admin\AppData\Local\Temp\Part 3.exe"

C:\Users\Admin\AppData\Local\Temp\Part 4.exe

"C:\Users\Admin\AppData\Local\Temp\Part 4.exe"

C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe

"C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\System32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.0.121896678\353775410" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12e77e6e-78fd-43f3-b68c-4af30dbe84e8} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 1812 1d9708f4b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.1.69972961\1932005376" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f784eff1-78a8-49b3-b156-ab0946ac3871} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2168 1d965872e58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.2.1214060070\2002426679" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2828 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e89bae5-2101-4d94-94ce-46856a296386} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3044 1d9748ae758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.3.1457478902\643697522" -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3524 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66aa583b-2d70-4024-b5dc-895111665620} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3540 1d965862858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.4.1945322316\795949869" -childID 3 -isForBrowser -prefsHandle 4088 -prefMapHandle 4164 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {622bc04a-02af-4510-97eb-7d9776160947} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 4184 1d976bb4158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.5.467935924\739925453" -childID 4 -isForBrowser -prefsHandle 4844 -prefMapHandle 4876 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1b96359-ea16-4bfd-b27f-afa81e145801} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 4884 1d96582d258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.6.991326892\915362930" -childID 5 -isForBrowser -prefsHandle 5020 -prefMapHandle 5024 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f79544b-ca84-4c1a-9f16-4fdb131b380b} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5104 1d976bb6b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.7.359580583\1088516435" -childID 6 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {937bd292-4176-4947-a4e3-9c38dcb44e66} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5212 1d9770e9158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.8.61771887\54006143" -childID 7 -isForBrowser -prefsHandle 2768 -prefMapHandle 2636 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aa4a44b-94d0-42f5-9988-66c7c863b69d} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2772 1d971fc5858 tab

Network


Files
