Malware Analysis Report

2024-12-07 14:42

Sample ID 241007-wwl2vs1cnr
Target NocturneLoader.bin
SHA256 4c3fad8ea837861fe54356ad6e7e40cce2fe305b9cb323f07d8802c93a440b70
Tags
defense_evasion discovery evasion execution exploit impact persistence privilege_escalation ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4c3fad8ea837861fe54356ad6e7e40cce2fe305b9cb323f07d8802c93a440b70

Threat Level: Known bad

The file NocturneLoader.bin was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution exploit impact persistence privilege_escalation ransomware trojan

Modifies WinLogon for persistence

UAC bypass

Deletes shadow copies

Modifies Windows Firewall

Disables Task Manager via registry modification

Possible privilege escalation attempt

Event Triggered Execution: Image File Execution Options Injection

Modifies system executable filetype association

Modifies file permissions

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Legitimate hosting services abused for malware hosting/C2

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Windows directory

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Kills process with taskkill

Suspicious use of FindShellTrayWindow

NTFS ADS

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-10-07 18:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 18:16

Reported

2024-10-07 18:21

Platform

win10-20240404-en

Max time kernel

317s

Max time network

317s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe, C:\\Windows\\Defender\\Abantes.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Disables Task Manager via registry modification

evasion

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeCP.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WindowsAnytimeUpgradeui.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StikyNot.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SnippingTool.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SnippingTool.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ehshell.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdge.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdge.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StikyNot.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVDMaker.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WindowsAnytimeUpgradeui.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpsrchvw.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstsc.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstsc.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpsrchvw.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WindowsAnytimeUpgrade.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WindowsAnytimeUpgrade.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeCP.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVDMaker.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "C:\\Windows\\Defender\\IFEO.exe" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ehshell.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\Defender\\icon.ico" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\en-US\authui.dll.mui C:\Windows\SysWOW64\cmd.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Defender\Action.bat C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File created C:\Windows\Defender\Rules.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File opened for modification C:\Windows\Defender C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File opened for modification C:\Windows\en-US\explorer.exe.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\Defender\logonOverwrite.bat C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File created C:\Windows\Defender\Payloads.dll C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File created C:\Windows\Defender\explorer.exe.mui C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File created C:\Windows\Defender\authui.dll.mui C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File opened for modification C:\Windows\Defender\Abantes.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File created C:\Windows\Defender\IFEO.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File created C:\Windows\Defender\LogonUi.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File created C:\Windows\Defender\LogonUIStart.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File created C:\Windows\Defender\data.bin C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File opened for modification C:\Windows\Defender\wallpaper.jpg C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File created C:\Windows\Defender\Abantes.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File created C:\Windows\Defender\cursor.cur C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
File created C:\Windows\Defender\icon.ico C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Windows\\Defender\\icon.ico" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\Defender\\icon.ico" C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\AIDS_NT.rar:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Abantes (1).zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 168 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe C:\Windows\system32\cmd.exe
PID 168 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2344 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2344 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2344 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2344 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2344 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1328 wrote to memory of 4220 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1328 wrote to memory of 4220 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1328 wrote to memory of 4220 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1328 wrote to memory of 4220 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1328 wrote to memory of 4220 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1328 wrote to memory of 4220 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1328 wrote to memory of 4220 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1328 wrote to memory of 4220 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1328 wrote to memory of 4220 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1328 wrote to memory of 4220 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1328 wrote to memory of 4220 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 3840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 3840 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4220 wrote to memory of 4180 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe

"C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4220.0.330240013\382977274" -parentBuildID 20221007134813 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {294d17af-e386-48f7-ac2f-e4e275b62b28} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" 1824 189a2509a58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4220.1.655190723\490995250" -parentBuildID 20221007134813 -prefsHandle 2168 -prefMapHandle 2164 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4cbb855-72fb-4d5e-a02b-3024dd04b107} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" 2180 1898f171958 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4220.2.312291216\1258311420" -childID 1 -isForBrowser -prefsHandle 2712 -prefMapHandle 2808 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dfe1e38-56a8-4632-b13e-380272ff9cc3} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" 2784 189a53fc458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4220.3.173457496\344208138" -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 3460 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {682a0137-952b-4321-9fa1-eea7de7769d4} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" 3476 1898f15b258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4220.4.514374000\40827776" -childID 3 -isForBrowser -prefsHandle 4364 -prefMapHandle 4360 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bb45886-5b74-4909-bb4d-7a742464b3dc} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" 4376 189a74fd958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4220.5.632637907\757394869" -childID 4 -isForBrowser -prefsHandle 4936 -prefMapHandle 4968 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3366f6f-2d18-47f2-b81f-f03314e3fc8b} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" 4956 189a7b67358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4220.6.1785546078\1541442628" -childID 5 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc0afa9a-c110-41b6-aac6-04408db1ff55} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" 5108 189a7b67f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4220.7.2130940729\612499322" -childID 6 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6782e03f-c507-4a65-ada7-f1667c548e28} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" 5208 189a7b68558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4220.8.802778793\25832825" -childID 7 -isForBrowser -prefsHandle 5044 -prefMapHandle 5048 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e7021fc-efcd-421e-9cfc-40eb0529e17a} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" 4500 189a1680458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4220.9.2061581078\515086460" -childID 8 -isForBrowser -prefsHandle 1644 -prefMapHandle 1640 -prefsLen 27380 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c23de61-12bd-4941-ab9f-621f378f4091} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" 5660 189a1685558 tab

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\AIDS_NT.rar"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E8068360AE7B84FFA4225A130BAE0F1A --mojo-platform-channel-handle=1620 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CEA06A38F8034345BDD25B151EE23D58 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CEA06A38F8034345BDD25B151EE23D58 --renderer-client-id=2 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A978FE72A383F0E79B286CA3076CC58A --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6A96114B1C4481131936B0C877E0DFBE --mojo-platform-channel-handle=1604 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C45D784260086E28D9614E450B0A2857 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe

"C:\Users\Admin\AppData\Local\Temp\Temp1_Abantes (1).zip\Abantes.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\Defender\Action.bat""

C:\Windows\SysWOW64\takeown.exe

takeown /f logonui.exe

C:\Windows\SysWOW64\icacls.exe

icacls logonui.exe /granted Admin:F

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\en-US" /r /d y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\System32\en-US" /granted Admin:F /T /C

C:\Windows\SysWOW64\takeown.exe

takeown /f explorer.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f regedit.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f HelpPane.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\Temp" /r /d y

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\en-US" /r /d y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Temp" /granted Admin:F /T /C

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\en-US" /granted Admin:F /T /C

C:\Windows\SysWOW64\icacls.exe

icacls regedit.exe /granted Admin:F

C:\Windows\SysWOW64\icacls.exe

icacls explorer.exe /granted Admin:F

C:\Windows\SysWOW64\icacls.exe

icacls HelpPane.exe /granted Admin:F

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' set FullName='Abantes Was Here'

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' rename 'Abantes Was Here'

C:\Windows\SysWOW64\netsh.exe

NetSh Advfirewall set allprofiles state off

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\SysWOW64\timeout.exe

TIMEOUT 1

C:\Windows\SysWOW64\timeout.exe

TIMEOUT 2

C:\Windows\SysWOW64\shutdown.exe

"C:\Windows\System32\shutdown.exe" /l /f

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3af3055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
N/A 127.0.0.1:49756 tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 23.148.238.44.in-addr.arpa udp
N/A 127.0.0.1:49762 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.36:443 www.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 csp.withgoogle.com udp
GB 142.250.187.209:443 csp.withgoogle.com tcp
US 8.8.8.8:53 csp.withgoogle.com udp
US 8.8.8.8:53 csp.withgoogle.com udp
GB 142.250.187.209:443 csp.withgoogle.com udp
US 8.8.8.8:53 36.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 2.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 209.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.169.78:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
GB 172.217.169.78:443 play.google.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
DE 23.55.161.185:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 216.58.204.78:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 185.161.55.23.in-addr.arpa udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
GB 216.58.204.78:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrnsl.gvt1.com udp
GB 74.125.168.233:443 r4---sn-aigzrnsl.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsl.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrnsl.gvt1.com udp
GB 74.125.168.233:443 r4.sn-aigzrnsl.gvt1.com udp
US 8.8.8.8:53 233.168.125.74.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.36:443 www.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 216.58.204.78:443 consent.google.com tcp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 consent.google.com udp
GB 216.58.204.78:443 consent.google.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 154.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 api.github.com udp
US 140.82.112.21:443 collector.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 21.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp
US 8.8.8.8:53 glb-db52c2cf8be544.github.com udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\2204dd83-e352-4a93-9e4d-d5fb529b8641

MD5 7e3dd22b23b3e4bb186e42bb1ee3257a
SHA1 b7d2cd21cd29a46df41c45e1014a0351b500cf04
SHA256 7a985787d9fb2748311c0581a159c415e97e4de0c47b081fb416e994c6db1c6b
SHA512 5a1ab8a1c6a7680f0199b21576f6518d8c54a4332b5eb7437e9c6000803299ba5391cc8bfe81cbea3ab6d3825ad68005d73797e506f0db40ae2deb589d7c88d4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\6055babd-2ec8-45c3-9a24-da465eeea694

MD5 b8a9f4c7e92a83af1c0f14368f4b5946
SHA1 e7e2524a1ee6baa6a6a203d79e780951d6ddc1ea
SHA256 51a4a4443e3c675c2daf3425e2028b0cef6c71ee63a766e18f43fac7421539f1
SHA512 2cd4be5e80b4df1db3aca4513a5e269941b33afefe596c8f9465652e967e20b0ce541e8c027e06a0c75752ef1b166fb7cd522cccac7ba99c761e48ba4c6e8006

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin

MD5 2a33950f401ddf18a855a0a4d59c310d
SHA1 311b8d660d19c6aaeaa266f5792ff88dae37f5d4
SHA256 1dd5e396a83978fd25c3be59e2caa57bec5a4aa6db4b18ba0a802ab0872d2981
SHA512 b17c4cf50229833437357ee758893ef95adbe05884195a40aae5549e2841283a2a30a905107247123df3c8683240bd0c51fd8959ea731523a87c08f2395bde78

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 3018d1aad8385b734068dbad441e344e
SHA1 2a3925bc92ec843db64b6db2cd6fe18ccf084a86
SHA256 f33415b0b1fc8c7e52356318d44aef1ae6bd9c64a89afa012d43a01a79954f88
SHA512 7ab1a1115a4f7ac61ba41bfe5875792cfa84d81f14f71239e43848de5940bfa07e2e34ea4be85a61c091d0b4b7742f3f55961fd26734b528cdb2c0b4d169c5e0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 035886aaabff33294d2746b835a135c0
SHA1 6ec18a94c1f77ae2c59a54f8a87997ba2e9a9c42
SHA256 69e244907f06ddfd97708c2916447b57c868ad04041fb5d7130f12b73a5478cf
SHA512 735bf3fdc909622e7a913f953132527028bfcf35bcc563ea90269b27f2bb626570ba9113973a99edfa77079aa0867dd4bd2f999591fb29481fd07c83ca3dcae1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD

MD5 aa1880d2fa61445d28542396283cd000
SHA1 da43b8f6109794701778295ddbe855674e097a8b
SHA256 08b80cae4c814fb0924a9410b46d77fa37891aed90885a37dc9668bb77edfdb2
SHA512 80277308292dde8d06518712c59ba660c5ba24e53a988db64b34884bac12747d5292319f3508f18ec194c20c41876100f03903f1de6e8242fdf74e8c2c6ef4b0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

MD5 5d4164bb88f29f6c09c0b5d38f373678
SHA1 28a859a06bef77f4a8e6601af7040ee364c33163
SHA256 2d4f891507f99ec571c2b19e45688bb8233bc80df38b11d4253ff867af330dca
SHA512 75cf76759e7c4f66e92bb94dc2495b112384a8ae6ecc94e2924bb01dadf35e016599b9f66e66d11daf529394bc24e4f68c21ee7a249e47de274f2979a5d8bc8f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a8a3d635ffcda9d87d43a64491ca9280
SHA1 c278667caa7dc3ebeac9631b757c41facd9840c8
SHA256 4ff2312c0b5b1bc614a8a4616d44db07466a59d1f7e36f8da956b24abe8e5cf2
SHA512 569a71b73f3523b3c8a20df7693f4308880c60b43781a69b297ffaebf585c8b575f9a0503ba2680d14cb77e6c9e62983aab58fa01d73551c0eb6ffb1eca3a31c

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

MD5 eb83664fa366101282face62c1d7eb9b
SHA1 7c24613d685ede9451ba5ba3274f2792ea4c74a9
SHA256 86e946f1a2f2efc12ca7d1bd7efa16ccdca28fc01694e14671fa3c52c9e5cff2
SHA512 ba383fb9ee0bfb0cb1b32ea7ea9dcd1becb2b7badb4db3eafc04b027fa92d69b7f64c975b8c201fd834677f05468996d95c9832ff34c2d987a1c600897ca3416

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 558cacf2ca6f27a3ea2c591713fe5948
SHA1 225f01c75026b2223e8624eef50fa7d998f82c2d
SHA256 9a51a3ea136cc71cc6a6ce0a5e8c892fd4e0049d17dfbe327cc57a015e0d7b7b
SHA512 592e32d0196505707bfd4a9ef889bda78941ac65f6862a6004dd0b96707c4b3925c4b6b65a405a12783edcf5f52968cbacf9a7905eb1fa3fb573b432abe9a581

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 fa466be6d804db83d61b22b261518577
SHA1 3b19f2bd4d127743416c5e0613c9f7e73b4d55ad
SHA256 2a41d112da92e0c6bc2259a9ba1593e8856e08391b7d7e06a762fc90a0ff6f91
SHA512 223610628ec8ee04d1f49a5e418c4e684d9cbd8857e378694c20a24cb2c34c1b223f99499bc885d602a5c49764388348915d595e4fb89d19b6f0f1ac492bc771

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\5F06DC3FBD2D7E40D137D8E6C0FEA28CFADD315E

MD5 58d834ad60d7ef51afb7ea0ed647688d
SHA1 b5ed5319c18c5a55c9660deb877d05e325885784
SHA256 303acea83b385b9d93f5f2df80b85178cd32f993986f8cdac297db82f89ceedd
SHA512 7e8ab035bede6ab362e022cf3837007ce538967aa1d1081cd3909beb13302d6976787f4c5d859910af5078360d1a9ade10104caad9991cf2ece5f531669f58f4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a523766b64733547111c692c74015bbd
SHA1 66d7374ae84ef9adf2c3dd862597c497aa09272d
SHA256 044fd65aa8f3c4b99fed9539c8481aa3544f43ff5fbe96cbb8ea4674c70e0e43
SHA512 9dee68c67bf08953de89e26afdf088381fc7013b02a2a98d11b2a9741756aa543dbd9f70e93df401e6a3691c4269f6b7ea19a67b0801484d0b12c2ddc7ab4781

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 feb4fc89556c3e7b63698ed7da08b0db
SHA1 255d98638d6ea8d8b2f21f079af9d6460d28de7b
SHA256 4df2ddc3a9068f17985189e60df7c718f73caab28318c0f8c4affa04a7e12ab1
SHA512 9f74dc50f55c672672a0abcb030402fac0874fd333710cc79a1940eff0f7ca756016858a2daf884b0e88fca73d5b626657e9b04e23b3ef67115cd327e2e2e020

C:\Users\Admin\Downloads\3-ne9xlm.rar.part

MD5 6130816a444466d3ef237bfefae80c2c
SHA1 bd5e7be0fd74d424191cf9dddf0f6b4e0a2871b0
SHA256 52e0a1c02a0378774da69231586464c8c9fee1b36575786b5424fefda2f90418
SHA512 e83d352d104eeb89731bc0578384b5265b6270169aa4d198567f87334114850cfd453963891b47d581948a7d2d0e9ba511c5c01b7b6d6835f1b2ca376269182a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 c0cacc9f7b60546ec7e128b3bff9f730
SHA1 9914e020a029c29081a709d0b992e2f3e4c05e69
SHA256 d60691015d7a9528b50726301e14ff8cdab8b6e8228d187f35ad0e28492f25c9
SHA512 c73c500eb8dafdd83b38c42d1a55ba3b7d5bb6a34c9ba7dc4c952af64003d6dc31c4e830a85f7001ae7a2ff59fe4b548087a45cb8875d910a9c48a9cc1b94bff

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

MD5 406aa989db6c5b5cbe736f8aabd73042
SHA1 608382d2558191b0b87aaaee3e870569954d538f
SHA256 f476cd6127f6607fb58ef10bf36b6c89619f1f7d73cf0bfc1f0215b92135dd34
SHA512 42dcc0a3748eeead6b5fd6daf40442dac43e02456557b3167b89800a911f7a896ad4342b03170ce25ced1f3183c46835b1eb2426d2134f2c3e6fc8dfb0d6c315

memory/3076-609-0x0000000000940000-0x0000000000BF8000-memory.dmp

memory/3076-610-0x0000000005B90000-0x000000000608E000-memory.dmp

memory/3076-611-0x0000000005490000-0x0000000005522000-memory.dmp

memory/3076-612-0x0000000005530000-0x0000000005584000-memory.dmp

memory/3076-613-0x0000000005580000-0x000000000558A000-memory.dmp

C:\Windows\Defender\Action.bat

MD5 8b3585b4f84496c306b6c082ea6e52ef
SHA1 04bf1cf0f68a571e746fb7c863f71fa70e0e79d3
SHA256 d06d5f8501501af5677b133ff7aa531ccf1bf9b2673a1f26117f0420532b599e
SHA512 733bb98473fc8b3c8f0f96ff5ccec9212c36f7162742ee124d6a0edd0186e171ec61de97a3268663812802c90d29cd1e5077af72e02f550d94d67ebe106c0591

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 f0c5ee5d333e789286854ed98fbc5d77
SHA1 8009c9fd7b3ffb18355f6dfd7e9399dce83888c7
SHA256 95d4875e842e02aac108fe3f248d240ecaf475e21dbfa24218d279d22797f05b
SHA512 bbd3f4ec8e89300748441673ebe3b473af2d3c2cb8f05d3520b80e9606316195ae5de9d39000cb0ffa09d3cdc9df653ad8c8c4b80eb0f52f955f8c618bde31ab

C:\Windows\Defender\authui.dll.mui

MD5 a3a8fb6325f2f4fd31039775be19a9a4
SHA1 dba1acba938c8720b23b992ef77f130b6dbe7428
SHA256 6baf83c2c45f0e3a1a1dedc799cce6adb766dabe25baa847f9dd308aae0218eb
SHA512 9a03528d3b1a6a0bc3fbce6149d1cf6e21fe629c53d1b93954e6147cdfbf95eb272e75dbf906e38a1981706e71f679fda680cdf8601491ba792576c9b54d043e

C:\Windows\Defender\explorer.exe.mui

MD5 39f1a6a8b713fcf30afc03ea3c936f85
SHA1 9209b25730c7896e047e5a4fc1da73c294e55c0e
SHA256 b69b61675531060d350a795a53568ccf19a146060cebb659ebc658a0e8b27fc9
SHA512 82b402b1c94fb8444e9d32f10becad994715667fc36d427faf6ae4f433c8e7025c3ca387e6cae7fb4e14f2e9f36446354c1c2585445fd79e7673b78419232780

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore.jsonlz4

MD5 f4cd7a7d4e7fdfd371837ab0671e9097
SHA1 aaf1f30b13ddccbd63d9e1dadb46122e515b845d
SHA256 1583c4148ba3837a3ef0c39da7cf04facd76d6de334a447c78c41a1b4aa3dcef
SHA512 032b45243f71b617b832c5e4d7a982c5a795e4a5299bf3fe243fbda58b935f26fc3ced2b12b8c2de7e2a01daf47fe527f2b4c840f565b3d408160ba14e51762a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionCheckpoints.json.tmp

MD5 700fe59d2eb10b8cd28525fcc46bc0cc
SHA1 339badf0e1eba5332bff317d7cf8a41d5860390d
SHA256 4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea
SHA512 3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.js

MD5 6566263418ea444fec5f1f1cd5a86cb8
SHA1 312afe920d7599c5b4c1745858650524fc495663
SHA256 f2abea006b5554a77d24858a7fa8b3cc76dc7a1efb95bb1286f2c4a8283cc5a2
SHA512 74c951951669a8c97a3302f506592843725e15fdd072a9a05812088d3c48e2008e35caba0556b0e2d0192923ea0be12cb733fbc8e7eefc1dc08a6c0f7507238a